CVE-2021-21703

NameCVE-2021-21703
DescriptionIn PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 a ...
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2794-1, DSA-4992-1, DSA-4993-1
Debian Bugs997003

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php7.4 (PTS)bullseye7.4.33-1+deb11u5fixed
bullseye (security)7.4.33-1+deb11u10fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php7.0sourcestretch7.0.33-0+deb9u12DLA-2794-1
php7.0source(unstable)(unfixed)
php7.3sourcebuster7.3.31-1~deb10u1DSA-4993-1
php7.3source(unstable)(unfixed)
php7.4sourcebullseye7.4.25-1+deb11u1DSA-4992-1
php7.4source(unstable)7.4.26-1997003
php8.0source(unstable)(unfixed)

Notes

Fixed in 8.0.12, 7.4.25
PHP Bug: http://bugs.php.net/81026
https://github.com/php/php-src/commit/fadb1f8c1d08ae62b4f0a16917040fde57a3b93b
https://www.ambionics.io/blog/php-fpm-local-root
https://www.openwall.com/lists/oss-security/2021/10/26/7
Search for package or bug name: Reporting problems