Ondřej Surý has released new PHP 8.2.3, 8.1.16, 8.0.28, 7.4.33-5, 7.3.33-10, 7.2.34-38, 7.1.33-52, 7.0.33-65, and 5.6.40-65 packages for both Debian GNU/Linux 10 LTS and 11 to address three security issues (CVE-2023-0567, CVE-2023-056, and CVE-2023-0662)

To add the repository:

#!/bin/bash # To add this repository please do:

if [ "$(whoami)" != "root" ]; then
SUDO=sudo
fi

${SUDO} apt-get -y install apt-transport-https lsb-release ca-certificates curl
${SUDO} wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
${SUDO} sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
${SUDO} apt-get update

Change log

- Core:
. Fixed bug #81744 (Password_verify() always return true with some hash). (CVE-2023-0567) (Tim Düsterhus)
. Fixed bug #81746 (1-byte array overrun in common path resolve code). (CVE-2023-0568) (Niels Dossche)

- FPM:
. Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662) (Jakub Zelenka)

PHP Packages
Issues Tracker