SUSE-CU-2025:2096-1: Security update of bci/php-apache
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Wed Mar 26 10:32:30 UTC 2025
SUSE Container Update Advisory: bci/php-apache
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:2096-1
Container Tags : bci/php-apache:8 , bci/php-apache:8.2.28 , bci/php-apache:8.2.28-48.49 , bci/php-apache:latest
Container Release : 48.49
Severity : important
Type : security
References : 1234015 1236643 1236886 1239664 1239666 1239667 1239668 1239669
1239670 CVE-2024-11235 CVE-2025-1217 CVE-2025-1219 CVE-2025-1734
CVE-2025-1736 CVE-2025-1861
-----------------------------------------------------------------
The container bci/php-apache was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1012-1
Released: Tue Mar 25 13:47:29 2025
Summary: Security update for php8
Type: security
Severity: important
References: 1239664,1239666,1239667,1239668,1239669,1239670,CVE-2024-11235,CVE-2025-1217,CVE-2025-1219,CVE-2025-1734,CVE-2025-1736,CVE-2025-1861
This update for php8 fixes the following issues:
- CVE-2025-1217: Fixed header parser of `http` stream wrapper not handling folded headers (bsc#1239664)
- CVE-2024-11235: Fixed reference counting in php_request_shutdown causing Use-After-Free (bsc#1239666)
- CVE-2025-1219: Fixed libxml streams using wrong `content-type` header when requesting a redirected resource (bsc#1239667)
- CVE-2025-1734: Fixed streams HTTP wrapper not failing for headers with invalid name and no colon (bsc#1239668)
- CVE-2025-1861: Fixed stream HTTP wrapper truncate redirect location to 1024 bytes (bsc#1239669)
- CVE-2025-1736: Fixed stream HTTP wrapper header check might omitting basic auth header (bsc#1239670)
Version update to 8.2.28:
Core:
Fixed bug GH-17211 (observer segfault on function loaded with dl()).
LibXML:
Fixed GHSA-wg4p-4hqh-c3g9.
Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource).
Streams:
Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header).
Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes).
Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon).
Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers).
Version update version 8.2.27
Calendar:
Fixed jdtogregorian overflow.
Fixed cal_to_jd julian_days argument overflow.
COM:
Fixed bug GH-16991 (Getting typeinfo of non DISPATCH variant segfaults).
Core:
Fail early in *nix configuration build script.
Fixed bug GH-16727 (Opcache bad signal 139 crash in ZTS bookworm (frankenphp)).
Fixed bug GH-16799 (Assertion failure at Zend/zend_vm_execute.h:7469).
Fixed bug GH-16630 (UAF in lexer with encoding translation and heredocs).
Fix is_zend_ptr() huge block comparison.
Fixed potential OOB read in zend_dirname() on Windows.
Curl:
Fix various memory leaks in curl mime handling.
FPM:
Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status).
GD:
Fixed GH-16776 (imagecreatefromstring overflow).
GMP:
Revert gmp_pow() overly restrictive overflow checks.
Hash:
Fixed GH-16711: Segfault in mhash().
Opcache:
Fixed bug GH-16770 (Tracing JIT type mismatch when returning UNDEF).
Fixed bug GH-16851 (JIT_G(enabled) not set correctly on other threads).
Fixed bug GH-16902 (Set of opcache tests fail zts+aarch64).
OpenSSL:
Prevent unexpected array entry conversion when reading key.
Fix various memory leaks related to openssl exports.
Fix memory leak in php_openssl_pkey_from_zval().
PDO:
Fixed memory leak of `setFetchMode()`.
Phar:
Fixed bug GH-16695 (phar:// tar parser and zero-length file header blocks).
PHPDBG:
Fixed bug GH-15208 (Segfault with breakpoint map and phpdbg_clear()).
SAPI:
Fixed bug GH-16998 (UBSAN warning in rfc1867).
SimpleXML:
Fixed bug GH-16808 (Segmentation fault in RecursiveIteratorIterator ->current() with a xml element input).
SNMP:
Fixed bug GH-16959 (snmget modifies the object_id array).
Standard:
Fixed bug GH-16905 (Internal iterator functions can't handle UNDEF properties).
Streams:
Fixed network connect poll interuption handling.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1016-1
Released: Tue Mar 25 15:59:05 2025
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1234015,1236643,1236886
This update for systemd fixes the following issues:
- udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015)
- journald: close runtime journals before their parent directory removed
- journald: reset runtime seqnum data when flushing to system journal (bsc#1236886)
- Move systemd-userwork from the experimental sub-package to the main package (bsc#1236643)
It is likely an oversight from when systemd-userdb was migrated from the
experimental package to the main one.
The following package changes have been done:
- libsystemd0-254.24-150600.4.28.1 updated
- php8-cli-8.2.28-150600.3.16.1 updated
- php8-8.2.28-150600.3.16.1 updated
- apache2-mod_php8-8.2.28-150600.3.16.1 updated
- php8-openssl-8.2.28-150600.3.16.1 updated
- php8-mbstring-8.2.28-150600.3.16.1 updated
- php8-zlib-8.2.28-150600.3.16.1 updated
- php8-zip-8.2.28-150600.3.16.1 updated
- php8-curl-8.2.28-150600.3.16.1 updated
- php8-phar-8.2.28-150600.3.16.1 updated
- container:registry.suse.com-bci-bci-base-15.6-35b37108e267992f6a9e4a847e4ed01ef916cde04311c5ba8d2bad59054116c2-0 updated
More information about the sle-container-updates
mailing list