From 8c9111ca6e22b3c79fddc353b01b68c90554ca15 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Tue, 26 Oct 2021 21:08:40 +0200 Subject: [PATCH] package/php: security bump to version 7.4.25 Fixes the following security issue: - CVE-2021-21703: n PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user. For more details, see https://www.ambionics.io/blog/php-fpm-local-root https://www.php.net/ChangeLog-7.php#7.4.25 Signed-off-by: Peter Korsgaard --- package/php/php.hash | 2 +- package/php/php.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/php/php.hash b/package/php/php.hash index d82c81a703..c55f997731 100644 --- a/package/php/php.hash +++ b/package/php/php.hash @@ -1,5 +1,5 @@ # From https://www.php.net/downloads.php -sha256 ff7658ee2f6d8af05b48c21146af5f502e121def4e76e862df5ec9fa06e98734 php-7.4.24.tar.xz +sha256 12a758f1d7fee544387a28d3cf73226f47e3a52fb3049f07fcc37d156d393c0a php-7.4.25.tar.xz # License file sha256 a188db807d711536f71e27b7d36879d63480f7994dc18adc08e624b3c5430fff LICENSE diff --git a/package/php/php.mk b/package/php/php.mk index 30c3ee9ca4..27e665bf3c 100644 --- a/package/php/php.mk +++ b/package/php/php.mk @@ -4,7 +4,7 @@ # ################################################################################ -PHP_VERSION = 7.4.24 +PHP_VERSION = 7.4.25 PHP_SITE = http://www.php.net/distributions PHP_SOURCE = php-$(PHP_VERSION).tar.xz PHP_INSTALL_STAGING = YES