| Summary: | PHP 5.5.24 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/640803/ | ||
| Whiteboard: | has_procedure advisory mga4-64-ok mga4-32-ok | ||
| Source RPM: | php-5.5.23-1.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-04-17 17:14:53 CEST
David Walser
2015-04-17 18:22:59 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/640803/ (In reply to David Walser from comment #0) > The CVE-2015-2783 issue (php#69324) issue in php-phar as well as the buffer > overflow in php-phar (php#69441) are new. A CVE has been requested for the > latter issue here: > http://openwall.com/lists/oss-security/2015/04/16/22 This (php#69441) now has CVE-2015-3329: http://openwall.com/lists/oss-security/2015/04/17/6 (In reply to David Walser from comment #0) > The remote code execution with apache 2.4 (php#69218) is also new and a CVE > for that has been requested here: > http://openwall.com/lists/oss-security/2015/04/17/3 This is now CVE-2015-3330: http://openwall.com/lists/oss-security/2015/04/17/7 Advisory: ======================== Updated php packages fix security vulnerabilities: Buffer Over-read in unserialize when parsing Phar (CVE-2015-2783). Buffer Overflow when parsing tar/zip/phar in phar_set_inode (CVE-2015-3329). Potential remote code execution with apache 2.4 apache2handler (CVE-2015-3330). PHP has been updated to version 5.5.24, which fixes these issues and other bugs. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2783 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3329 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3330 http://www.php.net/ChangeLog-5.php#5.5.24 ======================== Updated packages in core/updates_testing: ======================== php-ini-5.5.24-1.mga4 apache-mod_php-5.5.24-1.mga4 php-cli-5.5.24-1.mga4 php-cgi-5.5.24-1.mga4 libphp5_common5-5.5.24-1.mga4 php-devel-5.5.24-1.mga4 php-openssl-5.5.24-1.mga4 php-zlib-5.5.24-1.mga4 php-doc-5.5.24-1.mga4 php-bcmath-5.5.24-1.mga4 php-bz2-5.5.24-1.mga4 php-calendar-5.5.24-1.mga4 php-ctype-5.5.24-1.mga4 php-curl-5.5.24-1.mga4 php-dba-5.5.24-1.mga4 php-dom-5.5.24-1.mga4 php-enchant-5.5.24-1.mga4 php-exif-5.5.24-1.mga4 php-fileinfo-5.5.24-1.mga4 php-filter-5.5.24-1.mga4 php-ftp-5.5.24-1.mga4 php-gd-5.5.24-1.mga4 php-gettext-5.5.24-1.mga4 php-gmp-5.5.24-1.mga4 php-hash-5.5.24-1.mga4 php-iconv-5.5.24-1.mga4 php-imap-5.5.24-1.mga4 php-interbase-5.5.24-1.mga4 php-intl-5.5.24-1.mga4 php-json-5.5.24-1.mga4 php-ldap-5.5.24-1.mga4 php-mbstring-5.5.24-1.mga4 php-mcrypt-5.5.24-1.mga4 php-mssql-5.5.24-1.mga4 php-mysql-5.5.24-1.mga4 php-mysqli-5.5.24-1.mga4 php-mysqlnd-5.5.24-1.mga4 php-odbc-5.5.24-1.mga4 php-opcache-5.5.24-1.mga4 php-pcntl-5.5.24-1.mga4 php-pdo-5.5.24-1.mga4 php-pdo_dblib-5.5.24-1.mga4 php-pdo_firebird-5.5.24-1.mga4 php-pdo_mysql-5.5.24-1.mga4 php-pdo_odbc-5.5.24-1.mga4 php-pdo_pgsql-5.5.24-1.mga4 php-pdo_sqlite-5.5.24-1.mga4 php-pgsql-5.5.24-1.mga4 php-phar-5.5.24-1.mga4 php-posix-5.5.24-1.mga4 php-readline-5.5.24-1.mga4 php-recode-5.5.24-1.mga4 php-session-5.5.24-1.mga4 php-shmop-5.5.24-1.mga4 php-snmp-5.5.24-1.mga4 php-soap-5.5.24-1.mga4 php-sockets-5.5.24-1.mga4 php-sqlite3-5.5.24-1.mga4 php-sybase_ct-5.5.24-1.mga4 php-sysvmsg-5.5.24-1.mga4 php-sysvsem-5.5.24-1.mga4 php-sysvshm-5.5.24-1.mga4 php-tidy-5.5.24-1.mga4 php-tokenizer-5.5.24-1.mga4 php-xml-5.5.24-1.mga4 php-xmlreader-5.5.24-1.mga4 php-xmlrpc-5.5.24-1.mga4 php-xmlwriter-5.5.24-1.mga4 php-xsl-5.5.24-1.mga4 php-wddx-5.5.24-1.mga4 php-zip-5.5.24-1.mga4 php-fpm-5.5.24-1.mga4 php-apc-3.1.15-4.14.mga4 php-apc-admin-3.1.15-4.14.mga4 php-timezonedb-2015.3-1.mga4 from SRPMS: php-5.5.24-1.mga4.src.rpm php-apc-3.1.15-4.14.mga4.src.rpm php-timezonedb-2015.3-1.mga4.src.rpm Assignee:
bugsquad =>
qa-bugs LWN reference for CVE-2015-3329 and CVE-2015-3330: http://lwn.net/Vulnerabilities/641243/ Testing complete mga4 64 Tested at the same time as the wordpress update in bug 15745. Also tested zoneminder and php-apc at http://localhost/php-apc Whiteboard:
(none) =>
has_procedure mga4-64-ok Advisory uploaded. Whiteboard:
has_procedure mga4-64-ok =>
has_procedure advisory mga4-64-ok Testing complete mga4 32 Validating. Please push to 4 updates Thanks Keywords:
(none) =>
validated_update An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0169.html Status:
NEW =>
RESOLVED This also fixed CVE-2015-3307, CVE-2015-341[12], CVE-2015-459[89], and CVE-2015-460[0-5] according to RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1223441 https://bugzilla.redhat.com/show_bug.cgi?id=1213407 https://bugzilla.redhat.com/show_bug.cgi?id=1232823 https://bugzilla.redhat.com/show_bug.cgi?id=1232897 https://bugzilla.redhat.com/show_bug.cgi?id=1222538 https://bugzilla.redhat.com/show_bug.cgi?id=1232923 https://bugzilla.redhat.com/show_bug.cgi?id=1232918 https://bugzilla.redhat.com/show_bug.cgi?id=1213442 |