Bug 22384

Summary:	PHP 5.6.33
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	sysadmin-bugs
Version:	5	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA5-64-OK
Source RPM:	php-5.6.32-1.mga5.src.rpm	CVE:
Status comment:
Bug Depends on:	22321
Bug Blocks:

Description David Walser 2018-01-13 06:16:21 CET

+++ This bug was initially created as a clone of Bug #22321 +++

Upstream has released PHP 5.6.33 on Jan 4th:
http://php.net/archive/2018.php#id2018-01-04-4

It fixes a few security issues:
http://php.net/ChangeLog-5.php#5.6.33

Advisory:
========================

Updated php packages fix security vulnerabilities:

Potential infinite loop in gdImageCreateFromGifCtx (php#75571)
Reflected XSS in .phar 404 page (php#74782)

References:
http://php.net/ChangeLog-5.php#5.6.33
========================

Updated packages in core/updates_testing:
========================
libgd3-2.2.5-1.1.mga5
libgd-devel-2.2.5-1.1.mga5
libgd-static-devel-2.2.5-1.1.mga5
gd-utils-2.2.5-1.1.mga5
php-ini-5.6.33-1.mga5
apache-mod_php-5.6.33-1.mga5
php-cli-5.6.33-1.mga5
php-cgi-5.6.33-1.mga5
lib64php5_common5-5.6.33-1.mga5
php-devel-5.6.33-1.mga5
php-openssl-5.6.33-1.mga5
php-zlib-5.6.33-1.mga5
php-doc-5.6.33-1.mga5
php-bcmath-5.6.33-1.mga5
php-bz2-5.6.33-1.mga5
php-calendar-5.6.33-1.mga5
php-ctype-5.6.33-1.mga5
php-curl-5.6.33-1.mga5
php-dba-5.6.33-1.mga5
php-dom-5.6.33-1.mga5
php-enchant-5.6.33-1.mga5
php-exif-5.6.33-1.mga5
php-fileinfo-5.6.33-1.mga5
php-filter-5.6.33-1.mga5
php-ftp-5.6.33-1.mga5
php-gd-5.6.33-1.mga5
php-gettext-5.6.33-1.mga5
php-gmp-5.6.33-1.mga5
php-hash-5.6.33-1.mga5
php-iconv-5.6.33-1.mga5
php-imap-5.6.33-1.mga5
php-interbase-5.6.33-1.mga5
php-intl-5.6.33-1.mga5
php-json-5.6.33-1.mga5
php-ldap-5.6.33-1.mga5
php-mbstring-5.6.33-1.mga5
php-mcrypt-5.6.33-1.mga5
php-mssql-5.6.33-1.mga5
php-mysql-5.6.33-1.mga5
php-mysqli-5.6.33-1.mga5
php-mysqlnd-5.6.33-1.mga5
php-odbc-5.6.33-1.mga5
php-opcache-5.6.33-1.mga5
php-pcntl-5.6.33-1.mga5
php-pdo-5.6.33-1.mga5
php-pdo_dblib-5.6.33-1.mga5
php-pdo_firebird-5.6.33-1.mga5
php-pdo_mysql-5.6.33-1.mga5
php-pdo_odbc-5.6.33-1.mga5
php-pdo_pgsql-5.6.33-1.mga5
php-pdo_sqlite-5.6.33-1.mga5
php-pgsql-5.6.33-1.mga5
php-phar-5.6.33-1.mga5
php-posix-5.6.33-1.mga5
php-readline-5.6.33-1.mga5
php-recode-5.6.33-1.mga5
php-session-5.6.33-1.mga5
php-shmop-5.6.33-1.mga5
php-snmp-5.6.33-1.mga5
php-soap-5.6.33-1.mga5
php-sockets-5.6.33-1.mga5
php-sqlite3-5.6.33-1.mga5
php-sybase_ct-5.6.33-1.mga5
php-sysvmsg-5.6.33-1.mga5
php-sysvsem-5.6.33-1.mga5
php-sysvshm-5.6.33-1.mga5
php-tidy-5.6.33-1.mga5
php-tokenizer-5.6.33-1.mga5
php-xml-5.6.33-1.mga5
php-xmlreader-5.6.33-1.mga5
php-xmlrpc-5.6.33-1.mga5
php-xmlwriter-5.6.33-1.mga5
php-xsl-5.6.33-1.mga5
php-wddx-5.6.33-1.mga5
php-zip-5.6.33-1.mga5
php-fpm-5.6.33-1.mga5
phpdbg-5.6.33-1.mga5
php-debuginfo-5.6.33-1.mga5

from SRPMS:
libgd-2.2.5-1.1.mga5.src.rpm
php-5.6.33-1.mga5.src.rpm

Comment 1 David Walser 2018-01-13 20:14:12 CET

Ran my usual test cases that use php-gd, php-dba, php-cgi, and sends an e-mail.  All works fine on Mageia 5 x86_64.

Whiteboard: (none) => MGA5-64-OK

Comment 2 Lewis Smith 2018-01-14 17:18:53 CET

Another super-rapid & thorough OK, thanks David. Advisory + validate.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2018-01-14 17:55:14 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0085.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 4 David Walser 2018-02-01 21:30:56 CET

php#75571 has been assigned CVE-2018-5711:
https://lists.opensuse.org/opensuse-updates/2018-01/msg00114.html