Bug 2327960 (CVE-2024-8929)

Summary: CVE-2024-8929 php: Leak partial content of the heap through heap buffer over-read in mysqlnd
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: ben.argyle, kyoshida, vrajput
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the PHP MySQL client library. This vulnerability allows a hostile MySQL server to disclose the content of the client's heap, potentially exposing data from other SQL requests and other users of the same server via malicious server interactions.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2328034, 2328035, 2328036
Bug Blocks:

Description OSIDB Bzimport 2024-11-22 07:01:03 UTC
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possibly other data belonging to different users of the same server.

Comment 2 Ben 2025-02-17 13:08:19 UTC
Is there a status update as to when this will be patched for, or PHP moved to 8.1.31, please?

Comment 3 errata-xmlrpc 2025-04-28 15:14:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:4263 https://access.redhat.com/errata/RHSA-2025:4263

Comment 4 errata-xmlrpc 2025-05-13 10:35:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7315 https://access.redhat.com/errata/RHSA-2025:7315

Comment 5 errata-xmlrpc 2025-05-13 11:56:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7432 https://access.redhat.com/errata/RHSA-2025:7432