Build a Django Discussion Forum: Step-by-Step Tutorial
PHP versions 8.1.11, 8.0.24, and 7.4.32 are released with several bug fixes and two security fixes. The updated releases should be available shortly in the software distribution channels of operating systems, and they are already available on the official Docker Hub, as well as on windows.php.net for compiled Windows executables.
PHP versions 8.1.11, 8.0.24, and 7.4.32 contain two security fixes, with assigned CVE numbers CVE-2022-31628 and CVE-2022-31629. Additionally, all three versions contain bug fixes in FPM, DOM, GMP, Intl, and a few other extensions as well as PHP core.
The new releases contain a fix for a Denial of Service security vulnerability in PHP's Phar extension when it attempts to decompress Gzip quines.
A "Gzip quine" is a gzip archive that contains itself, and when a program attempts to extract it, it can fall into an infinite recursive loop. Prior to PHP 8.1.11, 8.0.24, and 7.4.32, PHP's Phar wrapper could be tricked into an infinite recursive loop with a Gzip quine, thereby causing a Denial of Service.
The new releases fix this by adding a hard limit of 3 recursions, preventing too deep or infinite recursions.
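The depth-limit idea described above, as an added Python example (not PHP's Phar code and not from the PHP project): it peels nested gzip layers and refuses input that is still gzip after 3 layers. The function names, the per-layer output cap, the way the limit of 3 is counted, and the finitely nested sample input (not a real quine) are assumptions made for illustration.

```python
import gzip
import zlib

MAX_DEPTH = 3               # the limit of 3 stated above; how PHP counts it is assumed
MAX_LAYER_BYTES = 1 << 20   # assumed extra cap on each layer's output (1 MiB)
GZIP_MAGIC = b"\x1f\x8b"    # first two bytes of every gzip member


class NestingTooDeep(Exception):
    """Raised when the input is still gzip after max_depth layers."""


def inflate_layer(data, limit=MAX_LAYER_BYTES):
    """Decompress one gzip member, refusing output larger than `limit`."""
    d = zlib.decompressobj(31)           # wbits=31: expect gzip header and trailer
    out = d.decompress(data, limit + 1)  # never materialise more than limit + 1 bytes
    if len(out) > limit:
        raise ValueError("layer expands past the output cap")
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return out


def unwrap(data, max_depth=MAX_DEPTH):
    """Peel nested gzip layers iteratively; return (payload, layers_removed)."""
    depth = 0
    while data.startswith(GZIP_MAGIC):
        if depth >= max_depth:
            # A self-containing archive never stops looking like gzip,
            # so without this check the loop would never terminate.
            raise NestingTooDeep(f"more than {max_depth} gzip layers")
        data = inflate_layer(data)
        depth += 1
    return data, depth


def nest(payload, layers):
    """Constructed sample input: `payload` gzipped `layers` times."""
    for _ in range(layers):
        payload = gzip.compress(payload)
    return payload


if __name__ == "__main__":
    print(unwrap(nest(b"phar-payload", 3)))
```

The depth check bounds how many layers are followed, while the output cap bounds how much each layer may expand; a gzip bomb with a single layer passes the first check and is only stopped by the second.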
Attempting to open a Phar archive with such a malicious recursion is now refused, and PHP emits a warning: