Security update for php7 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:1130-1 Final 1 1 2021-08-10T10:21:45Z current 2021-08-10T10:21:45Z 2021-08-10T10:21:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for php7 This update for php7 fixes the following issues: - CVE-2021-21704: Fixed security issues in pdo_firebase module (bsc#1188035). - CVE-2021-21705: Fixed SSRF bypass in FILTER_VALIDATE_URL (bsc#1188037). This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-1130 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BO2ME666CUOF6FDZXIKM27VW5MN7US3U/ E-Mail link for openSUSE-SU-2021:1130-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1188035 SUSE Bug 1188035 https://bugzilla.suse.com/1188037 SUSE Bug 1188037 https://www.suse.com/security/cve/CVE-2021-21704/ SUSE CVE CVE-2021-21704 page https://www.suse.com/security/cve/CVE-2021-21705/ SUSE CVE CVE-2021-21705 page openSUSE Leap 15.2 apache2-mod_php7-7.4.6-lp152.2.18.1 php7-7.4.6-lp152.2.18.1 php7-bcmath-7.4.6-lp152.2.18.1 php7-bz2-7.4.6-lp152.2.18.1 php7-calendar-7.4.6-lp152.2.18.1 php7-ctype-7.4.6-lp152.2.18.1 php7-curl-7.4.6-lp152.2.18.1 php7-dba-7.4.6-lp152.2.18.1 php7-devel-7.4.6-lp152.2.18.1 php7-dom-7.4.6-lp152.2.18.1 php7-embed-7.4.6-lp152.2.18.1 php7-enchant-7.4.6-lp152.2.18.1 php7-exif-7.4.6-lp152.2.18.1 php7-fastcgi-7.4.6-lp152.2.18.1 php7-fileinfo-7.4.6-lp152.2.18.1 php7-firebird-7.4.6-lp152.2.18.1 php7-fpm-7.4.6-lp152.2.18.1 php7-ftp-7.4.6-lp152.2.18.1 php7-gd-7.4.6-lp152.2.18.1 php7-gettext-7.4.6-lp152.2.18.1 php7-gmp-7.4.6-lp152.2.18.1 php7-iconv-7.4.6-lp152.2.18.1 php7-intl-7.4.6-lp152.2.18.1 php7-json-7.4.6-lp152.2.18.1 php7-ldap-7.4.6-lp152.2.18.1 php7-mbstring-7.4.6-lp152.2.18.1 php7-mysql-7.4.6-lp152.2.18.1 php7-odbc-7.4.6-lp152.2.18.1 php7-opcache-7.4.6-lp152.2.18.1 php7-openssl-7.4.6-lp152.2.18.1 php7-pcntl-7.4.6-lp152.2.18.1 php7-pdo-7.4.6-lp152.2.18.1 php7-pgsql-7.4.6-lp152.2.18.1 php7-phar-7.4.6-lp152.2.18.1 php7-posix-7.4.6-lp152.2.18.1 php7-readline-7.4.6-lp152.2.18.1 php7-shmop-7.4.6-lp152.2.18.1 php7-snmp-7.4.6-lp152.2.18.1 php7-soap-7.4.6-lp152.2.18.1 php7-sockets-7.4.6-lp152.2.18.1 php7-sodium-7.4.6-lp152.2.18.1 php7-sqlite-7.4.6-lp152.2.18.1 php7-sysvmsg-7.4.6-lp152.2.18.1 php7-sysvsem-7.4.6-lp152.2.18.1 php7-sysvshm-7.4.6-lp152.2.18.1 php7-test-7.4.6-lp152.2.18.1 php7-tidy-7.4.6-lp152.2.18.1 php7-tokenizer-7.4.6-lp152.2.18.1 php7-xmlreader-7.4.6-lp152.2.18.1 php7-xmlrpc-7.4.6-lp152.2.18.1 php7-xmlwriter-7.4.6-lp152.2.18.1 php7-xsl-7.4.6-lp152.2.18.1 php7-zip-7.4.6-lp152.2.18.1 php7-zlib-7.4.6-lp152.2.18.1 apache2-mod_php7-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-bcmath-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-bz2-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-calendar-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-ctype-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-curl-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-dba-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-devel-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-dom-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-embed-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-enchant-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-exif-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-fastcgi-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-fileinfo-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-firebird-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-fpm-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-ftp-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-gd-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-gettext-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-gmp-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-iconv-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-intl-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-json-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-ldap-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-mbstring-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-mysql-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-odbc-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-opcache-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-openssl-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-pcntl-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-pdo-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-pgsql-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-phar-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-posix-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-readline-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-shmop-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-snmp-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-soap-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-sockets-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-sodium-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-sqlite-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-sysvmsg-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-sysvsem-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-sysvshm-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-test-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-tidy-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-tokenizer-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-xmlreader-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-xmlrpc-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-xmlwriter-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-xsl-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-zip-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 php7-zlib-7.4.6-lp152.2.18.1 as a component of openSUSE Leap 15.2 In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption. CVE-2021-21704 openSUSE Leap 15.2:apache2-mod_php7-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-bcmath-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-bz2-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-calendar-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-ctype-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-curl-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-dba-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-devel-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-dom-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-embed-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-enchant-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-exif-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-fastcgi-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-fileinfo-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-firebird-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-fpm-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-ftp-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-gd-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-gettext-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-gmp-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-iconv-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-intl-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-json-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-ldap-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-mbstring-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-mysql-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-odbc-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-opcache-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-openssl-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-pcntl-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-pdo-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-pgsql-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-phar-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-posix-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-readline-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-shmop-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-snmp-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-soap-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-sockets-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-sodium-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-sqlite-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-sysvmsg-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-sysvsem-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-sysvshm-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-test-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-tidy-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-tokenizer-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-xmlreader-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-xmlrpc-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-xmlwriter-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-xsl-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-zip-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-zlib-7.4.6-lp152.2.18.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BO2ME666CUOF6FDZXIKM27VW5MN7US3U/ https://www.suse.com/security/cve/CVE-2021-21704.html CVE-2021-21704 https://bugzilla.suse.com/1188035 SUSE Bug 1188035 In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision. CVE-2021-21705 openSUSE Leap 15.2:apache2-mod_php7-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-bcmath-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-bz2-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-calendar-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-ctype-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-curl-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-dba-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-devel-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-dom-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-embed-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-enchant-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-exif-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-fastcgi-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-fileinfo-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-firebird-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-fpm-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-ftp-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-gd-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-gettext-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-gmp-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-iconv-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-intl-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-json-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-ldap-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-mbstring-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-mysql-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-odbc-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-opcache-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-openssl-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-pcntl-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-pdo-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-pgsql-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-phar-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-posix-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-readline-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-shmop-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-snmp-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-soap-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-sockets-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-sodium-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-sqlite-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-sysvmsg-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-sysvsem-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-sysvshm-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-test-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-tidy-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-tokenizer-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-xmlreader-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-xmlrpc-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-xmlwriter-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-xsl-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-zip-7.4.6-lp152.2.18.1 openSUSE Leap 15.2:php7-zlib-7.4.6-lp152.2.18.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BO2ME666CUOF6FDZXIKM27VW5MN7US3U/ https://www.suse.com/security/cve/CVE-2021-21705.html CVE-2021-21705 https://bugzilla.suse.com/1188037 SUSE Bug 1188037