9 | 9 | <category term="frontpage" label="PHP.net frontpage news"/> |
10 | 10 | <content type="xhtml"> |
11 | 11 | <div xmlns="http://www.w3.org/1999/xhtml"> |
12 | | - <p>Recently, a bug in <b>glibc</b> version 2.39 and older (<a |
13 | | - href="archive/entries/2024-04-24-1.xml">CVE-2024-2961</a>) was uncovered |
| 12 | + <p>Recently, a bug in <strong>glibc</strong> version 2.39 and older (<a |
| 13 | + href="https://nvd.nist.gov/vuln/detail/CVE-2024-2961">CVE-2024-2961</a>) was uncovered |
14 | 14 | where a buffer overflow in character set conversions *to* the |
15 | 15 | ISO-2022-CN-EXT character set.</p> |
16 | | - |
| 16 | + |
17 | 17 | <p>This specific buffer overflow in glibc is exploitable through PHP, |
18 | 18 | which uses the iconv functionality in glibc to do character set |
19 | 19 | conversions. Although the bug is exploitable in the context of the PHP |
20 | 20 | Engine, the bug is not in PHP. It is also not directly exploitable |
21 | 21 | remotely.</p> |
22 | | - |
| 22 | + |
23 | 23 | <p>There are numerous reports online with titles like "Mitigating the |
24 | 24 | iconv Vulnerability for PHP (CVE-2024-2961)" or "PHP Under Attack". These |
25 | | - titles are misleading as this is *not* a bug in PHP itself.</p> |
26 | | - |
| 25 | + titles are misleading as this is <em>not</em> a bug in PHP itself.</p> |
| 26 | + |
27 | 27 | <p>Currently there is no fix for this issue, but there is a workaround |
28 | 28 | described in <a |
29 | 29 | href="https://rockylinux.org/news/glibc-vulnerability-april-2024/">GLIBC |
30 | 30 | Vulnerability on Servers Serving PHP</a>. It explains a way how to remove |
31 | 31 | the problematic character set from glibc. Perform this procedure for every |
32 | 32 | gconv-modules-extra.conf file that is available on your system.</p> |
33 | | - |
| 33 | + |
34 | 34 | <p>Additionally it is also good practice for applications to accept only |
35 | 35 | specific charsets, with an allow-list.</p> |
36 | | - |
| 36 | + |
37 | 37 | <p>Some Linux distributions such as <a |
38 | 38 | href="https://security-tracker.debian.org/tracker/CVE-2024-2961">Debian</a>, |
39 | 39 | CentOS, and others, already have published patched variants of glibc. |
40 | 40 | Please upgrade as soon as possible.</p> |
41 | | - |
| 41 | + |
42 | 42 | <p>Once an update is available in glibc, updating that package on your |
43 | 43 | Linux machine will be enough to alleviate the issue. You do not need to |
44 | 44 | update PHP, as glibc is a dynamically linked library.</p> |
45 | | - |
| 45 | + |
46 | 46 | <p>PHP users on Windows are not affected.</p> |
47 | | - |
| 47 | + |
48 | 48 | <p>There will therefore also not be a new version of PHP for this |
49 | 49 | vulnerability.</p> |
50 | 50 | </div> |
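Review bot: the emphasis conversion on new line 25 (`*not*` to `<em>not</em>`) is incomplete, because unchanged line 14 still carries `*to*` as literal asterisks, which inside `<content type="xhtml">` render as asterisks rather than emphasis; this commit should also change line 14 to `<em>to</em>`. While touching that sentence, note that lines 12-15 read "was uncovered where a buffer overflow in character set conversions *to* the ISO-2022-CN-EXT character set." and the subordinate clause has no verb; "where a buffer overflow occurs in character set conversions <em>to</em> the ISO-2022-CN-EXT character set" would read correctly. The replaced blank lines (old 16, 22, 26, 33, 36, 41, 45, 47) show no visible content on either side and appear to differ only in whitespace; dropping that churn would leave a diff containing just the two substantive edits, `<b>` to `<strong>` and the relative `archive/entries/2024-04-24-1.xml` href replaced by the absolute NVD URL, both of which look right for a feed entry.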