FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

php -- Multiple vulnerabilities

Affected packages
	php81	<	8.1.28
	php82	<	8.2.18
	php83	<	8.3.6

Details

VuXML ID	6d82c5e9-fc24-11ee-a689-04421a1baf97
Discovery	2024-04-11
Entry	2024-04-16

This update includes 3 security fixes:

High CVE-2024-1874: Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows

High CVE-2024-1874: Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows

Medium CVE-2024-2756: __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix

High CVE-2024-2757: mb_encode_mimeheader runs endlessly for some inputs

[source]

References

CVE Name	CVE-2024-1874
CVE Name	CVE-2024-2756
CVE Name	CVE-2024-2757
CVE Name	CVE-2024-3096
URL	https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq
URL	https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr
URL	https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7
URL	https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4