CVE-2024-2961

[rocketeerbkw]

There are rumors of a very bad PHP exploit going to be announced in mid May. If true, it may allow full RCE of any PHP application exposed to the internet. It depends on a security flaw in glibc assigned CVE-2024-2961.

The Lagoon PHP images are based on alpine linux, which uses musl, not glibc. At this time we believe our images are not vulnerable to the exploit.

We will update this issues as more information comes out.

[rocketeerbkw]

Some other references:

• https://www.offensivecon.org/speakers/2024/charles-fol.html
• https://www.offensivecon.org/speakers/2024/charles-fol.html
• https://rockylinux.org/news/glibc-vulnerability-april-2024/
• https://garrettmills.dev/blog/2024/04/22/Mitigating-the-iconv-Vulnerability-for-PHP-CVE-2024-2961/

[smlx]

AFAIK we aren't vulnerable to this. Can we close this issue?