| Summary: | php 7.3.9 fixes two CVE's | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Marc Krämer <mageia> |
| Component: | RPM Packages | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | mageia, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | php | CVE: | |
| Status comment: | |||
Description
Marc Krämer
2019-08-29 15:44:27 CEST
Updated php packages fix security vulnerabilities:

- mbstring: fixed null-pointer and use after free vulnerability. [1,2]
- zendparse: A buffer overflow is now fixed.
- FPM: Use-after-free in FPM master event handling
- MySQLnd: MariaDB server version incorrectly detected

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13224
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13225
[3] https://www.php.net/ChangeLog-7.php#PHP_7_3_9

========================
Updated packages in core/updates_testing:
========================
php-ini-7.3.9-1.mga7
apache-mod_php-7.3.9-1.mga7
php-cli-7.3.9-1.mga7
php-cgi-7.3.9-1.mga7
lib64php_common7-7.3.9-1.mga7
php-devel-7.3.9-1.mga7
php-openssl-7.3.9-1.mga7
php-zlib-7.3.9-1.mga7
php-doc-7.3.9-1.mga7.noarch.rpm
php-bcmath-7.3.9-1.mga7
php-bz2-7.3.9-1.mga7
php-calendar-7.3.9-1.mga7
php-ctype-7.3.9-1.mga7
php-curl-7.3.9-1.mga7
php-dba-7.3.9-1.mga7
php-dom-7.3.9-1.mga7
php-enchant-7.3.9-1.mga7
php-exif-7.3.9-1.mga7
php-fileinfo-7.3.9-1.mga7
php-filter-7.3.9-1.mga7
php-ftp-7.3.9-1.mga7
php-gd-7.3.9-1.mga7
php-gettext-7.3.9-1.mga7
php-gmp-7.3.9-1.mga7
php-hash-7.3.9-1.mga7
php-iconv-7.3.9-1.mga7
php-imap-7.3.9-1.mga7
php-interbase-7.3.9-1.mga7
php-intl-7.3.9-1.mga7
php-json-7.3.9-1.mga7
php-ldap-7.3.9-1.mga7
php-mbstring-7.3.9-1.mga7
php-mysqli-7.3.9-1.mga7
php-mysqlnd-7.3.9-1.mga7
php-odbc-7.3.9-1.mga7
php-opcache-7.3.9-1.mga7
php-pcntl-7.3.9-1.mga7
php-pdo-7.3.9-1.mga7
php-pdo_dblib-7.3.9-1.mga7
php-pdo_firebird-7.3.9-1.mga7
php-pdo_mysql-7.3.9-1.mga7
php-pdo_odbc-7.3.9-1.mga7
php-pdo_pgsql-7.3.9-1.mga7
php-pdo_sqlite-7.3.9-1.mga7
php-pgsql-7.3.9-1.mga7
php-phar-7.3.9-1.mga7
php-posix-7.3.9-1.mga7
php-readline-7.3.9-1.mga7
php-recode-7.3.9-1.mga7
php-session-7.3.9-1.mga7
php-shmop-7.3.9-1.mga7
php-snmp-7.3.9-1.mga7
php-soap-7.3.9-1.mga7
php-sockets-7.3.9-1.mga7
php-sodium-7.3.9-1.mga7
php-sqlite3-7.3.9-1.mga7
php-sysvmsg-7.3.9-1.mga7
php-sysvsem-7.3.9-1.mga7
php-sysvshm-7.3.9-1.mga7
php-tidy-7.3.9-1.mga7
php-tokenizer-7.3.9-1.mga7
php-xml-7.3.9-1.mga7
php-xmlreader-7.3.9-1.mga7
php-xmlrpc-7.3.9-1.mga7
php-xmlwriter-7.3.9-1.mga7
php-xsl-7.3.9-1.mga7
php-wddx-7.3.9-1.mga7
php-zip-7.3.9-1.mga7
php-fpm-7.3.9-1.mga7
phpdbg-7.3.9-1.mga7
php-debugsource-7.3.9-1.mga7
php-debuginfo-7.3.9-1.mga7
apache-mod_php-debuginfo-7.3.9-1.mga7
php-cli-debuginfo-7.3.9-1.mga7
php-cgi-debuginfo-7.3.9-1.mga7
lib64php_common7-debuginfo-7.3.9-1.mga7
php-openssl-debuginfo-7.3.9-1.mga7
php-zlib-debuginfo-7.3.9-1.mga7
php-bcmath-debuginfo-7.3.9-1.mga7
php-bz2-debuginfo-7.3.9-1.mga7
php-calendar-debuginfo-7.3.9-1.mga7
php-ctype-debuginfo-7.3.9-1.mga7
php-curl-debuginfo-7.3.9-1.mga7
php-dba-debuginfo-7.3.9-1.mga7
php-dom-debuginfo-7.3.9-1.mga7
php-enchant-debuginfo-7.3.9-1.mga7
php-exif-debuginfo-7.3.9-1.mga7
php-fileinfo-debuginfo-7.3.9-1.mga7
php-filter-debuginfo-7.3.9-1.mga7
php-ftp-debuginfo-7.3.9-1.mga7
php-gd-debuginfo-7.3.9-1.mga7
php-gettext-debuginfo-7.3.9-1.mga7
php-gmp-debuginfo-7.3.9-1.mga7
php-hash-debuginfo-7.3.9-1.mga7
php-iconv-debuginfo-7.3.9-1.mga7
php-imap-debuginfo-7.3.9-1.mga7
php-interbase-debuginfo-7.3.9-1.mga7
php-intl-debuginfo-7.3.9-1.mga7
php-json-debuginfo-7.3.9-1.mga7
php-ldap-debuginfo-7.3.9-1.mga7
php-mbstring-debuginfo-7.3.9-1.mga7
php-mysqli-debuginfo-7.3.9-1.mga7
php-mysqlnd-debuginfo-7.3.9-1.mga7
php-odbc-debuginfo-7.3.9-1.mga7
php-opcache-debuginfo-7.3.9-1.mga7
php-pcntl-debuginfo-7.3.9-1.mga7
php-pdo-debuginfo-7.3.9-1.mga7
php-pdo_dblib-debuginfo-7.3.9-1.mga7
php-pdo_firebird-debuginfo-7.3.9-1.mga7
php-pdo_mysql-debuginfo-7.3.9-1.mga7
php-pdo_odbc-debuginfo-7.3.9-1.mga7
php-pdo_pgsql-debuginfo-7.3.9-1.mga7
php-pdo_sqlite-debuginfo-7.3.9-1.mga7
php-pgsql-debuginfo-7.3.9-1.mga7
php-phar-debuginfo-7.3.9-1.mga7
php-posix-debuginfo-7.3.9-1.mga7
php-readline-debuginfo-7.3.9-1.mga7
php-recode-debuginfo-7.3.9-1.mga7
php-session-debuginfo-7.3.9-1.mga7
php-shmop-debuginfo-7.3.9-1.mga7
php-snmp-debuginfo-7.3.9-1.mga7
php-soap-debuginfo-7.3.9-1.mga7
php-sockets-debuginfo-7.3.9-1.mga7
php-sodium-debuginfo-7.3.9-1.mga7
php-sqlite3-debuginfo-7.3.9-1.mga7
php-sysvmsg-debuginfo-7.3.9-1.mga7
php-sysvsem-debuginfo-7.3.9-1.mga7
php-sysvshm-debuginfo-7.3.9-1.mga7
php-tidy-debuginfo-7.3.9-1.mga7
php-tokenizer-debuginfo-7.3.9-1.mga7
php-xml-debuginfo-7.3.9-1.mga7
php-xmlreader-debuginfo-7.3.9-1.mga7
php-xmlrpc-debuginfo-7.3.9-1.mga7
php-xmlwriter-debuginfo-7.3.9-1.mga7
php-xsl-debuginfo-7.3.9-1.mga7
php-wddx-debuginfo-7.3.9-1.mga7
php-zip-debuginfo-7.3.9-1.mga7
php-fpm-debuginfo-7.3.9-1.mga7
phpdbg-debuginfo-7.3.9-1.mga7

Source RPMs:
php-7.3.9-1.mga7.src.rpm

Assignee:
mageia => qa-bugs

I assume, we will have 7.2.22 for backports tomorrow.

Installed and tested the PHP 7.3.9 without issues.

Tested with various large (e.g. phpmyadmin, wordpress, roundcubemail, drupal) and small scripts, using HTTP(S) and CLI.

Will wait for more tests before OKing.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.2.10-desktop-1.mga7 #1 SMP Sun Aug 25 17:14:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ php --version
PHP 7.3.9 (cli) (built: Aug 29 2019 13:50:29) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.9, Copyright (c) 1998-2018 Zend Technologies

$ rpm -qa | grep 7.3.9 | sort -u
apache-mod_php-7.3.9-1.mga7
lib64php_common7-7.3.9-1.mga7
php-bz2-7.3.9-1.mga7
php-cli-7.3.9-1.mga7
php-ctype-7.3.9-1.mga7
php-dom-7.3.9-1.mga7
php-filter-7.3.9-1.mga7
php-ftp-7.3.9-1.mga7
php-gd-7.3.9-1.mga7
php-gettext-7.3.9-1.mga7
php-hash-7.3.9-1.mga7
php-ini-7.3.9-1.mga7
php-json-7.3.9-1.mga7
php-mbstring-7.3.9-1.mga7
php-mysqli-7.3.9-1.mga7
php-mysqlnd-7.3.9-1.mga7
php-openssl-7.3.9-1.mga7
php-pdo-7.3.9-1.mga7
php-pdo_mysql-7.3.9-1.mga7
php-pdo_sqlite-7.3.9-1.mga7
php-posix-7.3.9-1.mga7
php-session-7.3.9-1.mga7
php-sysvsem-7.3.9-1.mga7
php-sysvshm-7.3.9-1.mga7
php-tokenizer-7.3.9-1.mga7
php-xml-7.3.9-1.mga7
php-xmlreader-7.3.9-1.mga7
php-xmlwriter-7.3.9-1.mga7
php-zip-7.3.9-1.mga7
php-zlib-7.3.9-1.mga7

CC: (none) => mageia

php 7.2.22 released but according to their website the CVE's are not fixed (?)

A week has passed since my test and I haven't had any issues.

It would be better to have more tests, especially for the packages I'm not using and for 32 bits, but having security updates waiting is not good either so I'm OKing it.

Feel free to remove the OK if appropriate.

Whiteboard: (none) => MGA7-64-OK
Thomas Backlund
2019-09-06 20:08:43 CEST
Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0253.html

Resolution: (none) => FIXED