Software 42490 Published by

A number of security issues have been fixed in PHP 8.1.29. Resolved issues with CGI, filters, and OpenSSL are detailed in the revision history. CGI and filter both addressed issues with argument injection and filter bypass, while OpenSSL patched a security hole in PHP's openssl_private_decrypt function.


- CGI:
. Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection
in PHP-CGI). (CVE-2024-4577) (nielsdos)

- Filter:
. Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL).
(CVE-2024-5458) (nielsdos)

- OpenSSL:
. The openssl_private_decrypt function in PHP, when using PKCS1 padding
(OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack
unless it is used with an OpenSSL version that includes the changes from this pull
request: (rsa_pkcs1_implicit_rejection).
These changes are part of OpenSSL 3.2 and have also been backported to stable
versions of various Linux distributions, as well as to the PHP builds provided for
Windows since the previous release. All distributors and builders should ensure that
this version is used to prevent PHP from being vulnerable. (CVE-2024-2408)

- Standard:
. Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874).
(CVE-2024-5585) (nielsdos)

Release php-8.1.29 · php/php-src