CVE-2021-21704

NameCVE-2021-21704
DescriptionIn PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2708-1, DSA-4935-1, ELA-457-1
Debian Bugs990575

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php5 (PTS)jessie, jessie (lts)5.6.40+dfsg-0+deb8u21fixed
php7.0 (PTS)stretch (security)7.0.33-0+deb9u12fixed
stretch (lts), stretch7.0.33-0+deb9u19fixed
php7.3 (PTS)buster, buster (lts)7.3.31-1~deb10u8fixed
buster (security)7.3.31-1~deb10u7fixed
php7.4 (PTS)bullseye7.4.33-1+deb11u5fixed
bullseye (security)7.4.33-1+deb11u7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php5sourcejessie5.6.40+dfsg-0+deb8u14ELA-457-1
php7.0sourcestretch7.0.33-0+deb9u11DLA-2708-1
php7.0source(unstable)(unfixed)
php7.3sourcebuster7.3.29-1~deb10u1DSA-4935-1
php7.3source(unstable)(unfixed)
php7.4source(unstable)7.4.21-1+deb11u1
php8.0source(unstable)8.0.8-1990575

Notes

Fixed in 8.0.8, 7.4.21, 7.3.29
PHP Bug: https://bugs.php.net/76448
PHP Bug: https://bugs.php.net/76449
PHP Bug: https://bugs.php.net/76450
PHP Bug: https://bugs.php.net/76452

Search for package or bug name: Reporting problems