Bug 22736

Summary: php new security issue CVE-2018-7584
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: mageia, mageia, sysadmin-bugs
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Source RPM: php-5.6.33-1.mga6.src.rpm
CVE:
Status comment: Fixed upstream in 5.6.34

Description David Walser 2018-03-11 14:46:22 CET
Upstream has released PHP 5.6.34 on March 1, fixing one security issue:
http://www.php.net/ChangeLog-5.php#5.6.34

Mageia 5 is also affected.
David Walser 2018-03-11 14:46:37 CET

Status comment: (none) => Fixed upstream in 5.6.34
Whiteboard: (none) => MGA5TOO

Comment 1 Marc Krämer 2018-03-11 23:37:53 CET
@David: please report php issues to the php-mailing list. I'm wondering why I missed this php update, but thanks.

CC: (none) => mageia

Marc Krämer 2018-03-11 23:37:59 CET

Assignee: bugsquad => mageia

Comment 2 David Walser 2018-03-11 23:39:20 CET
Marc, I report all security issues to Bugzilla.  Maintainers need to watch it or the bugsquad needs to assign the bugs to the right place.
Comment 3 Marc Krämer 2018-03-11 23:55:20 CET
Updated php-packages for mga5/6:

Suggested advisory:
========================

Updated php packages fix security vulnerability:
Update to php 5.6.34 fixes a stack-buffer-overflow while parsing an HTTP response (CVE-2018-7584).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7584
http://www.php.net/ChangeLog-5.php#5.6.34
========================

Updated packages in core/updates_testing:
========================
php-ini-5.6.34-1.mga6
apache-mod_php-5.6.34-1.mga6
php-cli-5.6.34-1.mga6
php-cgi-5.6.34-1.mga6
libphp5_common5-5.6.34-1.mga6
php-devel-5.6.34-1.mga6
php-openssl-5.6.34-1.mga6
php-zlib-5.6.34-1.mga6
php-doc-5.6.34-1.mga6
php-bcmath-5.6.34-1.mga6
php-bz2-5.6.34-1.mga6
php-calendar-5.6.34-1.mga6
php-ctype-5.6.34-1.mga6
php-curl-5.6.34-1.mga6
php-dba-5.6.34-1.mga6
php-dom-5.6.34-1.mga6
php-enchant-5.6.34-1.mga6
php-exif-5.6.34-1.mga6
php-fileinfo-5.6.34-1.mga6
php-filter-5.6.34-1.mga6
php-ftp-5.6.34-1.mga6
php-gd-5.6.34-1.mga6
php-gettext-5.6.34-1.mga6
php-gmp-5.6.34-1.mga6
php-hash-5.6.34-1.mga6
php-iconv-5.6.34-1.mga6
php-imap-5.6.34-1.mga6
php-interbase-5.6.34-1.mga6
php-intl-5.6.34-1.mga6
php-json-5.6.34-1.mga6
php-ldap-5.6.34-1.mga6
php-mbstring-5.6.34-1.mga6
php-mcrypt-5.6.34-1.mga6
php-mssql-5.6.34-1.mga6
php-mysql-5.6.34-1.mga6
php-mysqli-5.6.34-1.mga6
php-mysqlnd-5.6.34-1.mga6
php-odbc-5.6.34-1.mga6
php-opcache-5.6.34-1.mga6
php-pcntl-5.6.34-1.mga6
php-pdo-5.6.34-1.mga6
php-pdo_dblib-5.6.34-1.mga6
php-pdo_firebird-5.6.34-1.mga6
php-pdo_mysql-5.6.34-1.mga6
php-pdo_odbc-5.6.34-1.mga6
php-pdo_pgsql-5.6.34-1.mga6
php-pdo_sqlite-5.6.34-1.mga6
php-pgsql-5.6.34-1.mga6
php-phar-5.6.34-1.mga6
php-posix-5.6.34-1.mga6
php-readline-5.6.34-1.mga6
php-recode-5.6.34-1.mga6
php-session-5.6.34-1.mga6
php-shmop-5.6.34-1.mga6
php-snmp-5.6.34-1.mga6
php-soap-5.6.34-1.mga6
php-sockets-5.6.34-1.mga6
php-sqlite3-5.6.34-1.mga6
php-sybase_ct-5.6.34-1.mga6
php-sysvmsg-5.6.34-1.mga6
php-sysvsem-5.6.34-1.mga6
php-sysvshm-5.6.34-1.mga6
php-tidy-5.6.34-1.mga6
php-tokenizer-5.6.34-1.mga6
php-xml-5.6.34-1.mga6
php-xmlreader-5.6.34-1.mga6
php-xmlrpc-5.6.34-1.mga6
php-xmlwriter-5.6.34-1.mga6
php-xsl-5.6.34-1.mga6
php-wddx-5.6.34-1.mga6
php-zip-5.6.34-1.mga6
php-fpm-5.6.34-1.mga6
phpdbg-5.6.34-1.mga6
php-debuginfo-5.6.34-1.mga6

Source RPMs: 
php-5.6.34-1.mga5.src.rpm
php-5.6.34-1.mga6.src.rpm
Marc Krämer 2018-03-11 23:55:30 CET

Assignee: mageia => qa-bugs

Comment 4 PC LX 2018-03-12 12:09:02 CET
Installed and tested without issues.

Tests included using a variety of large and small scripts (e.g. wordpress, drupal, custom scripts) that make extensive use of PHP and PHP extensions. Several of the custom scripts have test units that completed successfully.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.25-desktop-1.mga6 #1 SMP Fri Mar 9 19:48:35 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep php | sort
apache-mod_php-5.6.34-1.mga6
lib64php5_common5-5.6.34-1.mga6
php-cli-5.6.34-1.mga6
php-ctype-5.6.34-1.mga6
php-curl-5.6.34-1.mga6
php-dom-5.6.34-1.mga6
php-filter-5.6.34-1.mga6
php-ftp-5.6.34-1.mga6
php-gd-5.6.34-1.mga6
php-gettext-5.6.34-1.mga6
php-hash-5.6.34-1.mga6
php-ini-5.6.34-1.mga6
php-intl-5.6.34-1.mga6
php-json-5.6.34-1.mga6
php-mbstring-5.6.34-1.mga6
php-memcached-2.2.0-2.mga6
php-mysqli-5.6.34-1.mga6
php-mysqlnd-5.6.34-1.mga6
php-openssl-5.6.34-1.mga6
php-pdo-5.6.34-1.mga6
php-pdo_mysql-5.6.34-1.mga6
php-pdo_pgsql-5.6.34-1.mga6
php-pdo_sqlite-5.6.34-1.mga6
php-phpmailer-5.2.24-1.1.mga6
php-posix-5.6.34-1.mga6
php-session-5.6.34-1.mga6
php-suhosin-0.9.38-1.mga6
php-sysvsem-5.6.34-1.mga6
php-sysvshm-5.6.34-1.mga6
php-timezonedb-2017.2-1.mga6
php-tokenizer-5.6.34-1.mga6
php-xdebug-2.4.0-1.mga6
php-xml-5.6.34-1.mga6
php-xmlreader-5.6.34-1.mga6
php-xmlwriter-5.6.34-1.mga6
php-zlib-5.6.34-1.mga6

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
CC: (none) => mageia
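
The check the QA comments above perform by eye (confirming that every package built from the php source RPM is at 5.6.34) can be scripted. The following is an added example, not code from the bug report, from Mageia or from rpm: it scans constructed `rpm -qa` output, compares versions with a simplified reimplementation of rpm's version ordering (an assumption; epochs and tilde handling are omitted), and uses the heuristic, also an assumption, that a php package whose version string is in the 5.6.x series was built from the php source RPM, so that independently versioned extensions such as php-memcached or php-xdebug are not flagged.

```python
"""Audit an `rpm -qa` listing for PHP packages still below the fixed version.

Added example; not part of the Mageia bug report, of Mageia's tooling or of rpm.
Assumptions: rpmvercmp() below is a simplified reimplementation of rpm's
version comparison (epochs and '~' are not handled); packages whose version
starts with "5.6." are taken to come from the php source RPM.
"""
import re

# Version in which CVE-2018-7584 is fixed, per the advisory in this bug.
FIXED_VERSION = "5.6.34"
PHP_SERIES_PREFIX = "5.6."  # heuristic for "built from the php SRPM" (assumption)

# Constructed sample of `rpm -qa | grep php` output: a mix of updated packages,
# two stale ones, and extensions that carry their own version numbers.
SAMPLE_RPM_QA = """\
apache-mod_php-5.6.34-1.mga6
lib64php5_common5-5.6.33-1.mga6
php-cli-5.6.34-1.mga6
php-memcached-2.2.0-2.mga6
php-xdebug-2.4.0-1.mga6
php-pdo_sqlite-5.6.33-1.mga6
php-fpm-5.6.34-1.mga6
"""


def split_nevr(pkg):
    """Split 'name-version-release' into (name, version, release).

    Package names may themselves contain '-', but version and release never do,
    so splitting on the last two hyphens is unambiguous.
    """
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def rpmvercmp(a, b):
    """Simplified rpm-style version comparison; returns -1, 0 or 1.

    Each string is cut into runs of digits or letters (anything else is a
    separator).  Segments are compared pairwise: numeric ones as integers,
    alphabetic ones lexically, and a numeric segment outranks an alphabetic one.
    If all shared segments are equal, the string with more segments is newer.
    """
    seg = re.compile(r"[0-9]+|[a-zA-Z]+")
    sa, sb = seg.findall(a), seg.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            x, y = int(x), int(y)
        elif xd != yd:
            return 1 if xd else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def find_unfixed(rpm_qa_output, fixed=FIXED_VERSION):
    """Return (name, version) for php-series packages older than `fixed`."""
    unfixed = []
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line or "php" not in line:
            continue
        name, version, _release = split_nevr(line)
        if not version.startswith(PHP_SERIES_PREFIX):
            continue  # extension with its own versioning; not built from php SRPM
        if rpmvercmp(version, fixed) < 0:
            unfixed.append((name, version))
    return unfixed


if __name__ == "__main__":
    stale = find_unfixed(SAMPLE_RPM_QA)
    for name, version in stale:
        print(f"{name} is at {version}, below the fixed version {FIXED_VERSION}")
    if not stale:
        print("all php-series packages are at or above", FIXED_VERSION)
```

On a real system the listing would come from `rpm -qa | grep php`; a non-empty result from `find_unfixed` means the update was only partially applied, which is the situation the QA whiteboard flags are meant to rule out.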

Comment 5 David Walser 2018-03-12 12:45:09 CET
Thanks Marc.  Tested fine on Mageia 5 x86_64 with my normal battery of tests.

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Comment 6 claire robinson 2018-03-14 15:01:32 CET
Advisory uploaded. Validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-03-14 17:22:15 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0167.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED