MGA4:
Fixed source rpm packages:
php-5.5.10-1.mga4:
http://www.php.net/ChangeLog-5.php#5.5.9
CVE-2013-7226
http://www.php.net/ChangeLog-5.php#5.5.10
CVE-2014-1943, CVE-2014-2270, CVE-2013-7327
jsonc-1.3.4:
http://pecl.php.net/package-changelog.php?package=jsonc&release=1.3.4
php-apc-3.1.15-4.1.mga4: rebuild
php-timezonedb-2013.9-1.mga4:
http://pecl.php.net/package-changelog.php?package=timezonedb&release=2013.9
php-xdebug-2.2.4-1.mga4:
http://pecl.php.net/package-changelog.php?package=xdebug&release=2.2.4
----------------------------------------------------------------------------
MGA3:
Fixed source rpm packages:
php-5.4.26-1.mga3:
http://www.php.net/ChangeLog-5.php#5.4.24
CVE-2013-6712
http://www.php.net/ChangeLog-5.php#5.4.25
http://www.php.net/ChangeLog-5.php#5.4.26
CVE-2014-1943, CVE-2014-2270
php-timezonedb-2013.9-1.mga3:
http://pecl.php.net/package-changelog.php?package=timezonedb&release=2013.9
php-apc-3.1.14-7.6.mga3: rebuild
php-gd-bundled-5.4.26-1.mga3: 5.4.26

Reproducible:

Steps to Reproduce:
Summary: multiple vulnerabilities in php (CVE-2013-6712, CVE-2013-7226, CVE-2014-1943, CVE-2014-2270, CVE-2013-7327 => multiple vulnerabilities in php (CVE-2013-6712, CVE-2013-7226, CVE-2014-1943, CVE-2014-2270, CVE-2013-7327)
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:059/
Thanks Oden! Though not mentioned in the upstream changelog, I believe the CVE-2013-7328 and CVE-2014-2020 mentioned in the Ubuntu advisory I linked in Bug 12842 are relevant for the Mageia 4 update. I guess we can use this bug for the Mageia 3 update and Bug 12842 for the Mageia 4 update. I'll work on that later.
CC: (none) => luigiwalser
Depends on: (none) => 12842
Advisory (Mageia 3):
========================

Updated php packages fix security vulnerabilities:

It was discovered that the file utility contains a flaw in the handling of "indirect" magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files (CVE-2014-1943).

A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code (CVE-2014-2270).

PHP contains a bundled copy of the file utility's libmagic library, so it was vulnerable to these issues. It has been updated to version 5.4.26, which fixes these issues and several other bugs.

This update also fixes a heap buffer over-read in DateInterval, which was fixed in PHP 5.4.24 (CVE-2013-6712).

Also, the timezonedb PHP PECL module has been updated to its newest version.

Additionally, php-apc has been rebuilt against the updated php package.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270
http://www.php.net/ChangeLog-5.php#5.4.24
http://www.php.net/ChangeLog-5.php#5.4.25
http://www.php.net/ChangeLog-5.php#5.4.26
http://pecl.php.net/package-changelog.php?package=timezonedb&release=2013.9
http://advisories.mageia.org/MGASA-2014-0092.html
http://advisories.mageia.org/MGASA-2014-0123.html
========================

Updated packages in core/updates_testing:
========================
php-ini-5.4.26-1.mga3
apache-mod_php-5.4.26-1.mga3
php-cli-5.4.26-1.mga3
php-cgi-5.4.26-1.mga3
libphp5_common5-5.4.26-1.mga3
php-devel-5.4.26-1.mga3
php-openssl-5.4.26-1.mga3
php-zlib-5.4.26-1.mga3
php-doc-5.4.26-1.mga3
php-bcmath-5.4.26-1.mga3
php-bz2-5.4.26-1.mga3
php-calendar-5.4.26-1.mga3
php-ctype-5.4.26-1.mga3
php-curl-5.4.26-1.mga3
php-dba-5.4.26-1.mga3
php-dom-5.4.26-1.mga3
php-enchant-5.4.26-1.mga3
php-exif-5.4.26-1.mga3
php-fileinfo-5.4.26-1.mga3
php-filter-5.4.26-1.mga3
php-ftp-5.4.26-1.mga3
php-gd-5.4.26-1.mga3
php-gettext-5.4.26-1.mga3
php-gmp-5.4.26-1.mga3
php-hash-5.4.26-1.mga3
php-iconv-5.4.26-1.mga3
php-imap-5.4.26-1.mga3
php-interbase-5.4.26-1.mga3
php-intl-5.4.26-1.mga3
php-json-5.4.26-1.mga3
php-ldap-5.4.26-1.mga3
php-mbstring-5.4.26-1.mga3
php-mcrypt-5.4.26-1.mga3
php-mssql-5.4.26-1.mga3
php-mysql-5.4.26-1.mga3
php-mysqli-5.4.26-1.mga3
php-mysqlnd-5.4.26-1.mga3
php-odbc-5.4.26-1.mga3
php-pcntl-5.4.26-1.mga3
php-pdo-5.4.26-1.mga3
php-pdo_dblib-5.4.26-1.mga3
php-pdo_firebird-5.4.26-1.mga3
php-pdo_mysql-5.4.26-1.mga3
php-pdo_odbc-5.4.26-1.mga3
php-pdo_pgsql-5.4.26-1.mga3
php-pdo_sqlite-5.4.26-1.mga3
php-pgsql-5.4.26-1.mga3
php-phar-5.4.26-1.mga3
php-posix-5.4.26-1.mga3
php-readline-5.4.26-1.mga3
php-recode-5.4.26-1.mga3
php-session-5.4.26-1.mga3
php-shmop-5.4.26-1.mga3
php-snmp-5.4.26-1.mga3
php-soap-5.4.26-1.mga3
php-sockets-5.4.26-1.mga3
php-sqlite3-5.4.26-1.mga3
php-sybase_ct-5.4.26-1.mga3
php-sysvmsg-5.4.26-1.mga3
php-sysvsem-5.4.26-1.mga3
php-sysvshm-5.4.26-1.mga3
php-tidy-5.4.26-1.mga3
php-tokenizer-5.4.26-1.mga3
php-xml-5.4.26-1.mga3
php-xmlreader-5.4.26-1.mga3
php-xmlrpc-5.4.26-1.mga3
php-xmlwriter-5.4.26-1.mga3
php-xsl-5.4.26-1.mga3
php-wddx-5.4.26-1.mga3
php-zip-5.4.26-1.mga3
php-fpm-5.4.26-1.mga3
php-gd-bundled-5.4.26-1.mga3
php-apc-3.1.14-7.6.mga3
php-apc-admin-3.1.14-7.6.mga3
php-timezonedb-2013.9-1.mga3

from SRPMS:
php-5.4.26-1.mga3.src.rpm
php-gd-bundled-5.4.26-1.mga3.src.rpm
php-apc-3.1.14-7.6.mga3.src.rpm
php-timezonedb-2013.9-1.mga3.src.rpm
Assignee: bugsquad => qa-bugs
Summary: multiple vulnerabilities in php (CVE-2013-6712, CVE-2013-7226, CVE-2014-1943, CVE-2014-2270, CVE-2013-7327) => php new security issues CVE-2013-6712, CVE-2014-1943, and CVE-2014-2270
php-timezonedb-2014.1-1.mga3, php-timezonedb-2014.1-1.mga4 & php-timezonedb-2014.1-1.mga5 were just submitted.
Oden, is CVE-2013-7345 relevant to our PHP version in Mageia 3?
http://lwn.net/Vulnerabilities/592275/

Red Hat has a link to the PHP commit in their bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1079846
Testing complete mga3 64
Whiteboard: (none) => mga3-64-ok
Testing complete mga3 32

Procedure: https://bugs.mageia.org/show_bug.cgi?id=12842#c16

Also checked 'php -i | less' for any obvious errors.
Whiteboard: mga3-64-ok => has_procedure mga3-32-ok mga3-64-ok
Validating. Advisory uploaded. Could sysadmin please push to 3 updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure advisory mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
Advisory updated with the good release of php-timezonedb.
http://advisories.mageia.org/MGASA-2014-0162.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED