Bug 17899

Summary: PHP 5.6.19
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/679764/
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Source RPM: php-5.6.18-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-03-07 21:35:15 CET 
PHP 5.6.19 has been released on March 3:
http://php.net/archive/2016.php#id2016-03-03-3

It fixes several security bugs.  There are no CVEs (yet?).
http://php.net/ChangeLog-5.php#5.6.19

Updated packages uploaded for Mageia 5 and Cauldron.

The timezone and php-timezonedb packages have also been updated.

Advisory:
========================

Updated php packages fix security vulnerabilities:

The php package has been updated to version 5.6.19, which fixes several
security issues and other bugs.  See the upstream ChangeLog for more details.

The timezone information in the timezone and php-timezonedb packages has also
been updated to the latest, version 2016a.

References:
http://www.php.net/ChangeLog-5.php#5.6.19
http://mm.icann.org/pipermail/tz-announce/2015-October/000034.html
http://mm.icann.org/pipermail/tz-announce/2016-January/000035.html
========================

Updated packages in core/updates_testing:
========================
php-ini-5.6.19-1.mga5
apache-mod_php-5.6.19-1.mga5
php-cli-5.6.19-1.mga5
php-cgi-5.6.19-1.mga5
libphp5_common5-5.6.19-1.mga5
php-devel-5.6.19-1.mga5
php-openssl-5.6.19-1.mga5
php-zlib-5.6.19-1.mga5
php-doc-5.6.19-1.mga5
php-bcmath-5.6.19-1.mga5
php-bz2-5.6.19-1.mga5
php-calendar-5.6.19-1.mga5
php-ctype-5.6.19-1.mga5
php-curl-5.6.19-1.mga5
php-dba-5.6.19-1.mga5
php-dom-5.6.19-1.mga5
php-enchant-5.6.19-1.mga5
php-exif-5.6.19-1.mga5
php-fileinfo-5.6.19-1.mga5
php-filter-5.6.19-1.mga5
php-ftp-5.6.19-1.mga5
php-gd-5.6.19-1.mga5
php-gettext-5.6.19-1.mga5
php-gmp-5.6.19-1.mga5
php-hash-5.6.19-1.mga5
php-iconv-5.6.19-1.mga5
php-imap-5.6.19-1.mga5
php-interbase-5.6.19-1.mga5
php-intl-5.6.19-1.mga5
php-json-5.6.19-1.mga5
php-ldap-5.6.19-1.mga5
php-mbstring-5.6.19-1.mga5
php-mcrypt-5.6.19-1.mga5
php-mssql-5.6.19-1.mga5
php-mysql-5.6.19-1.mga5
php-mysqli-5.6.19-1.mga5
php-mysqlnd-5.6.19-1.mga5
php-odbc-5.6.19-1.mga5
php-opcache-5.6.19-1.mga5
php-pcntl-5.6.19-1.mga5
php-pdo-5.6.19-1.mga5
php-pdo_dblib-5.6.19-1.mga5
php-pdo_firebird-5.6.19-1.mga5
php-pdo_mysql-5.6.19-1.mga5
php-pdo_odbc-5.6.19-1.mga5
php-pdo_pgsql-5.6.19-1.mga5
php-pdo_sqlite-5.6.19-1.mga5
php-pgsql-5.6.19-1.mga5
php-phar-5.6.19-1.mga5
php-posix-5.6.19-1.mga5
php-readline-5.6.19-1.mga5
php-recode-5.6.19-1.mga5
php-session-5.6.19-1.mga5
php-shmop-5.6.19-1.mga5
php-snmp-5.6.19-1.mga5
php-soap-5.6.19-1.mga5
php-sockets-5.6.19-1.mga5
php-sqlite3-5.6.19-1.mga5
php-sybase_ct-5.6.19-1.mga5
php-sysvmsg-5.6.19-1.mga5
php-sysvsem-5.6.19-1.mga5
php-sysvshm-5.6.19-1.mga5
php-tidy-5.6.19-1.mga5
php-tokenizer-5.6.19-1.mga5
php-xml-5.6.19-1.mga5
php-xmlreader-5.6.19-1.mga5
php-xmlrpc-5.6.19-1.mga5
php-xmlwriter-5.6.19-1.mga5
php-xsl-5.6.19-1.mga5
php-wddx-5.6.19-1.mga5
php-zip-5.6.19-1.mga5
php-fpm-5.6.19-1.mga5
phpdbg-5.6.19-1.mga5
timezone-2016a-1.mga5
timezone-java-2016a-1.mga5
php-timezonedb-2016.1-1.mga5

from SRPMS:
php-5.6.19-mga5.src.rpm
timezone-2016a-1.mga5.src.rpm
php-timezonedb-2016.1-1.mga5.src.rpm
Dave Hodgins 2016-03-07 21:52:31 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 1 David Walser 2016-03-09 15:53:22 CET 
Fedora has issued an advisory for this on March 5:
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178442.html

URL: (none) => http://lwn.net/Vulnerabilities/674929/

Comment 2 William Kenney 2016-03-09 20:02:32 CET 
In VirtualBox, M5, KDE, 32-bit

Install and setup mariadb
In root terminal: systemctl start mysqld.service
Set password to: testphp
[root@localhost wilcal]# mysqladmin -u root password
type password "testphp" twice

Package(s) under test:
php-ini php-fpm mariadb phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.10-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.10-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.5-1.2.mga5.noarch is already installed

localhost/phpmyadmin opens and creates a database named "test01"
I can close localhost/phpmyadmin then reopen and access db test01

install php-ini & php-fpm from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.19-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.19-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.5-1.2.mga5.noarch is already installed

localhost/phpmyadmin opens and I can access db "test01"
localhost/phpmyadmin opens and creates a database named "test02"
I can close localhost/phpmyadmin then reopen and access db's test01 & test02

CC: (none) => wilcal.int

Comment 3 William Kenney 2016-03-09 20:21:28 CET 
In VirtualBox, M5, KDE, 64-bit

Install and setup mariadb
In root terminal: systemctl start mysqld.service
Set password to: testphp
[root@localhost wilcal]# mysqladmin -u root password
type password "testphp" twice

Package(s) under test:
php-ini php-fpm mariadb phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.18-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.18-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.5-1.2.mga5.noarch is already installed

localhost/phpmyadmin opens and creates a database named "test01"
I can close localhost/phpmyadmin then reopen and access db test01

install php-ini & php-fpm from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.19-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.19-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.5-1.2.mga5.noarch is already installed

localhost/phpmyadmin opens and I can access db "test01"
localhost/phpmyadmin opens and creates a database named "test02"
I can close localhost/phpmyadmin then reopen and access db's test01 & test02
Comment 4 William Kenney 2016-03-09 20:21:51 CET 
Looks ok to me
Comment 5 David Walser 2016-03-10 16:00:33 CET 
CVEs have been requested:
http://openwall.com/lists/oss-security/2016/03/10/5
William Kenney 2016-03-10 21:43:54 CET

Whiteboard: advisory => advisory MGA5-32-OK MGA5-64-OK

Dave Hodgins 2016-03-11 00:30:00 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2016-03-11 00:50:13 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0110.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-03-11 16:42:43 CET

URL: http://lwn.net/Vulnerabilities/674929/ => http://lwn.net/Vulnerabilities/679764/

Comment 7 David Walser 2016-03-14 17:16:33 CET 
php#71587 - CVE-2016-3141
php#71498 - CVE-2016-3142

http://openwall.com/lists/oss-security/2016/03/14/7
http://openwall.com/lists/oss-security/2016/03/14/8