PHP updates: 8.1.31, 8.2.26, 8.3.14 and 8.4.1 close security vulnerabilities

The PHP developers have released new packages. PHP 8.1.31, 8.2.26, 8.3.14 and 8.4.1 close security vulnerabilities.


The PHP developers have released updated packages. While PHP 8.4.1 delivers "numerous improvements and new functions" alongside closed security gaps, PHP 8.1.31, 8.2.26 and 8.3.14 are purely security updates that IT managers should install quickly.

In the version announcements for the PHP updates, the programmers are quite cautious with details. They do not mention any security updates for 8.4.1, while the three other versions only have "This is a security release. All PHP 8.[1|2|3].x users are encouraged to update to this version." as a change entry.

The updates address different vulnerabilities, but some affect all versions. For example, one of the most prominent vulnerabilities affects the ldap_escape() function on 32-bit systems: when it is passed unfiltered long strings, an integer overflow can occur, resulting in write accesses outside the intended limits and thus apparently enabling the execution of injected malicious code (CVE-2024-8932, CVSS 9.8, risk "critical").


Interested parties can find details of the other changes and security fixes in the updated PHP packages in the individual changelogs:

Updated packages are available for download on the PHP download page. In addition to the source code packages, you will also find fully compiled versions for Windows. Installation instructions for Linux and macOS are also available there. However, Linux distributions usually deliver the updated versions through the system's software management. Linux admins should therefore run it once to search for and install updates. IT managers should install the updates quickly, as some of the vulnerabilities pose a critical risk.
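To check hosts against the fixed releases named above, a version string can be classified per branch. This is an added example, not code from the article or the PHP project; the function names are hypothetical and the sample version strings are constructed.

```shell
#!/bin/sh
# Added example, not from the article or the PHP project.
# Function names are hypothetical; version numbers are those in the article.

# Patch level of the first fixed release for a branch such as "8.2".
# Prints nothing for branches the article does not list.
fixed_patch_for() {
    case "$1" in
        8.1) echo 31 ;;
        8.2) echo 26 ;;
        8.3) echo 14 ;;
        8.4) echo 1 ;;
    esac
}

# php_patch_status VERSION
# Prints "patched" (exit 0), "outdated" (exit 1) or "unknown" (exit 2).
# Accepts packaging suffixes, e.g. "8.2.25-1ubuntu3" (constructed sample).
php_patch_status() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then echo unknown; return 2; fi

    branch=${ver%.*}
    patch=${ver##*.}
    min=$(fixed_patch_for "$branch")
    if [ -z "$min" ]; then echo unknown; return 2; fi

    # A pre-release such as 8.4.1RC1 sorts before the final 8.4.1.
    case "${1#"$ver"}" in
        RC*|alpha*|beta*|-dev*) pre=1 ;;
        *) pre=0 ;;
    esac

    if [ "$patch" -gt "$min" ] || { [ "$patch" -eq "$min" ] && [ "$pre" -eq 0 ]; }; then
        echo patched; return 0
    fi
    echo outdated; return 1
}

# Typical use on a host with the CLI installed:
#   php_patch_status "$(php -r 'echo PHP_VERSION;')"
```

Distribution packages may carry backported fixes under an older upstream version number, so an "outdated" result for a distro build should be confirmed against the distribution's own security notices. Branches the article does not list are reported as "unknown" and need manual review.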

The PHP developers had already released security updates in the 8.1.x, 8.2.y and 8.3.z version branches at the end of September. Even then, some of the vulnerabilities were considered a critical risk, which made a prompt update important.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.