| Name | CVE-2021-21704 |
| Description | In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-2708-1, DSA-4935-1, ELA-457-1 |
| Debian Bugs | 990575 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| php5 (PTS) | jessie, jessie (lts) | 5.6.40+dfsg-0+deb8u18 | fixed |
| php7.0 (PTS) | stretch (security) | 7.0.33-0+deb9u12 | fixed |
| stretch (lts), stretch | 7.0.33-0+deb9u16 | fixed | |
| php7.3 (PTS) | buster | 7.3.31-1~deb10u1 | fixed |
| buster (security) | 7.3.31-1~deb10u5 | fixed | |
| php7.4 (PTS) | bullseye | 7.4.33-1+deb11u4 | fixed |
| bullseye (security) | 7.4.33-1+deb11u5 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| php5 | source | jessie | 5.6.40+dfsg-0+deb8u14 | ELA-457-1 | ||
| php7.0 | source | stretch | 7.0.33-0+deb9u11 | DLA-2708-1 | ||
| php7.0 | source | (unstable) | (unfixed) | |||
| php7.3 | source | buster | 7.3.29-1~deb10u1 | DSA-4935-1 | ||
| php7.3 | source | (unstable) | (unfixed) | |||
| php7.4 | source | (unstable) | 7.4.21-1+deb11u1 | |||
| php8.0 | source | (unstable) | 8.0.8-1 | 990575 |
Fixed in 8.0.8, 7.4.21, 7.3.29
PHP Bug: https://bugs.php.net/76448
PHP Bug: https://bugs.php.net/76449
PHP Bug: https://bugs.php.net/76450
PHP Bug: https://bugs.php.net/76452