SUSE-CU-2025:2096-1: Security update of bci/php-apache

sle-container-updates at lists.suse.com
Wed Mar 26 10:32:30 UTC 2025


SUSE Container Update Advisory: bci/php-apache
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:2096-1
Container Tags        : bci/php-apache:8 , bci/php-apache:8.2.28 , bci/php-apache:8.2.28-48.49 , bci/php-apache:latest
Container Release     : 48.49
Severity              : important
Type                  : security
References            : 1234015 1236643 1236886 1239664 1239666 1239667 1239668 1239669
                        1239670 CVE-2024-11235 CVE-2025-1217 CVE-2025-1219 CVE-2025-1734
                        CVE-2025-1736 CVE-2025-1861 
-----------------------------------------------------------------

The container bci/php-apache was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1012-1
Released:    Tue Mar 25 13:47:29 2025
Summary:     Security update for php8
Type:        security
Severity:    important
References:  1239664,1239666,1239667,1239668,1239669,1239670,CVE-2024-11235,CVE-2025-1217,CVE-2025-1219,CVE-2025-1734,CVE-2025-1736,CVE-2025-1861
This update for php8 fixes the following issues:

- CVE-2025-1217: Fixed header parser of `http` stream wrapper not handling folded headers (bsc#1239664)
- CVE-2024-11235: Fixed reference counting in php_request_shutdown causing Use-After-Free (bsc#1239666)
- CVE-2025-1219: Fixed libxml streams using wrong `content-type` header when requesting a redirected resource (bsc#1239667)
- CVE-2025-1734: Fixed streams HTTP wrapper not failing for headers with invalid name and no colon (bsc#1239668)
- CVE-2025-1861: Fixed stream HTTP wrapper truncating the redirect location to 1024 bytes (bsc#1239669)
- CVE-2025-1736: Fixed stream HTTP wrapper header check that might omit the basic auth header (bsc#1239670)

Version update to 8.2.28:
    Core:
        Fixed bug GH-17211 (observer segfault on function loaded with dl()).
    LibXML:
        Fixed GHSA-wg4p-4hqh-c3g9.
        Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource).
    Streams:
        Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header).
        Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes).
        Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon).
        Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers).

Version update to 8.2.27:
    Calendar:
        Fixed jdtogregorian overflow.
        Fixed cal_to_jd julian_days argument overflow.
    COM:
        Fixed bug GH-16991 (Getting typeinfo of non DISPATCH variant segfaults).
    Core:
        Fail early in *nix configuration build script.
        Fixed bug GH-16727 (Opcache bad signal 139 crash in ZTS bookworm (frankenphp)).
        Fixed bug GH-16799 (Assertion failure at Zend/zend_vm_execute.h:7469).
        Fixed bug GH-16630 (UAF in lexer with encoding translation and heredocs).
        Fix is_zend_ptr() huge block comparison.
        Fixed potential OOB read in zend_dirname() on Windows.
    Curl:
        Fix various memory leaks in curl mime handling.
    FPM:
        Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status).
    GD:
        Fixed GH-16776 (imagecreatefromstring overflow).
    GMP:
        Revert gmp_pow() overly restrictive overflow checks.
    Hash:
        Fixed GH-16711: Segfault in mhash().
    Opcache:
        Fixed bug GH-16770 (Tracing JIT type mismatch when returning UNDEF).
        Fixed bug GH-16851 (JIT_G(enabled) not set correctly on other threads).
        Fixed bug GH-16902 (Set of opcache tests fail zts+aarch64).
    OpenSSL:
        Prevent unexpected array entry conversion when reading key.
        Fix various memory leaks related to openssl exports.
        Fix memory leak in php_openssl_pkey_from_zval().
    PDO:
        Fixed memory leak of `setFetchMode()`.
    Phar:
        Fixed bug GH-16695 (phar:// tar parser and zero-length file header blocks).
    PHPDBG:
        Fixed bug GH-15208 (Segfault with breakpoint map and phpdbg_clear()).
    SAPI:
        Fixed bug GH-16998 (UBSAN warning in rfc1867).
    SimpleXML:
        Fixed bug GH-16808 (Segmentation fault in RecursiveIteratorIterator->current() with an XML element input).
    SNMP:
        Fixed bug GH-16959 (snmpget modifies the object_id array).
    Standard:
        Fixed bug GH-16905 (Internal iterator functions can't handle UNDEF properties).
    Streams:
        Fixed network connect poll interruption handling.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1016-1
Released:    Tue Mar 25 15:59:05 2025
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1234015,1236643,1236886
This update for systemd fixes the following issues:

- udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015)
- journald: close runtime journals before their parent directory is removed
- journald: reset runtime seqnum data when flushing to system journal (bsc#1236886)
- Move systemd-userwork from the experimental sub-package to the main package (bsc#1236643)
  It is likely an oversight from when systemd-userdb was migrated from the
  experimental package to the main one.

The following package changes have been done:

- libsystemd0-254.24-150600.4.28.1 updated
- php8-cli-8.2.28-150600.3.16.1 updated
- php8-8.2.28-150600.3.16.1 updated
- apache2-mod_php8-8.2.28-150600.3.16.1 updated
- php8-openssl-8.2.28-150600.3.16.1 updated
- php8-mbstring-8.2.28-150600.3.16.1 updated
- php8-zlib-8.2.28-150600.3.16.1 updated
- php8-zip-8.2.28-150600.3.16.1 updated
- php8-curl-8.2.28-150600.3.16.1 updated
- php8-phar-8.2.28-150600.3.16.1 updated
- container:registry.suse.com-bci-bci-base-15.6-35b37108e267992f6a9e4a847e4ed01ef916cde04311c5ba8d2bad59054116c2-0 updated
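A quick way to confirm that a running container actually carries the fixed builds listed above is to compare the installed package versions against the advisory's versions. The script below is an added example, not part of the advisory or of SUSE's tooling; the fixed versions come from the package list above, the "installed" sample is constructed for illustration, and `sort -V` is used as an approximation of rpm's own version ordering.

```shell
# Fixed package versions, copied from the "package changes" list of this advisory.
FIXED_VERSIONS="php8 8.2.28-150600.3.16.1
php8-cli 8.2.28-150600.3.16.1
apache2-mod_php8 8.2.28-150600.3.16.1
libsystemd0 254.24-150600.4.28.1"

# version_lt A B: true (exit 0) when A sorts strictly before B in version order.
# GNU sort -V is an approximation of rpm's comparison, good enough for this check.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_installed INSTALLED: INSTALLED is "<name> <version-release>" per line, the
# format produced by `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` inside the
# container. Prints one line for every listed package still below the fixed version;
# packages not installed at all are skipped.
check_installed() {
    installed="$1"
    printf '%s\n' "$FIXED_VERSIONS" | while read -r pkg fixed; do
        have=$(printf '%s\n' "$installed" | awk -v p="$pkg" '$1 == p { print $2 }')
        [ -z "$have" ] && continue
        if version_lt "$have" "$fixed"; then
            printf '%s %s < %s (update needed)\n' "$pkg" "$have" "$fixed"
        fi
    done
}

# Constructed sample: php8 is on an older (made-up) build, php8-cli and
# libsystemd0 are already at the advisory's versions, apache2-mod_php8 is absent.
SAMPLE_INSTALLED="php8 8.2.27-150600.3.13.1
php8-cli 8.2.28-150600.3.16.1
libsystemd0 254.24-150600.4.28.1"

check_installed "$SAMPLE_INSTALLED"
```

Against a live container, replace the sample with the output of the `rpm -qa` query from the comment; an empty result means every listed package is at or above the advisory's build.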

