Bug 17687

Summary: PHP 5.6.18
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/674929/
Whiteboard: has_procedure advisory MGA5-64-OK
Source RPM: php-5.6.17-mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-02-04 16:52:17 CET 
PHP 5.6.18 has been released today (February 4).  The announcement and changelog haven't been posted to their website yet, but you can see the changelog in the NEWS file in git:
http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=6dba6e4fa7eee0eadd78a9ad865913a3c142aac2;hb=62cf13d3aa08b15107b02a0505a4f30142fa37b4

Several of the fixes look security relevant.

Updated package uploaded for Mageia 5.

Advisory:
========================

Updated php packages fix security vulnerabilities:

The php package has been updated to version 5.6.18, which fixes several
security issues and other bugs.  See the upstream ChangeLog for more details.

References:
http://www.php.net/ChangeLog-5.php#5.6.18

Updated packages in core/updates_testing:
========================
php-ini-5.6.18-1.mga5
apache-mod_php-5.6.18-1.mga5
php-cli-5.6.18-1.mga5
php-cgi-5.6.18-1.mga5
libphp5_common5-5.6.18-1.mga5
php-devel-5.6.18-1.mga5
php-openssl-5.6.18-1.mga5
php-zlib-5.6.18-1.mga5
php-doc-5.6.18-1.mga5
php-bcmath-5.6.18-1.mga5
php-bz2-5.6.18-1.mga5
php-calendar-5.6.18-1.mga5
php-ctype-5.6.18-1.mga5
php-curl-5.6.18-1.mga5
php-dba-5.6.18-1.mga5
php-dom-5.6.18-1.mga5
php-enchant-5.6.18-1.mga5
php-exif-5.6.18-1.mga5
php-fileinfo-5.6.18-1.mga5
php-filter-5.6.18-1.mga5
php-ftp-5.6.18-1.mga5
php-gd-5.6.18-1.mga5
php-gettext-5.6.18-1.mga5
php-gmp-5.6.18-1.mga5
php-hash-5.6.18-1.mga5
php-iconv-5.6.18-1.mga5
php-imap-5.6.18-1.mga5
php-interbase-5.6.18-1.mga5
php-intl-5.6.18-1.mga5
php-json-5.6.18-1.mga5
php-ldap-5.6.18-1.mga5
php-mbstring-5.6.18-1.mga5
php-mcrypt-5.6.18-1.mga5
php-mssql-5.6.18-1.mga5
php-mysql-5.6.18-1.mga5
php-mysqli-5.6.18-1.mga5
php-mysqlnd-5.6.18-1.mga5
php-odbc-5.6.18-1.mga5
php-opcache-5.6.18-1.mga5
php-pcntl-5.6.18-1.mga5
php-pdo-5.6.18-1.mga5
php-pdo_dblib-5.6.18-1.mga5
php-pdo_firebird-5.6.18-1.mga5
php-pdo_mysql-5.6.18-1.mga5
php-pdo_odbc-5.6.18-1.mga5
php-pdo_pgsql-5.6.18-1.mga5
php-pdo_sqlite-5.6.18-1.mga5
php-pgsql-5.6.18-1.mga5
php-phar-5.6.18-1.mga5
php-posix-5.6.18-1.mga5
php-readline-5.6.18-1.mga5
php-recode-5.6.18-1.mga5
php-session-5.6.18-1.mga5
php-shmop-5.6.18-1.mga5
php-snmp-5.6.18-1.mga5
php-soap-5.6.18-1.mga5
php-sockets-5.6.18-1.mga5
php-sqlite3-5.6.18-1.mga5
php-sybase_ct-5.6.18-1.mga5
php-sysvmsg-5.6.18-1.mga5
php-sysvsem-5.6.18-1.mga5
php-sysvshm-5.6.18-1.mga5
php-tidy-5.6.18-1.mga5
php-tokenizer-5.6.18-1.mga5
php-xml-5.6.18-1.mga5
php-xmlreader-5.6.18-1.mga5
php-xmlrpc-5.6.18-1.mga5
php-xmlwriter-5.6.18-1.mga5
php-xsl-5.6.18-1.mga5
php-wddx-5.6.18-1.mga5
php-zip-5.6.18-1.mga5
php-fpm-5.6.18-1.mga5
phpdbg-5.6.18-1.mga5

from SRPMS:
php-5.6.18-mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 Lewis Smith 2016-02-08 13:41:02 CET 
Testing M5 x64 real h/w

Updated via MCC/Update System from Updates Testing the 45 PHP pkgs from the list I had already installed, to 5.6.18-1.mga.

Tried Bugzilla, Drupal, MediaWiki, PHPmyAdmin, PHPpgAdmin. Nothing untoward noticed, so for me this update is OK.

CC: (none) => lewyssmith
Whiteboard: (none) => MGA5-64-OK

Comment 2 claire robinson 2016-02-09 12:49:44 CET 
Good job Lewis. Validating.

Please push to 5 updates, thanks.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => has_procedure advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2016-02-09 14:46:47 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0058.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-02-09 18:29:44 CET

URL: (none) => http://lwn.net/Vulnerabilities/674929/

Comment 4 David Walser 2016-03-10 19:41:19 CET 
php#71488, a php-phar issue fixed in this update it, apparently was assigned CVE-2016-2554:
http://lwn.net/Vulnerabilities/679620/
Comment 5 David Walser 2016-04-28 19:22:33 CEST 
More phar issues in this update were assigned CVE-2016-4342 and CVE-2016-4343:
http://openwall.com/lists/oss-security/2016/04/28/6
Comment 6 David Walser 2016-05-19 16:42:08 CEST 
(In reply to David Walser from comment #5)
> More phar issues in this update were assigned CVE-2016-4342 and
> CVE-2016-4343:
> http://openwall.com/lists/oss-security/2016/04/28/6

LWN reference:
http://lwn.net/Vulnerabilities/688055/
Comment 7 David Walser 2018-02-24 23:20:18 CET 
This update also fixed CVE-2016-10712:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00102.html