Security updates: PHP 8.3.12 and 8.2.24 plug critical security leaks
The PHP developers have released PHP 8.3.12 and 8.2.24. They close several security vulnerabilities, some of which are critical.
(Image: created with AI in Bing Designer by heise online / dmk)
Admins who were about to head off for the weekend should quickly get back to the administration PC: The PHP developers have released versions 8.3.12 and 8.2.24. These close security gaps, some of which are classified as critical risks.
The release announcements for PHP 8.3.12 and PHP 8.2.24 are extremely brief. "This is a security release. All PHP 8.[2|3] users are advised to upgrade to this version" read the announcements, the only difference being the version number.
Changelogs with a lot of vulnerabilities
The changelogs for versions 8.3.12 and 8.2.24 are almost identical. The one exception is an additional fix in PHP 8.3.12 that is apparently not needed in 8.2.24: according to the short description, a signed integer overflow in ext/dom/nodelist.c. Much worse, however, is the return of an old vulnerability in the PHP versions preceding the new releases. Once again it concerns the known vulnerability CVE-2024-4577: the previous patch is not sufficient, and the countermeasures it introduced can be circumvented. Details are still missing, and the CVE entry CVE-2024-8926 still had the status "reserved" at the time of reporting. Tenable, however, reveals that the CVSS value is 9.1, which makes the vulnerability "critical".
IT managers should install the updated PHP versions as soon as possible. The predecessor vulnerability CVE-2024-4577 was already being attacked in the wild in June; CISA warned of this by adding the vulnerability to its Known Exploited Vulnerabilities catalog. The fact that CVE-2024-4577 was itself merely a variant of a 12-year-old bug (CVE-2012-1823), which the programmers had not fully corrected, adds a little salt to the wound.
Updated source code packages are available on the PHP download page. In addition to the sources, ready-to-install binaries for Windows are available on a separate download page. Linux users must use their distribution's package management to find and install the corrected PHP packages.
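As an added example (not part of the heise article, and not an official PHP tool), the following POSIX shell snippet turns the advice above into a check an administrator can run on a fleet: it parses the first line of `php -v`, determines the minor branch, and compares the installed version against the fixed releases named in the article (8.3.12 and 8.2.24). The function names, the `SAMPLE_OUTPUT` string and the exit-code convention are assumptions made for this example; branches other than 8.2 and 8.3 are reported as "not covered" rather than guessed at.

```shell
#!/bin/sh
# Hypothetical helper for this example (not from the article or the PHP project):
# report whether an installed PHP is at or above the security release for its branch.

# Fixed release per minor branch, taken from the article. Unknown branches fail.
fixed_version_for_branch() {
  case "$1" in
    8.3) echo "8.3.12" ;;
    8.2) echo "8.2.24" ;;
    *) return 1 ;;
  esac
}

# version_ge A B : succeeds (0) if A >= B, comparing the three dotted numeric fields.
version_ge() {
  a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
  b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
  [ "$a1" -gt "$b1" ] && return 0
  [ "$a1" -lt "$b1" ] && return 1
  [ "$a2" -gt "$b2" ] && return 0
  [ "$a2" -lt "$b2" ] && return 1
  [ "$a3" -ge "$b3" ]
}

# php_is_patched VERSION : 0 = fixed release or newer, 1 = needs update,
# 2 = branch not covered by this table (e.g. 8.1 or 7.4).
# Distribution suffixes such as "8.2.23-1ubuntu1" are stripped before comparing.
php_is_patched() {
  ver=$(printf '%s' "$1" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/')
  branch=${ver%.*}
  fixed=$(fixed_version_for_branch "$branch") || return 2
  version_ge "$ver" "$fixed"
}

# Extract the version from `php -v` output, whose first line looks like
# "PHP 8.2.23 (cli) (built: ...)". Prints the version string.
php_version_from_output() {
  printf '%s\n' "$1" | sed -n '1s/^PHP \([0-9][0-9.]*\).*/\1/p'
}

# Constructed sample standing in for a real `php -v` run on an unpatched host.
SAMPLE_OUTPUT="PHP 8.2.23 (cli) (built: Aug 29 2024 10:00:00) (NTS)"

# Stand-alone usage: replace SAMPLE_OUTPUT with "$(php -v 2>/dev/null)" on a real host.
installed=$(php_version_from_output "$SAMPLE_OUTPUT")
if php_is_patched "$installed"; then
  echo "PHP $installed: security release installed"
else
  case $? in
    1) echo "PHP $installed: update required (see PHP 8.3.12 / 8.2.24 advisories)" ;;
    *) echo "PHP $installed: branch not covered by this check" ;;
  esac
fi
```

On a real host the script is run as-is with `SAMPLE_OUTPUT` replaced by the live `php -v` output; a non-zero status from `php_is_patched` is what a configuration-management job or monitoring check would key on.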
(dmk)