Bug 1117

Summary: PHP Multiple vulnerability
Product: Mageia Reporter: Michael Scherer <misc>
Component: SecurityAssignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED QA Contact:
Severity: critical    
Priority: Normal CC: misc, pterjan, saispo
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://www.ubuntu.com/usn/usn-1126-1/
Whiteboard:
Source RPM: php CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 908    

Description Michael Scherer 2011-05-03 14:21:47 CEST 
Php suffer from multiple vulnerabilities : 
http://www.ubuntu.com/usn/usn-1126-1/
Michael Scherer 2011-05-03 14:22:02 CEST

Blocks: (none) => 908

Michael Scherer 2011-05-05 15:39:31 CEST

Summary: Multiple vulnerability => PHP Multiple vulnerability

Comment 1 Michael Scherer 2011-05-05 15:39:48 CEST 
According to saispo, there is some regression caused by this security update
Comment 2 Michael Scherer 2011-05-17 16:34:20 CEST 
Saispo, you have more information about the regression caused by this ?

CC: (none) => misc, saispo

Comment 3 Michael Scherer 2011-05-17 16:35:26 CEST 
Ok, regression seems to have been fixed : http://www.ubuntu.com/usn/usn-1126-2/

So I guess we can update php ?
Comment 4 Pascal Terjan 2011-05-18 21:16:41 CEST 
Several of them were already fixed by http://svnweb.mageia.org/packages?view=revision&revision=87292

- Update to 5.3.6
  - Fixes CVE-2011-1153, CVE-2011-1092, CVE-2011-0708, CVE-2011-0421
  - Sync with Mandriva

CC: (none) => pterjan

Comment 5 Pascal Terjan 2011-05-18 21:34:24 CEST 
From the CVE listed in that Ubuntu advisory:

CVE-2006-7243 Fixed in 5.3.4
CVE-2010-4697 Fixed in 5.3.4
CVE-2010-4698 Fixed in 5.3.4
CVE-2011-0420 
CVE-2011-0421 Fixed in 5.3.6
CVE-2011-0441 
CVE-2011-0708 Fixed in 5.3.6
CVE-2011-1092 Fixed in 5.3.6
CVE-2011-1144 
CVE-2011-1148 
CVE-2011-1153 Fixed in 5.3.6
CVE-2011-1464 Fixed in 5.3.6
CVE-2011-1466 Fixed in 5.3.6
CVE-2011-1467 Fixed in 5.3.6
CVE-2011-1468 Fixed in 5.3.6
CVE-2011-1469 Fixed in 5.3.6
CVE-2011-1470 Fixed in 5.3.6
CVE-2011-1471 Fixed in 5.3.6

So CVE-2011-0420, CVE-2011-0441, CVE-2011-1144 and CVE-2011-1148 need to be checked
Comment 6 Pascal Terjan 2011-05-18 23:15:33 CEST 
CVE-2011-0420 Not a security issue according to https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0420
Comment 7 Pascal Terjan 2011-05-18 23:22:27 CEST 
We already have the fix for CVE-2011-0441
Comment 8 Pascal Terjan 2011-05-18 23:25:35 CEST 
Fix for CVE-2011-1148
http://svn.php.net/viewvc?view=revision&revision=310194
Comment 9 Pascal Terjan 2011-05-18 23:28:29 CEST 
CVE-2011-1144 is for php-pear, not php
Comment 10 Pascal Terjan 2011-05-18 23:33:41 CEST 
Fix for CVE-2011-1148 added to php package.
Comment 11 Pascal Terjan 2011-05-18 23:43:54 CEST 
Fix for CVE-2011-1144 added to php-pear package.

Status: NEW => RESOLVED
Resolution: (none) => FIXED