Security update for php8-pear

Announcement ID: SUSE-SU-2022:3198-1
Rating: moderate
CVSS scores:
  • CVE-2021-32610 (NVD): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected Products:
  • SUSE Linux Enterprise High Performance Computing 15 SP4
  • SUSE Linux Enterprise Server 15 SP4
  • SUSE Linux Enterprise Server for SAP Applications 15 SP4
  • SUSE Manager Proxy 4.3
  • SUSE Manager Retail Branch Server 4.3
  • SUSE Manager Server 4.3
  • Web and Scripting Module 15-SP4

An update that solves one vulnerability and contains one feature can now be installed.

Description:

This update for php8-pear fixes the following issues:

  • Add php8-pear to SLE15-SP4 (jsc#SLE-24728)
  • Update to 1.10.21
  • PEAR 1.10.13
    • unsupported protocol - use --force to continue
    • Add $this operator to _determineIfPowerpc calls
  • Update to 1.10.20
  • Archive_Tar 1.4.14
    • Properly fix symbolic link path traversal (CVE-2021-32610)
  • Archive_Tar 1.4.13
    • Relative symlinks failing (out-of path file extraction)
  • Archive_Tar 1.4.12
  • Archive_Tar 1.4.11
  • Archive_Tar 1.4.10
    • Fix block padding when the file buffer length is a multiple of 512 and smaller than Archive_Tar buffer length
    • Don't try to copy username/groupname in chroot jail
  • provides and obsoletes php7-pear-Archive_Tar, former location of PEAR/Archive/Tar.php

  • Update to version 1.10.19

  • PEAR 1.10.12
    • adjust dependencies based on new releases
  • XML_Util 1.4.5
    • fix Trying to access array offset on value of type int
  • Update to version 1.10.18

  • Remove pear-cacheid-array-check.patch (upstreamed)
  • Contents of .filemap are now sorted internally

  • Sort contents of .filemap to make build reproducible

  • Recommend php7-openssl to allow https sources to be used

  • Modify metadata_dir for system configuration only
  • Add /var/lib/pear directory where xml files are stored
  • Cleanup %files section

  • Only use the GPG keys of Chuck Burgess. Extracted from the Release Manager public keys.

  • Add release versions of PEAR modules

  • Install metadata files (registry, filemap, channels, ...) in /var/lib/pear/ instead of /usr/share/php7/PEAR/

  • Update to version 1.10.17

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • Web and Scripting Module 15-SP4
    zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP4-2022-3198=1

Package List:

  • Web and Scripting Module 15-SP4 (noarch)
    • php8-pecl-1.10.21-150400.9.3.1
    • php8-pear-1.10.21-150400.9.3.1
