Bug 19219

Summary: PHP 5.6.25
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/698797/
Whiteboard: MGA5-64-OK advisory
Source RPM: php-5.6.24-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-08-19 16:07:41 CEST 
PHP 5.6.25 has been released on August 18 (even though it says 19):
http://php.net/archive/2016.php#id2016-08-18-2

There are several security bugs fixed in this update.  No CVEs are available yet.

Updated packages uploaded for Mageia 5 and Cauldron.

The only possible security issue in php-gd that may affect libgd is php#72709, which has not been addressed in libgd.  I'll update it if an update becomes available.

Advisory:
========================

Updated php packages fix security vulnerabilities:

The php package has been updated to version 5.6.25, which fixes several
security issues and other bugs.  See the upstream ChangeLog for more details.

References:
http://www.php.net/ChangeLog-5.php#5.6.25
========================

Updated packages in core/updates_testing:
========================
php-ini-5.6.25-1.mga5
apache-mod_php-5.6.25-1.mga5
php-cli-5.6.25-1.mga5
php-cgi-5.6.25-1.mga5
libphp5_common5-5.6.25-1.mga5
php-devel-5.6.25-1.mga5
php-openssl-5.6.25-1.mga5
php-zlib-5.6.25-1.mga5
php-doc-5.6.25-1.mga5
php-bcmath-5.6.25-1.mga5
php-bz2-5.6.25-1.mga5
php-calendar-5.6.25-1.mga5
php-ctype-5.6.25-1.mga5
php-curl-5.6.25-1.mga5
php-dba-5.6.25-1.mga5
php-dom-5.6.25-1.mga5
php-enchant-5.6.25-1.mga5
php-exif-5.6.25-1.mga5
php-fileinfo-5.6.25-1.mga5
php-filter-5.6.25-1.mga5
php-ftp-5.6.25-1.mga5
php-gd-5.6.25-1.mga5
php-gettext-5.6.25-1.mga5
php-gmp-5.6.25-1.mga5
php-hash-5.6.25-1.mga5
php-iconv-5.6.25-1.mga5
php-imap-5.6.25-1.mga5
php-interbase-5.6.25-1.mga5
php-intl-5.6.25-1.mga5
php-json-5.6.25-1.mga5
php-ldap-5.6.25-1.mga5
php-mbstring-5.6.25-1.mga5
php-mcrypt-5.6.25-1.mga5
php-mssql-5.6.25-1.mga5
php-mysql-5.6.25-1.mga5
php-mysqli-5.6.25-1.mga5
php-mysqlnd-5.6.25-1.mga5
php-odbc-5.6.25-1.mga5
php-opcache-5.6.25-1.mga5
php-pcntl-5.6.25-1.mga5
php-pdo-5.6.25-1.mga5
php-pdo_dblib-5.6.25-1.mga5
php-pdo_firebird-5.6.25-1.mga5
php-pdo_mysql-5.6.25-1.mga5
php-pdo_odbc-5.6.25-1.mga5
php-pdo_pgsql-5.6.25-1.mga5
php-pdo_sqlite-5.6.25-1.mga5
php-pgsql-5.6.25-1.mga5
php-phar-5.6.25-1.mga5
php-posix-5.6.25-1.mga5
php-readline-5.6.25-1.mga5
php-recode-5.6.25-1.mga5
php-session-5.6.25-1.mga5
php-shmop-5.6.25-1.mga5
php-snmp-5.6.25-1.mga5
php-soap-5.6.25-1.mga5
php-sockets-5.6.25-1.mga5
php-sqlite3-5.6.25-1.mga5
php-sybase_ct-5.6.25-1.mga5
php-sysvmsg-5.6.25-1.mga5
php-sysvsem-5.6.25-1.mga5
php-sysvshm-5.6.25-1.mga5
php-tidy-5.6.25-1.mga5
php-tokenizer-5.6.25-1.mga5
php-xml-5.6.25-1.mga5
php-xmlreader-5.6.25-1.mga5
php-xmlrpc-5.6.25-1.mga5
php-xmlwriter-5.6.25-1.mga5
php-xsl-5.6.25-1.mga5
php-wddx-5.6.25-1.mga5
php-zip-5.6.25-1.mga5
php-fpm-5.6.25-1.mga5
phpdbg-5.6.25-1.mga5

from php-5.6.25-1.mga5.src.rpm
Comment 1 David Walser 2016-08-20 18:49:30 CEST 
Looks like gdbm databases are incompatible between i586 and x86_64 (I just switched my workstation at home to x86_64 last weekend), so that's a shame, but starting with a fresh one, my normal apache/php/php-gd/php-cgi/php-dba/mod_suexec/mod_userdir test works fine on Mageia 5 x86_64.

Whiteboard: (none) => MGA5-64-OK

Dave Hodgins 2016-08-26 01:05:52 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 2 Mageia Robot 2016-08-31 17:34:03 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0293.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-08-31 22:43:32 CEST

URL: (none) => http://lwn.net/Vulnerabilities/698797/

Comment 3 David Walser 2016-09-02 20:48:29 CEST 
CVEs have been assigned:
http://www.openwall.com/lists/oss-security/2016/09/02/9

The last two were PHP 7.0.x only.

Also, CVE-2016-7126 and CVE-2016-7127 only affect bundled gd, and not us using external libgd.

So we have for this update:
CVE-2016-7124
CVE-2016-7125
CVE-2016-7128
CVE-2016-7129
CVE-2016-7130
CVE-2016-7131
CVE-2016-7132