|Related CVEs||CVE-2022-31631 CVE-2023-0567 CVE-2023-0568 CVE-2023-0662|
Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in denial of service or incorrect validation of BCrypt hashes.
Due to an uncaught integer overflow, `PDO::quote()` of PDO_SQLite may return an improperly quoted string. The exact details likely depend on the implementation of `sqlite3_snprintf()`, but with some versions it is possible to force the function to return a single apostrophe, if the function is called on user supplied input without any length restrictions in place.
Tim Düsterhus discovered that malformed BCrypt hashes that include a `$` within their salt part trigger a buffer overread and may erroneously validate any password as valid. (`Password_verify()` always return `true` with such inputs.)
1-byte array overrun when appending slash to paths during path resolution.
Jakob Ackermann discovered a Denial of Service vulnerability when parsing multipart request body: the request body parsing in PHP allows any unauthenticated attacker to consume a large amount of CPU time and trigger excessive logging.
For Debian 9 stretch, these problems have been fixed in version 7.0.33-0+deb9u14.
We recommend that you upgrade your php7.0 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.