The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_4263.json

Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================
Red Hat Security Advisory

Synopsis:           Moderate: php:8.1 security update
Advisory ID:        RHSA-2025:4263-03
Product:            Red Hat Enterprise Linux
Advisory URL:       https://access.redhat.com/errata/RHSA-2025:4263
Issue date:         2025-04-28
Revision:           03
CVE Names:          CVE-2024-8929
====================================================================

Summary:

An update for the php:8.1 module is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

Security Fix(es):

* php: Leak partial content of the heap through heap buffer over-read in mysqlnd (CVE-2024-8929)

* php: Single byte overread with convert.quoted-printable-decode filter (CVE-2024-11233)

* php: Configuring a proxy in a stream context might allow for CRLF injection in URIs (CVE-2024-11234)

* php: Header parser of http stream wrapper does not handle folded headers (CVE-2025-1217)

* php: Stream HTTP wrapper header check might omit basic auth header (CVE-2025-1736)

* php: Streams HTTP wrapper does not fail for headers with invalid name and no colon (CVE-2025-1734)

* php: libxml streams use wrong content-type header when requesting a redirected resource (CVE-2025-1219)

* php: Stream HTTP wrapper truncates redirect location to 1024 bytes (CVE-2025-1861)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-8929

References:

https://access.redhat.com/security/updates/classification/#moderate
https://bugzilla.redhat.com/show_bug.cgi?id=2327960
https://bugzilla.redhat.com/show_bug.cgi?id=2328521
https://bugzilla.redhat.com/show_bug.cgi?id=2328523
https://bugzilla.redhat.com/show_bug.cgi?id=2355917
https://bugzilla.redhat.com/show_bug.cgi?id=2356041
https://bugzilla.redhat.com/show_bug.cgi?id=2356042
https://bugzilla.redhat.com/show_bug.cgi?id=2356043
https://bugzilla.redhat.com/show_bug.cgi?id=2356046