CVE-2021-21704

Name: CVE-2021-21704
Description: In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.
Source: CVE (at NVD)
References: DLA-2708-1, DSA-4935-1
Debian Bugs: 990575

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                         Version             Status
php7.0 (PTS)     stretch                         7.0.33-0+deb9u8     vulnerable
php7.0 (PTS)     stretch (security)              7.0.33-0+deb9u12    fixed
php7.3 (PTS)     buster, buster (security)       7.3.31-1~deb10u1    fixed
php7.4 (PTS)     bullseye (security), bullseye   7.4.28-1+deb11u1    fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version        Urgency   Origin       Debian Bugs
php7.0    source   stretch      7.0.33-0+deb9u11               DLA-2708-1
php7.0    source   (unstable)   (unfixed)
php7.3    source   buster       7.3.29-1~deb10u1               DSA-4935-1
php7.3    source   (unstable)   (unfixed)
php7.4    source   (unstable)   7.4.21-1+deb11u1
php8.0    source   (unstable)   8.0.8-1                                     990575

Notes

Fixed in 8.0.8, 7.4.21, 7.3.29
PHP Bug: https://bugs.php.net/76448
PHP Bug: https://bugs.php.net/76449
PHP Bug: https://bugs.php.net/76450
PHP Bug: https://bugs.php.net/76452
