Bug 16553

Summary: PHP 5.5.28
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lewyssmith, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/655408/
Whiteboard: MGA4-64-OK advisory
Source RPM: php-5.5.27-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-08-07 17:13:18 CEST 
Upstream has released version 5.5.28 on August 6:
http://php.net/archive/2015.php#id2015-08-06-3

It says that there are 12 security fixes, and some of the fixes in the changelog do sound like security fixes, but it's not entirely clear what the 12 are, and there are no CVEs yet.  Advisory to come later, as usual.

References:
http://www.php.net/ChangeLog-5.php#5.5.28

Updated packages in core/updates_testing:
========================
php-ini-5.5.28-1.mga4
apache-mod_php-5.5.28-1.mga4
php-cli-5.5.28-1.mga4
php-cgi-5.5.28-1.mga4
libphp5_common5-5.5.28-1.mga4
php-devel-5.5.28-1.mga4
php-openssl-5.5.28-1.mga4
php-zlib-5.5.28-1.mga4
php-doc-5.5.28-1.mga4
php-bcmath-5.5.28-1.mga4
php-bz2-5.5.28-1.mga4
php-calendar-5.5.28-1.mga4
php-ctype-5.5.28-1.mga4
php-curl-5.5.28-1.mga4
php-dba-5.5.28-1.mga4
php-dom-5.5.28-1.mga4
php-enchant-5.5.28-1.mga4
php-exif-5.5.28-1.mga4
php-fileinfo-5.5.28-1.mga4
php-filter-5.5.28-1.mga4
php-ftp-5.5.28-1.mga4
php-gd-5.5.28-1.mga4
php-gettext-5.5.28-1.mga4
php-gmp-5.5.28-1.mga4
php-hash-5.5.28-1.mga4
php-iconv-5.5.28-1.mga4
php-imap-5.5.28-1.mga4
php-interbase-5.5.28-1.mga4
php-intl-5.5.28-1.mga4
php-json-5.5.28-1.mga4
php-ldap-5.5.28-1.mga4
php-mbstring-5.5.28-1.mga4
php-mcrypt-5.5.28-1.mga4
php-mssql-5.5.28-1.mga4
php-mysql-5.5.28-1.mga4
php-mysqli-5.5.28-1.mga4
php-mysqlnd-5.5.28-1.mga4
php-odbc-5.5.28-1.mga4
php-opcache-5.5.28-1.mga4
php-pcntl-5.5.28-1.mga4
php-pdo-5.5.28-1.mga4
php-pdo_dblib-5.5.28-1.mga4
php-pdo_firebird-5.5.28-1.mga4
php-pdo_mysql-5.5.28-1.mga4
php-pdo_odbc-5.5.28-1.mga4
php-pdo_pgsql-5.5.28-1.mga4
php-pdo_sqlite-5.5.28-1.mga4
php-pgsql-5.5.28-1.mga4
php-phar-5.5.28-1.mga4
php-posix-5.5.28-1.mga4
php-readline-5.5.28-1.mga4
php-recode-5.5.28-1.mga4
php-session-5.5.28-1.mga4
php-shmop-5.5.28-1.mga4
php-snmp-5.5.28-1.mga4
php-soap-5.5.28-1.mga4
php-sockets-5.5.28-1.mga4
php-sqlite3-5.5.28-1.mga4
php-sybase_ct-5.5.28-1.mga4
php-sysvmsg-5.5.28-1.mga4
php-sysvsem-5.5.28-1.mga4
php-sysvshm-5.5.28-1.mga4
php-tidy-5.5.28-1.mga4
php-tokenizer-5.5.28-1.mga4
php-xml-5.5.28-1.mga4
php-xmlreader-5.5.28-1.mga4
php-xmlrpc-5.5.28-1.mga4
php-xmlwriter-5.5.28-1.mga4
php-xsl-5.5.28-1.mga4
php-wddx-5.5.28-1.mga4
php-zip-5.5.28-1.mga4
php-fpm-5.5.28-1.mga4
php-apc-3.1.15-4.18.mga4
php-apc-admin-3.1.15-4.18.mga4

from SRPMS:
php-5.5.28-1.mga4.src.rpm
php-apc-3.1.15-4.18.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 Lewis Smith 2015-08-09 22:24:49 CEST 
Testing Mageia 4 x64

Updated all my installed PHP pkgs to those above in Updates Testing. (hint: to find them easily, sort on the version column).
Played extensively with setting up MediaWiki, eventually using the configured result. Used tried briefly phppgadmin, phpmyadmin, Wordpress, Moodle. No problems noticed, so OKing this.

CC: (none) => lewyssmith
Whiteboard: (none) => MGA4-64-OK

Comment 2 Samuel Verschelde 2015-08-18 10:52:45 CEST 
Tested various webapps, works ok here. It's Mageia 4 64 too but I think it's enough to validate (and IIRC php comes with its own testing suite which is run during build).

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 3 Samuel Verschelde 2015-08-18 10:53:13 CEST 
Needs an advisory though.
Comment 4 David Walser 2015-08-19 14:47:27 CEST 
Thanks Samuel.

CVEs were just requested for issues fixed in this one:
http://openwall.com/lists/oss-security/2015/08/19/3

Let's see if we hear something on that soon.
Comment 5 David Walser 2015-08-20 02:58:31 CEST 
If we don't hear anything on the CVE assignments by meeting time this Thursday, we can use this general advisory.

Advisory:
========================

Updated php packages fix security vulnerabilities:

The php package has been updated to version 5.5.28, which fixes several
security issues and other bugs.  See the upstream ChangeLog for more details.

References:
http://www.php.net/ChangeLog-5.php#5.5.28
RĂ©mi Verschelde 2015-08-21 16:21:00 CEST

Whiteboard: MGA4-64-OK => MGA4-64-OK advisory

Comment 6 Mageia Robot 2015-08-21 20:56:13 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0319.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-08-24 19:24:47 CEST

URL: (none) => http://lwn.net/Vulnerabilities/655408/

Comment 7 David Walser 2015-09-08 21:05:29 CEST 
CVE-2015-6831, CVE-2015-6832, CVE-2015-6833 assigned to this update:
http://openwall.com/lists/oss-security/2015/09/08/7
Comment 8 David Walser 2015-09-25 19:52:28 CEST 
(In reply to David Walser from comment #7)
> CVE-2015-6831, CVE-2015-6832, CVE-2015-6833 assigned to this update:
> http://openwall.com/lists/oss-security/2015/09/08/7

LWN reference:
http://lwn.net/Vulnerabilities/658453/