Bug 13297

Summary: [CVE 21] php 7.4.30 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: critical
Priority: High
CC: a.proklov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+, y.tumanov: secteam_verified+, a.proklov: published+
Target Milestone: 2021.1 Fresh R12
Hardware: All
OS: Linux
URL: CVE-2022-31628, CVE-2022-31629, CVE-2022-31630, CVE-2022-37454,
Whiteboard:
Platform: 2021.1
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-05-03 18:01:51 MSK
Please patch CVEs for package php version 7.4.30
  
INFO (CVEs are): php 7.4.30
 cves found
CVE-2022-31628
Desc: In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-31628
Severity: MEDIUM
CVE-2022-31629
Desc: In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-31629
Severity: MEDIUM
CVE-2022-31630
Desc: In PHP versions prior to 7.4.33, 8.0.25 and 8.2.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-31630
Severity: HIGH
CVE-2022-37454
Desc: The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-37454
Severity: CRITICAL
Comment 1 Svyatoslav Matveev 2023-05-23 10:04:40 MSK
********** QA ADVISORY **********

CVE-2022-31630 is fixed in this version,
the rest are closed by patches.

*** php7

https://abf.io/build_lists/4443043
https://abf.io/build_lists/4443044
https://abf.io/build_lists/4443042
https://abf.io/build_lists/4443046
Comment 2 Dmitry Postnikov 2023-05-23 21:34:23 MSK
***************************
The update was sent to testing
Comment 3 Vladimir Potapov 2023-05-30 18:28:36 MSK
php-7.4.30-3
https://abf.io/build_lists/4443043
https://abf.io/build_lists/4443044
https://abf.io/build_lists/4443042
https://abf.io/build_lists/4443046
************************* Advisory ************************
CVEs fix
***********************************************************
QA Verified
Comment 4 Yury 2023-07-25 16:31:47 MSK
Secteam Verified