Bug 18287

Summary: PHP 5.6.21
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/685885/
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Source RPM: php-5.6.20-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-04-28 14:52:05 CEST 
PHP 5.6.21 has been released either yesterday or today (April 27-28).  It has not yet been announced.  You can see the ChangeLog in git:
http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=4905156bc5a1b6e2c0cd1e06b5aacb8cb7c3ec3d;hb=refs/heads/PHP-5.6

Some of the fixes are likely security relevant.

For the GD issues listed, php#71912 is CVE-2016-3074, which we already fixed in libgd (we don't use PHP's bundled copy), and php#71952 isn't a security issue according to upstream (and is in the php-gd code, not libgd).

Updated php packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated php packages fix security vulnerabilities:

The php package has been updated to version 5.6.21, which fixes several
security issues and other bugs.  See the upstream ChangeLog for more details.

References:
http://www.php.net/ChangeLog-5.php#5.6.21
========================

Updated packages in core/updates_testing:
========================
php-ini-5.6.21-1.mga5
apache-mod_php-5.6.21-1.mga5
php-cli-5.6.21-1.mga5
php-cgi-5.6.21-1.mga5
libphp5_common5-5.6.21-1.mga5
php-devel-5.6.21-1.mga5
php-openssl-5.6.21-1.mga5
php-zlib-5.6.21-1.mga5
php-doc-5.6.21-1.mga5
php-bcmath-5.6.21-1.mga5
php-bz2-5.6.21-1.mga5
php-calendar-5.6.21-1.mga5
php-ctype-5.6.21-1.mga5
php-curl-5.6.21-1.mga5
php-dba-5.6.21-1.mga5
php-dom-5.6.21-1.mga5
php-enchant-5.6.21-1.mga5
php-exif-5.6.21-1.mga5
php-fileinfo-5.6.21-1.mga5
php-filter-5.6.21-1.mga5
php-ftp-5.6.21-1.mga5
php-gd-5.6.21-1.mga5
php-gettext-5.6.21-1.mga5
php-gmp-5.6.21-1.mga5
php-hash-5.6.21-1.mga5
php-iconv-5.6.21-1.mga5
php-imap-5.6.21-1.mga5
php-interbase-5.6.21-1.mga5
php-intl-5.6.21-1.mga5
php-json-5.6.21-1.mga5
php-ldap-5.6.21-1.mga5
php-mbstring-5.6.21-1.mga5
php-mcrypt-5.6.21-1.mga5
php-mssql-5.6.21-1.mga5
php-mysql-5.6.21-1.mga5
php-mysqli-5.6.21-1.mga5
php-mysqlnd-5.6.21-1.mga5
php-odbc-5.6.21-1.mga5
php-opcache-5.6.21-1.mga5
php-pcntl-5.6.21-1.mga5
php-pdo-5.6.21-1.mga5
php-pdo_dblib-5.6.21-1.mga5
php-pdo_firebird-5.6.21-1.mga5
php-pdo_mysql-5.6.21-1.mga5
php-pdo_odbc-5.6.21-1.mga5
php-pdo_pgsql-5.6.21-1.mga5
php-pdo_sqlite-5.6.21-1.mga5
php-pgsql-5.6.21-1.mga5
php-phar-5.6.21-1.mga5
php-posix-5.6.21-1.mga5
php-readline-5.6.21-1.mga5
php-recode-5.6.21-1.mga5
php-session-5.6.21-1.mga5
php-shmop-5.6.21-1.mga5
php-snmp-5.6.21-1.mga5
php-soap-5.6.21-1.mga5
php-sockets-5.6.21-1.mga5
php-sqlite3-5.6.21-1.mga5
php-sybase_ct-5.6.21-1.mga5
php-sysvmsg-5.6.21-1.mga5
php-sysvsem-5.6.21-1.mga5
php-sysvshm-5.6.21-1.mga5
php-tidy-5.6.21-1.mga5
php-tokenizer-5.6.21-1.mga5
php-xml-5.6.21-1.mga5
php-xmlreader-5.6.21-1.mga5
php-xmlrpc-5.6.21-1.mga5
php-xmlwriter-5.6.21-1.mga5
php-xsl-5.6.21-1.mga5
php-wddx-5.6.21-1.mga5
php-zip-5.6.21-1.mga5
php-fpm-5.6.21-1.mga5
phpdbg-5.6.21-1.mga5

from php-5.6.21-1.mga5.src.rpm
Comment 1 William Kenney 2016-04-28 18:21:23 CEST 
In VirtualBox, M5, KDE, 32-bit

Install and setup mariadb
In root terminal: systemctl start mysqld.service
Set password to: testphp
[root@localhost wilcal]# mysqladmin -u root password
type password "testphp" twice

Package(s) under test:
php-ini php-fpm mariadb phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.20-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.20-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.24-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.5-1.2.mga5.noarch is already installed

localhost/phpmyadmin opens and creates a database named "test01"
I can close localhost/phpmyadmin then reopen and access db test01

install php-ini & php-fpm from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.21-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.21-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.5-1.2.mga5.noarch is already installed

localhost/phpmyadmin opens and I can access db "test01"
localhost/phpmyadmin opens and creates a database named "test02"
I can close localhost/phpmyadmin then reopen and access db's test01 & test02

CC: (none) => wilcal.int
Whiteboard: (none) => MGA5-32-OK

Comment 2 William Kenney 2016-04-28 18:39:30 CEST 
In VirtualBox, M5, KDE, 64-bit

Install and setup mariadb
In root terminal: systemctl start mysqld.service
Set password to: testphp
[root@localhost wilcal]# mysqladmin -u root password
type password "testphp" twice

Package(s) under test:
php-ini php-fpm mariadb phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.20-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.20-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.24-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.5-1.2.mga5.noarch is already installed

localhost/phpmyadmin opens and creates a database named "test01"
I can close localhost/phpmyadmin then reopen and access db test01

install php-ini & php-fpm from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.21-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.21-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.5-1.2.mga5.noarch is already installed

localhost/phpmyadmin opens and I can access db "test01"
localhost/phpmyadmin opens and creates a database named "test02"
I can close localhost/phpmyadmin then reopen and access db's test01 & test02
William Kenney 2016-04-28 18:39:46 CEST

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Comment 3 William Kenney 2016-04-28 18:40:19 CEST 
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 claire robinson 2016-04-28 18:44:06 CEST 
Advisory uploaded.

Whiteboard: MGA5-32-OK MGA5-64-OK => advisory MGA5-32-OK MGA5-64-OK

Comment 5 Mageia Robot 2016-04-29 19:22:25 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0159.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2016-05-05 17:09:14 CEST 
CVE request:
http://openwall.com/lists/oss-security/2016/05/05/21
David Walser 2016-05-05 17:43:31 CEST

URL: (none) => http://lwn.net/Vulnerabilities/685885/

Comment 7 David Walser 2016-05-06 14:10:22 CEST 
(In reply to David Walser from comment #6)
> CVE request:
> http://openwall.com/lists/oss-security/2016/05/05/21

http://openwall.com/lists/oss-security/2016/05/05/24

- CVE-2016-4537
- CVE-2016-4538
- CVE-2016-4539
- CVE-2016-4540
- CVE-2016-4541
- CVE-2016-4542
- CVE-2016-4543
- CVE-2016-4544