diff -Nru php8.1-8.1.2/debian/changelog php8.1-8.1.2/debian/changelog
--- php8.1-8.1.2/debian/changelog	2024-02-23 17:26:53.000000000 +0000
+++ php8.1-8.1.2/debian/changelog	2024-05-01 10:10:07.000000000 +0000
@@ -1,3 +1,29 @@
+php8.1 (8.1.2-1ubuntu2.17) jammy-security; urgency=medium
+
+  * SECURITY UPDATE: Heap buffer-overflow
+    - debian/patches/CVE-2022-4900.patch: prevent potential buffer
+      overflow for large valye of php_cli_server_workers_max in
+      sapi/cli/php_cli_server.c.
+    - CVE-2022-4900
+  * SECURITY UPDATE: Cookie by pass
+    - debian/patches/CVE-2024-2756.patch: adds more mangling rules
+      in main/php_variable.c.
+    - CVE-2024-2756
+  * SECURITY UPDATE: Account take over risk
+    - debian/patches/CVE-2024-3096.patch: disallow null character in bcrypt
+      password in ext/standard/password.c,
+      ext/standard/tests/password_bcrypt_errors.phpt.
+    - CVE-2024-3096
+
+ -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>  Wed, 01 May 2024 07:10:07 -0300
+
+php8.1 (8.1.2-1ubuntu2.16) jammy; urgency=medium
+
+  * d/p/fix-segfault-in-fpm_status_export_to_zval.patch: fix
+    segmentation fault in fpm_status_export_to_zval. (LP: #2057576)
+
+ -- Athos Ribeiro <athos.ribeiro@canonical.com>  Wed, 10 Apr 2024 08:54:30 -0300
+
 php8.1 (8.1.2-1ubuntu2.15) jammy; urgency=medium
 
   * d/p/fix-attribute-instantion-dangling-pointer.patch: Fix sigsegv from
diff -Nru php8.1-8.1.2/debian/patches/CVE-2022-4900.patch php8.1-8.1.2/debian/patches/CVE-2022-4900.patch
--- php8.1-8.1.2/debian/patches/CVE-2022-4900.patch	1970-01-01 00:00:00.000000000 +0000
+++ php8.1-8.1.2/debian/patches/CVE-2022-4900.patch	2024-05-01 10:09:37.000000000 +0000
@@ -0,0 +1,56 @@
+From 789a37f14405e2d1a05a76c9fb4ed2d49d4580d5 Mon Sep 17 00:00:00 2001
+From: guoyiyuan <yguoaz@gmail.com>
+Date: Wed, 13 Jul 2022 20:55:51 +0800
+Subject: [PATCH] Prevent potential buffer overflow for large value of
+ php_cli_server_workers_max
+
+Fixes #8989.
+Closes #9000.
+---
+ NEWS                      |  4 ++++
+ sapi/cli/php_cli_server.c | 10 +++-------
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+Index: php8.1-8.1.2/NEWS
+===================================================================
+--- php8.1-8.1.2.orig/NEWS
++++ php8.1-8.1.2/NEWS
+@@ -2,6 +2,10 @@ PHP
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 20 Jan 2022, PHP 8.1.2
+ 
++- CLI:
++  . Fixed potential overflow for the builtin server via the PHP_CLI_SERVER_WORKERS
++    environment variable. (yiyuaner)
++
+ - Core:
+   . Fixed bug #81216 (Nullsafe operator leaks dynamic property name). (Dmitry)
+   . Fixed bug #81684 (Using null coalesce assignment with $GLOBALS["x"] produces
+Index: php8.1-8.1.2/sapi/cli/php_cli_server.c
+===================================================================
+--- php8.1-8.1.2.orig/sapi/cli/php_cli_server.c
++++ php8.1-8.1.2/sapi/cli/php_cli_server.c
+@@ -2296,7 +2296,7 @@ static void php_cli_server_dtor(php_cli_
+ 					  !WIFSIGNALED(php_cli_server_worker_status));
+ 		}
+ 
+-		free(php_cli_server_workers);
++		pefree(php_cli_server_workers, 1);
+ 	}
+ #endif
+ } /* }}} */
+@@ -2382,12 +2382,8 @@ static void php_cli_server_startup_worke
+ 	if (php_cli_server_workers_max > 1) {
+ 		zend_long php_cli_server_worker;
+ 
+-		php_cli_server_workers = calloc(
+-			php_cli_server_workers_max, sizeof(pid_t));
+-		if (!php_cli_server_workers) {
+-			php_cli_server_workers_max = 1;
+-			return;
+-		}
++		php_cli_server_workers = pecalloc(
++			php_cli_server_workers_max, sizeof(pid_t), 1);
+ 
+ 		php_cli_server_master = getpid();
+ 
diff -Nru php8.1-8.1.2/debian/patches/CVE-2024-2756.patch php8.1-8.1.2/debian/patches/CVE-2024-2756.patch
--- php8.1-8.1.2/debian/patches/CVE-2024-2756.patch	1970-01-01 00:00:00.000000000 +0000
+++ php8.1-8.1.2/debian/patches/CVE-2024-2756.patch	2024-05-01 10:09:45.000000000 +0000
@@ -0,0 +1,157 @@
+From 093c08af25fb323efa0c8e6154aa9fdeae3d3b53 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Sun, 17 Mar 2024 21:04:47 +0100
+Subject: [PATCH] Fix GHSA-wpj3-hf5j-x4v4: __Host-/__Secure- cookie bypass due
+ to partial CVE-2022-31629 fix
+
+The check happened too early as later code paths may perform more
+mangling rules. Move the check downwards right before adding the actual
+variable.
+---
+ ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt | 63 +++++++++++++++++++++
+ main/php_variables.c                        | 41 +++++++++-----
+ 2 files changed, 90 insertions(+), 14 deletions(-)
+ create mode 100644 ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt
+
+#diff --git a/ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt b/ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt
+#new file mode 100644
+#index 0000000000000..77fcb68089488
+#--- /dev/null
+#+++ b/ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt
+#@@ -0,0 +1,63 @@
+#+--TEST--
+#+ghsa-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix)
+#+--COOKIE--
+#+..Host-test=ignore_1;
+#+._Host-test=ignore_2;
+#+.[Host-test=ignore_3;
+#+_.Host-test=ignore_4;
+#+__Host-test=ignore_5;
+#+_[Host-test=ignore_6;
+#+[.Host-test=ignore_7;
+#+[_Host-test=ignore_8;
+#+[[Host-test=ignore_9;
+#+..Host-test[]=ignore_10;
+#+._Host-test[]=ignore_11;
+#+.[Host-test[]=ignore_12;
+#+_.Host-test[]=ignore_13;
+#+__Host-test[]=legitimate_14;
+#+_[Host-test[]=legitimate_15;
+#+[.Host-test[]=ignore_16;
+#+[_Host-test[]=ignore_17;
+#+[[Host-test[]=ignore_18;
+#+..Secure-test=ignore_1;
+#+._Secure-test=ignore_2;
+#+.[Secure-test=ignore_3;
+#+_.Secure-test=ignore_4;
+#+__Secure-test=ignore_5;
+#+_[Secure-test=ignore_6;
+#+[.Secure-test=ignore_7;
+#+[_Secure-test=ignore_8;
+#+[[Secure-test=ignore_9;
+#+..Secure-test[]=ignore_10;
+#+._Secure-test[]=ignore_11;
+#+.[Secure-test[]=ignore_12;
+#+_.Secure-test[]=ignore_13;
+#+__Secure-test[]=legitimate_14;
+#+_[Secure-test[]=legitimate_15;
+#+[.Secure-test[]=ignore_16;
+#+[_Secure-test[]=ignore_17;
+#+[[Secure-test[]=ignore_18;
+#+--FILE--
+#+<?php
+#+var_dump($_COOKIE);
+#+?>
+#+--EXPECT--
+#+array(3) {
+#+  ["__Host-test"]=>
+#+  array(1) {
+#+    [0]=>
+#+    string(13) "legitimate_14"
+#+  }
+#+  ["_"]=>
+#+  array(2) {
+#+    ["Host-test["]=>
+#+    string(13) "legitimate_15"
+#+    ["Secure-test["]=>
+#+    string(13) "legitimate_15"
+#+  }
+#+  ["__Secure-test"]=>
+#+  array(1) {
+#+    [0]=>
+#+    string(13) "legitimate_14"
+#+  }
+#+}
+diff --git a/main/php_variables.c b/main/php_variables.c
+index 17e4a1e5d2cf1..da7266416a54d 100644
+--- a/main/php_variables.c
++++ b/main/php_variables.c
+@@ -54,6 +54,21 @@ static zend_always_inline void php_register_variable_quick(const char *name, siz
+ 	zend_string_release_ex(key, 0);
+ }
+ 
++/* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host-
++ * Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
++static bool php_is_forbidden_variable_name(const char *mangled_name, size_t mangled_name_len, const char *pre_mangled_name)
++{
++	if (mangled_name_len >= sizeof("__Host-")-1 && strncmp(mangled_name, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(pre_mangled_name, "__Host-", sizeof("__Host-")-1) != 0) {
++		return true;
++	}
++
++	if (mangled_name_len >= sizeof("__Secure-")-1 && strncmp(mangled_name, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(pre_mangled_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
++		return true;
++	}
++
++	return false;
++}
++
+ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *track_vars_array)
+ {
+ 	char *p = NULL;
+@@ -104,20 +119,6 @@ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *trac
+ 	}
+ 	var_len = p - var;
+ 
+-	/* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host- */
+-	if (strncmp(var, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(var_name, "__Host-", sizeof("__Host-")-1) != 0) {
+-		zval_ptr_dtor_nogc(val);
+-		free_alloca(var_orig, use_heap);
+-		return;
+-	}
+-
+-	/* Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
+-	if (strncmp(var, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(var_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
+-		zval_ptr_dtor_nogc(val);
+-		free_alloca(var_orig, use_heap);
+-		return;
+-	}
+-
+ 	if (var_len==0) { /* empty variable name, or variable name with a space in it */
+ 		zval_ptr_dtor_nogc(val);
+ 		free_alloca(var_orig, use_heap);
+@@ -221,6 +222,12 @@ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *trac
+ 					return;
+ 				}
+ 			} else {
++				if (php_is_forbidden_variable_name(index, index_len, var_name)) {
++					zval_ptr_dtor_nogc(val);
++					free_alloca(var_orig, use_heap);
++					return;
++				}
++
+ 				gpc_element_p = zend_symtable_str_find(symtable1, index, index_len);
+ 				if (!gpc_element_p) {
+ 					zval tmp;
+@@ -258,6 +265,12 @@ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *trac
+ 				zval_ptr_dtor_nogc(val);
+ 			}
+ 		} else {
++			if (php_is_forbidden_variable_name(index, index_len, var_name)) {
++				zval_ptr_dtor_nogc(val);
++				free_alloca(var_orig, use_heap);
++				return;
++			}
++
+ 			zend_ulong idx;
+ 
+ 			/*
diff -Nru php8.1-8.1.2/debian/patches/CVE-2024-3096.patch php8.1-8.1.2/debian/patches/CVE-2024-3096.patch
--- php8.1-8.1.2/debian/patches/CVE-2024-3096.patch	1970-01-01 00:00:00.000000000 +0000
+++ php8.1-8.1.2/debian/patches/CVE-2024-3096.patch	2024-05-01 10:09:51.000000000 +0000
@@ -0,0 +1,47 @@
+From 0ba5229a3f7572846e91c8f5382e87785f543826 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Fri, 29 Mar 2024 15:27:59 +0000
+Subject: [PATCH] Fix bug GHSA-q6x7-frmf-grcw: password_verify can erroneously
+ return true
+
+Disallow null character in bcrypt password
+---
+ ext/standard/password.c                                 | 5 +++++
+ ext/standard/tests/password/password_bcrypt_errors.phpt | 7 +++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/ext/standard/password.c b/ext/standard/password.c
+index 651cffc9fe656..fbe58da603053 100644
+--- a/ext/standard/password.c
++++ b/ext/standard/password.c
+@@ -184,6 +184,11 @@ static zend_string* php_password_bcrypt_hash(const zend_string *password, zend_a
+ 	zval *zcost;
+ 	zend_long cost = PHP_PASSWORD_BCRYPT_COST;
+ 
++	if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) {
++		zend_value_error("Bcrypt password must not contain null character");
++		return NULL;
++	}
++
+ 	if (options && (zcost = zend_hash_str_find(options, "cost", sizeof("cost")-1)) != NULL) {
+ 		cost = zval_get_long(zcost);
+ 	}
+diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt
+index 10c3483f5a80d..5d823cba0217d 100644
+--- a/ext/standard/tests/password/password_bcrypt_errors.phpt
++++ b/ext/standard/tests/password/password_bcrypt_errors.phpt
+@@ -14,7 +14,14 @@ try {
+ } catch (ValueError $exception) {
+     echo $exception->getMessage() . "\n";
+ }
++
++try {
++    var_dump(password_hash("null\0password", PASSWORD_BCRYPT));
++} catch (ValueError $e) {
++    echo $e->getMessage(), "\n";
++}
+ ?>
+ --EXPECT--
+ Invalid bcrypt cost parameter specified: 3
+ Invalid bcrypt cost parameter specified: 32
++Bcrypt password must not contain null character
diff -Nru php8.1-8.1.2/debian/patches/fix-segfault-in-fpm_status_export_to_zval.patch php8.1-8.1.2/debian/patches/fix-segfault-in-fpm_status_export_to_zval.patch
--- php8.1-8.1.2/debian/patches/fix-segfault-in-fpm_status_export_to_zval.patch	1970-01-01 00:00:00.000000000 +0000
+++ php8.1-8.1.2/debian/patches/fix-segfault-in-fpm_status_export_to_zval.patch	2024-04-10 11:54:30.000000000 +0000
@@ -0,0 +1,27 @@
+From df259f88daaf7df5673fd78a0a1b76a1d831d0a2 Mon Sep 17 00:00:00 2001
+From: Patrick Prasse <patrick.prasse@actindo.com>
+Date: Fri, 17 Nov 2023 16:32:23 +0000
+Subject: [PATCH] Fix bug GH-12705: Segmentation fault in fpm_status_export_to_zval
+
+Closes GH-12706
+
+Bug: https://github.com/php/php-src/issues/12705
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php7.4/+bug/2057576
+Last-update: 2024-04-10
+Origin: upstream, https://github.com/php/php-src/commit/df259f88daaf7df5673fd78a0a1b76a1d831d0a2
+---
+ NEWS                      | 4 ++++
+ sapi/fpm/fpm/fpm_status.c | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/sapi/fpm/fpm/fpm_status.c
++++ b/sapi/fpm/fpm/fpm_status.c
+@@ -55,7 +55,7 @@
+ 
+ 	scoreboard_p = fpm_scoreboard_acquire(NULL, 1);
+ 	if (!scoreboard_p) {
+-		zlog(ZLOG_NOTICE, "[pool %s] status: scoreboard already in use.", scoreboard_p->pool);
++		zlog(ZLOG_NOTICE, "[pool (unknown)] status: scoreboard already in use.");
+ 		return -1;
+ 	}
+ 
diff -Nru php8.1-8.1.2/debian/patches/series php8.1-8.1.2/debian/patches/series
--- php8.1-8.1.2/debian/patches/series	2024-02-23 17:26:53.000000000 +0000
+++ php8.1-8.1.2/debian/patches/series	2024-05-01 10:09:51.000000000 +0000
@@ -70,3 +70,7 @@
 CVE-2023-3824.patch
 fix-attribute-instantion-dangling-pointer.patch
 fix-attribute-instantion-memory-overflow-recovery.patch
+fix-segfault-in-fpm_status_export_to_zval.patch
+CVE-2022-4900.patch
+CVE-2024-2756.patch
+CVE-2024-3096.patch