Debian has issued an advisory on June 16:
https://www.debian.org/security/2014/dsa-2961

I previously posted about this here:
https://bugs.mageia.org/show_bug.cgi?id=13021#c6

There are also issues in the bundled libgd in Mageia 3 (which is fixed in SVN for Bug 13021) and issues in the bundled libmagic which don't have public CVEs yet that I posted about here:
https://bugs.mageia.org/show_bug.cgi?id=13021#c7

We'll fix all of these in our next PHP update when upstream releases new versions.

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
Blocks: (none) => 13021
Assignee: bugsquad => oe
PHP versions 5.4.30 and 5.5.14 have been released on June 26:
http://www.php.net/archive/2014.php#id2014-06-26-1
http://www.php.net/archive/2014.php#id2014-06-27-1
http://www.php.net/ChangeLog-5.php#5.4.30
http://www.php.net/ChangeLog-5.php#5.5.14

This update will fix:
- An issue in bundled libgd for Mageia 3 (Bug 13021, CVE-2014-2497)
- Issues in bundled libmagic (CVE-2014-0207, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, see Bug 13603 for the file package)
- A DNS issue, original subject of this bug (CVE-2014-4049)
- An issue with the unserialize() function (CVE-2014-3515)
- A /tmp-file issue in the configure script, only affects those building PHP (CVE-2014-3981)
Updated packages uploaded for Mageia 3 and Mageia 4.

It would be nice to have a better description for CVE-2014-3515, but this is all I can find for now. I haven't listed CVE-2014-3981, due to it only affecting those building the package.

Note to QA: please note the PoC for the libgd issue in the Mageia 3 update in Bug 13021.

Advisory (Mageia 3):
========================

Updated php packages fix security vulnerabilities:

The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue related to the SPL ArrayObject and SPLObjectStorage Types (CVE-2014-3515).

It was discovered that PHP is vulnerable to a heap-based buffer overflow in the DNS TXT record parsing. A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query (CVE-2014-4049).

A flaw was found in the way file parsed property information from Composite Document Files (CDF) files, where the mconvert() function did not correctly compute the truncated pascal string size (CVE-2014-3478).

Multiple flaws were found in the way file parsed property information from Composite Document Files (CDF) files, due to insufficient boundary checks on buffers (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487).

PHP contains a bundled copy of the file utility's libmagic library, so it was vulnerable to this issue. It has been updated to versions 5.4.30 and 5.5.14, which fix this issue and several other bugs.

Also, PHP contains a bundled copy of the GD image library, and has been patched to correct an issue in the imagecreatefromxpm function which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file (CVE-2014-2497).

Additionally, php-apc has been rebuilt against the updated php packages.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049
http://www.php.net/archive/2014.php#id2014-06-26-1
http://www.php.net/ChangeLog-5.php#5.4.30
========================

Updated packages in core/updates_testing:
========================
php-ini-5.4.30-1.mga3
apache-mod_php-5.4.30-1.mga3
php-cli-5.4.30-1.mga3
php-cgi-5.4.30-1.mga3
libphp5_common5-5.4.30-1.mga3
php-devel-5.4.30-1.mga3
php-openssl-5.4.30-1.mga3
php-zlib-5.4.30-1.mga3
php-doc-5.4.30-1.mga3
php-bcmath-5.4.30-1.mga3
php-bz2-5.4.30-1.mga3
php-calendar-5.4.30-1.mga3
php-ctype-5.4.30-1.mga3
php-curl-5.4.30-1.mga3
php-dba-5.4.30-1.mga3
php-dom-5.4.30-1.mga3
php-enchant-5.4.30-1.mga3
php-exif-5.4.30-1.mga3
php-fileinfo-5.4.30-1.mga3
php-filter-5.4.30-1.mga3
php-ftp-5.4.30-1.mga3
php-gd-5.4.30-1.mga3
php-gettext-5.4.30-1.mga3
php-gmp-5.4.30-1.mga3
php-hash-5.4.30-1.mga3
php-iconv-5.4.30-1.mga3
php-imap-5.4.30-1.mga3
php-interbase-5.4.30-1.mga3
php-intl-5.4.30-1.mga3
php-json-5.4.30-1.mga3
php-ldap-5.4.30-1.mga3
php-mbstring-5.4.30-1.mga3
php-mcrypt-5.4.30-1.mga3
php-mssql-5.4.30-1.mga3
php-mysql-5.4.30-1.mga3
php-mysqli-5.4.30-1.mga3
php-mysqlnd-5.4.30-1.mga3
php-odbc-5.4.30-1.mga3
php-pcntl-5.4.30-1.mga3
php-pdo-5.4.30-1.mga3
php-pdo_dblib-5.4.30-1.mga3
php-pdo_firebird-5.4.30-1.mga3
php-pdo_mysql-5.4.30-1.mga3
php-pdo_odbc-5.4.30-1.mga3
php-pdo_pgsql-5.4.30-1.mga3
php-pdo_sqlite-5.4.30-1.mga3
php-pgsql-5.4.30-1.mga3
php-phar-5.4.30-1.mga3
php-posix-5.4.30-1.mga3
php-readline-5.4.30-1.mga3
php-recode-5.4.30-1.mga3
php-session-5.4.30-1.mga3
php-shmop-5.4.30-1.mga3
php-snmp-5.4.30-1.mga3
php-soap-5.4.30-1.mga3
php-sockets-5.4.30-1.mga3
php-sqlite3-5.4.30-1.mga3
php-sybase_ct-5.4.30-1.mga3
php-sysvmsg-5.4.30-1.mga3
php-sysvsem-5.4.30-1.mga3
php-sysvshm-5.4.30-1.mga3
php-tidy-5.4.30-1.mga3
php-tokenizer-5.4.30-1.mga3
php-xml-5.4.30-1.mga3
php-xmlreader-5.4.30-1.mga3
php-xmlrpc-5.4.30-1.mga3
php-xmlwriter-5.4.30-1.mga3
php-xsl-5.4.30-1.mga3
php-wddx-5.4.30-1.mga3
php-zip-5.4.30-1.mga3
php-fpm-5.4.30-1.mga3
php-apc-3.1.14-7.10.mga3
php-apc-admin-3.1.14-7.10.mga3
php-gd-bundled-5.4.30-1.mga3

from SRPMS:
php-5.4.30-1.mga3.src.rpm
php-apc-3.1.14-7.10.mga3.src.rpm
php-gd-bundled-5.4.30-1.mga3.src.rpm

Advisory (Mageia 4):
========================

Updated php packages fix security vulnerabilities:

The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue related to the SPL ArrayObject and SPLObjectStorage Types (CVE-2014-3515).

It was discovered that PHP is vulnerable to a heap-based buffer overflow in the DNS TXT record parsing. A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query (CVE-2014-4049).

A flaw was found in the way file parsed property information from Composite Document Files (CDF) files, where the mconvert() function did not correctly compute the truncated pascal string size (CVE-2014-3478).

Multiple flaws were found in the way file parsed property information from Composite Document Files (CDF) files, due to insufficient boundary checks on buffers (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487).

PHP contains a bundled copy of the file utility's libmagic library, so it was vulnerable to this issue. It has been updated to versions 5.4.30 and 5.5.14, which fix this issue and several other bugs.

Additionally, php-apc has been rebuilt against the updated php packages.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049
http://www.php.net/archive/2014.php#id2014-06-27-1
http://www.php.net/ChangeLog-5.php#5.5.14
========================

Updated packages in core/updates_testing:
========================
php-ini-5.5.14-1.mga4
apache-mod_php-5.5.14-1.mga4
php-cli-5.5.14-1.mga4
php-cgi-5.5.14-1.mga4
libphp5_common5-5.5.14-1.mga4
php-devel-5.5.14-1.mga4
php-openssl-5.5.14-1.mga4
php-zlib-5.5.14-1.mga4
php-doc-5.5.14-1.mga4
php-bcmath-5.5.14-1.mga4
php-bz2-5.5.14-1.mga4
php-calendar-5.5.14-1.mga4
php-ctype-5.5.14-1.mga4
php-curl-5.5.14-1.mga4
php-dba-5.5.14-1.mga4
php-dom-5.5.14-1.mga4
php-enchant-5.5.14-1.mga4
php-exif-5.5.14-1.mga4
php-fileinfo-5.5.14-1.mga4
php-filter-5.5.14-1.mga4
php-ftp-5.5.14-1.mga4
php-gd-5.5.14-1.mga4
php-gettext-5.5.14-1.mga4
php-gmp-5.5.14-1.mga4
php-hash-5.5.14-1.mga4
php-iconv-5.5.14-1.mga4
php-imap-5.5.14-1.mga4
php-interbase-5.5.14-1.mga4
php-intl-5.5.14-1.mga4
php-json-5.5.14-1.mga4
php-ldap-5.5.14-1.mga4
php-mbstring-5.5.14-1.mga4
php-mcrypt-5.5.14-1.mga4
php-mssql-5.5.14-1.mga4
php-mysql-5.5.14-1.mga4
php-mysqli-5.5.14-1.mga4
php-mysqlnd-5.5.14-1.mga4
php-odbc-5.5.14-1.mga4
php-opcache-5.5.14-1.mga4
php-pcntl-5.5.14-1.mga4
php-pdo-5.5.14-1.mga4
php-pdo_dblib-5.5.14-1.mga4
php-pdo_firebird-5.5.14-1.mga4
php-pdo_mysql-5.5.14-1.mga4
php-pdo_odbc-5.5.14-1.mga4
php-pdo_pgsql-5.5.14-1.mga4
php-pdo_sqlite-5.5.14-1.mga4
php-pgsql-5.5.14-1.mga4
php-phar-5.5.14-1.mga4
php-posix-5.5.14-1.mga4
php-readline-5.5.14-1.mga4
php-recode-5.5.14-1.mga4
php-session-5.5.14-1.mga4
php-shmop-5.5.14-1.mga4
php-snmp-5.5.14-1.mga4
php-soap-5.5.14-1.mga4
php-sockets-5.5.14-1.mga4
php-sqlite3-5.5.14-1.mga4
php-sybase_ct-5.5.14-1.mga4
php-sysvmsg-5.5.14-1.mga4
php-sysvsem-5.5.14-1.mga4
php-sysvshm-5.5.14-1.mga4
php-tidy-5.5.14-1.mga4
php-tokenizer-5.5.14-1.mga4
php-xml-5.5.14-1.mga4
php-xmlreader-5.5.14-1.mga4
php-xmlrpc-5.5.14-1.mga4
php-xmlwriter-5.5.14-1.mga4
php-xsl-5.5.14-1.mga4
php-wddx-5.5.14-1.mga4
php-zip-5.5.14-1.mga4
php-fpm-5.5.14-1.mga4
php-apc-3.1.15-4.5.mga4
php-apc-admin-3.1.15-4.5.mga4

from SRPMS:
php-5.5.14-1.mga4.src.rpm
php-apc-3.1.15-4.5.mga4.src.rpm
CC: (none) => oe
Assignee: oe => qa-bugs
Severity: normal => major
Package(s) under test: drupal glpi owncloud php-fpm php-ini phpmyadmin

default install of php-ini

[root@localhost wilcal]# urpmi drupal
Package drupal-7.26-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.16-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.29-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.29-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga3.noarch is already installed

localhost/drupal opens
localhost/phpmyadmin opens
localhost/glpi opens
localhost/owncloud opens and runs

install php-ini from updates_testing

[root@localhost wilcal]# urpmi drupal
Package drupal-7.28-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.16-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.30-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.30-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga3.noarch is already installed

localhost/phpmyadmin opens and works
localhost/glpi opens
localhost/owncloud opens and runs
localhost/drupal opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
Created attachment 5224 [details] php files before and after update MGA3-32
LWN reference for the /tmp-file, libmagic, and unserialize issues: http://lwn.net/Vulnerabilities/603974/
(In reply to William Kenney from comment #4)
> Created attachment 5224 [details]
> php files before and after update MGA3-32

Your "After update" column lists several php packages that you haven't yet updated to the 5.4.30 testing versions.
(In reply to David Walser from comment #6)
> Your "After update" column lists several php packages that you haven't yet
> updated to the 5.4.30 testing versions.

Yep, ran out of time. Next time I bring this up I'm gonna let the entire Vbox client update, reboot, and run the listing again. Hopefully things will be ok. If that all works I'll run the same process on the other three clients.
Created attachment 5226 [details] php files before, after update then after a full system update MGA3-32
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: drupal glpi owncloud php-fpm php-ini phpmyadmin

default install of php-ini

[root@localhost wilcal]# urpmi drupal
Package drupal-7.26-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.16-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.29-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.29-1.mga3.x86_64 is already installed
Marking php-ini as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga3.noarch is already installed

localhost/drupal opens
localhost/phpmyadmin opens
localhost/glpi opens
localhost/owncloud opens and runs

install php-ini from updates_testing

[root@localhost wilcal]# urpmi drupal
Package drupal-7.28-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.83.91-1.1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-5.0.16-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.4.30-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.4.30-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga3.noarch is already installed

localhost/phpmyadmin opens and works
localhost/glpi opens
localhost/owncloud opens and runs
localhost/drupal opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Created attachment 5227 [details] php files before, after update then after a full system update MGA3-64
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: drupal glpi owncloud php-fpm php-ini phpmyadmin

default install of php-ini

[root@localhost wilcal]# urpmi drupal
Package drupal-7.26-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.13-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.13-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga4.noarch is already installed

localhost/drupal opens
localhost/phpmyadmin opens
localhost/glpi opens
localhost/owncloud opens and runs

install php-ini from updates_testing

[root@localhost wilcal]# urpmi drupal
Package drupal-7.28-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.14-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.14-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga4.noarch is already installed

localhost/phpmyadmin opens and works
localhost/glpi opens
localhost/owncloud opens and runs
localhost/drupal opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Created attachment 5228 [details] php files before, after update then after a full system update MGA4-32
(In reply to William Kenney from comment #12)
> Created attachment 5228 [details]
> php files before, after update then after a full system update MGA4-32

Also shows several php packages not updated to 5.5.14.
(In reply to David Walser from comment #13)
> Also shows several php packages not updated to 5.5.14.

Almost through M4 64-bit. Once I'm finished let's think about this. I'm see'n some wrinkles in M4.
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: drupal glpi owncloud php-fpm php-ini phpmyadmin

default install of php-ini

[root@localhost wilcal]# urpmi drupal
Package drupal-7.26-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.13-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.13-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga4.noarch is already installed

localhost/drupal opens
localhost/phpmyadmin opens
localhost/glpi opens
localhost/owncloud opens and runs

install php-ini from updates_testing

[root@localhost wilcal]# urpmi drupal
Package drupal-7.28-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.14-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.14-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga4.noarch is already installed

localhost/phpmyadmin opens and works
localhost/glpi opens
localhost/owncloud no longer opens or runs
localhost/drupal opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Created attachment 5229 [details] php files before, after update then after a full system update MGA4-64
There were no available updates between the update_testing of php-ini and a full system update for either M4-32bit or M4-64bit. Also notice that owncloud didn't work after the update_testing on M4-64bit.
(In reply to William Kenney from comment #17)
> There were no available updates between the update_testing of php-ini
> and a full system update for either M4-32bit or M4-64bit. Also notice
> that owncloud didn't work after the update_testing on M4-64bit.

In both of your Mageia 4 tests, you didn't update all of the php packages before testing. Please pay attention to the package lists and install all relevant packages.
(In reply to David Walser from comment #18)
> In both of your Mageia 4 tests, you didn't update all of the php packages
> before testing. Please pay attention to the package lists and install all
> relevant packages.

First go through I only deal with updates listed in the MCC with:
drupal glpi owncloud php-fpm php-ini phpmyadmin

If they're not listed there they ain't updated. 2nd time through I do a complete update of the system and in both of those tries with M4 there were no updates to update. I'll run the M4 testing again tomorrow from scratch. My local repo updates at 04:02AM everyday so I'm dealing with a static repo.
William, I'm not sure what procedure that you're using to install the updates, but we have documented on the wiki a procedure that works pretty well. See #2 "Installing the Update Candidate" here:
https://wiki.mageia.org/en/QA_process_for_validating_updates#Test_the_update_candidate

Basically the idea is that you temporarily enable the testing repository, run MageiaUpdate and it will propose all packages that you have installed that have updated versions available, and then you go through and check all of the packages listed there that are also listed in the bug report as being a part of that particular update. Then you disable the testing repository.
(In reply to David Walser from comment #20)
> Basically the idea is that you temporarily enable the testing repository,
> run MageiaUpdate and it will propose all packages that you have installed
> that have updated versions available,

Ya, that's pretty much what I'm do'n here. M3 worked fine, M4 seems to have issues. I'll rerun the M4 thing all over again tomorrow ( Tues ) when I have clear head. Thanks for the help.
Retest

In VirtualBox, M4, KDE, 32-bit

Package(s) under test: drupal glpi owncloud php-fpm php-ini phpmyadmin

default install of php-ini

[root@localhost wilcal]# urpmi drupal
Package drupal-7.26-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.13-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.13-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga4.noarch is already installed

localhost/drupal opens
localhost/phpmyadmin opens
localhost/glpi opens
localhost/owncloud opens and runs

install php-ini from updates_testing

[root@localhost wilcal]# urpmi drupal
Package drupal-7.28-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.3-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.14-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.14-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.1.14.1-1.mga4.noarch is already installed

localhost/phpmyadmin opens and works
localhost/glpi opens
localhost/owncloud opens and runs
localhost/drupal opens

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Created attachment 5231 [details] retest, php files before, after update then after a full system update MGA4-32
(In reply to William Kenney from comment #23)
> Created attachment 5231 [details]
> retest, php files before, after update then after a full system update
> MGA4-32

From a quick glance I noticed that apache-mod_php still wasn't updated.
(In reply to David Walser from comment #24)
> From a quick glance I noticed that apache-mod_php still wasn't updated.

Well clearly, IMO, we need a better way to test this. php-ini is not updating all the php files on the system. There appears to be over 80 php related files that need to be updated and having to go through them one by one to make sure they are updated is not a good way to update and test. Throw in the database issue and it becomes overly complex.

I'm also running into an M4-64bit owncloud issue. Before the update I can log in using the system root and PW. After that that don't work anymore. M3-32/64bit and M4-32bit that works fine.
(In reply to William Kenney from comment #25)
> Well clearly, IMO, we need a better way to test this.

There are a lot of subpackages and yes it's tedious (and possibly error-prone) clicking all of them, but that's the procedure currently. It would be great if we had a better tool for handling this than MageiaUpdate, but currently we don't. We need to find developers interested in developing one :o)

My idea is that we have a simplified update tool that lists packages by their Source RPM rather than individual RPMs. Listing the individual RPMs I think is TMI for most users, and I think the use case of allowing users to only update some subpackages but not others from the same SRPM is very limited and not something we should really be supporting anyway.

Anyway, that's an aside, but in the meantime, when testing updates you just have to be careful and pay attention to the package lists.
It can be helpful to sort the packages in MageiaUpdate according to version. It doesn't always help as some with lots of packages are also lots of versions.
(In reply to claire robinson from comment #27)
> It can be helpful to sort the packages in MageiaUpdate according to version.
>
> It doesn't always help as some with lots of packages are also lots of
> versions.

Even still, that's a really good suggestion. It didn't occur to me that you could do that :o)
I'd kinda like to get this php behind us before we really launch into M5 isos. This thing can be a time burner. Anyway, I'm gonna take a break from it and try again. Many thanks to David for the help. This is probably a subject for the qa-meeting on Thurs.
Just to say that I shall be trying MGA4 64-bit.
CC: (none) => lewyssmith
I brute forced it this morning. Installed every file listed in Comment #2 ( 74 files ) using the MCC, that installed over 150 files. There was one conflict before install. rpm -qa | grep php- comes up with a list of 85 files. Most match but about a dozen don't. This may be a Mission Impossible. We'll talk about it at the QA meeting.
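The recurring problem in this thread is a partially applied update: a few php subpackages left at the old version while the rest moved to 5.4.30/5.5.14, which the tester only noticed by comparing `rpm -qa` output against the package list by eye. The script below is an added example, not part of this bug report and not a Mageia tool, that automates both checks. It builds on the idea raised above of grouping packages by source RPM: every subpackage built from the same SRPM should carry the same VERSION-RELEASE, so a disagreement is a partial update even without consulting the bug's list; the second function compares installed versions against the list. It assumes the input is produced by `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{SOURCERPM}\n'` (real rpm query tags); the package lines embedded here are constructed to resemble a Mageia 4 host where only some php subpackages were updated.

```shell
#!/bin/sh
# Added example (not from this bug report or from Mageia's own tools):
# two checks for a partially applied update, both driven by the output of
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{SOURCERPM}\n'
# The data below is constructed to look like a Mageia 4 system where only
# part of the php update was applied.
SAMPLE_INSTALLED='php-ini 5.5.14-1.mga4 php-5.5.14-1.mga4.src.rpm
php-cli 5.5.14-1.mga4 php-5.5.14-1.mga4.src.rpm
apache-mod_php 5.5.13-1.mga4 php-5.5.13-1.mga4.src.rpm
libphp5_common5 5.5.13-1.mga4 php-5.5.13-1.mga4.src.rpm
php-apc 3.1.15-4.5.mga4 php-apc-3.1.15-4.5.mga4.src.rpm'

# The same host after every php subpackage was updated (constructed).
SAMPLE_CLEAN='php-ini 5.5.14-1.mga4 php-5.5.14-1.mga4.src.rpm
php-cli 5.5.14-1.mga4 php-5.5.14-1.mga4.src.rpm
apache-mod_php 5.5.14-1.mga4 php-5.5.14-1.mga4.src.rpm
libphp5_common5 5.5.14-1.mga4 php-5.5.14-1.mga4.src.rpm
php-apc 3.1.15-4.5.mga4 php-apc-3.1.15-4.5.mga4.src.rpm'

# Constructed excerpt of an "Updated packages in core/updates_testing"
# list, one NAME-VERSION-RELEASE per line as written in the bug report.
SAMPLE_EXPECTED='php-ini-5.5.14-1.mga4
apache-mod_php-5.5.14-1.mga4
libphp5_common5-5.5.14-1.mga4
php-cli-5.5.14-1.mga4
php-opcache-5.5.14-1.mga4
php-apc-3.1.15-4.5.mga4'

# Check 1: every installed subpackage built from the same source RPM must
# carry the same VERSION-RELEASE. Needs no package list. Prints one line per
# (source, version) pair of each source whose subpackages disagree and
# returns 1 when a disagreement exists, 0 otherwise.
check_srpm_versions() {
    printf '%s\n' "$1" | awk '
    BEGIN { bad = 0 }
    NF == 3 {
        src = $3
        sub(/\.src\.rpm$/, "", src)
        # Drop the trailing -VERSION-RELEASE; rpm forbids "-" inside either,
        # so stripping the last two dash-separated fields yields the SRPM name.
        sub(/-[^-]*-[^-]*$/, "", src)
        key = src SUBSEP $2
        if (!(key in names)) nver[src]++
        names[key] = names[key] " " $1
    }
    END {
        for (key in names) {
            split(key, p, SUBSEP)
            if (nver[p[1]] > 1) {
                bad = 1
                printf "%s: %s (%s)\n", p[1], p[2], substr(names[key], 2)
            }
        }
        exit bad
    }'
}

# Check 2: compare installed packages against the update's package list.
# A listed package installed at a different VERSION-RELEASE is reported;
# listed packages that are not installed at all are ignored, since no host
# installs every subpackage. Returns 1 on any mismatch, 0 otherwise.
check_against_list() {
    expected=$(printf '%s\n' "$1" | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v exp_list="$expected" '
    BEGIN {
        bad = 0
        n = split(exp_list, entry, " ")
        for (i = 1; i <= n; i++) {
            name = entry[i]
            sub(/-[^-]*-[^-]*$/, "", name)          # NAME
            want[name] = substr(entry[i], length(name) + 2)   # VERSION-RELEASE
        }
    }
    ($1 in want) && $2 != want[$1] {
        printf "%s: installed %s, update has %s\n", $1, $2, want[$1]
        bad = 1
    }
    END { exit bad }'
}

# Demonstration on the constructed data. On a real host replace the samples
# with "$(rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{SOURCERPM}\n')".
echo "== subpackages whose source RPM versions disagree =="
check_srpm_versions "$SAMPLE_INSTALLED" || echo "=> partial update detected"
echo "== installed packages differing from the update list =="
check_against_list "$SAMPLE_EXPECTED" "$SAMPLE_INSTALLED" || echo "=> not all update packages applied"
```

The first check is the one worth running after every MageiaUpdate pass, because it needs nothing from the bug report: a mixed 5.5.13/5.5.14 picture for the `php` source is exactly the state that made owncloud misbehave above. The second check is the mechanical version of "compare against the list in comment #2".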
Tested on Mageia 3 & 4 for both i586 & x86_64 archs

Steps taken:

1: Updated each system without testing repos enabled.

2: Installed all packages listed above and webmin (for testing purposes). Mediawiki already installed. For conflicting packages, installed one, tested then replaced with conflicting package before and after updating. Verified that all packages do install correctly.

Conflicting packages found:
Mageia 3: php-gd conflicts with php-gd-bundled.
Mageia 4: php-opcache conflicts with php-apc, php-apc-admin.

3: Turned on php debugging to syslog in /etc/php.ini and set it to E_ALL.

4: Ran tests. Searched around, but found only one, the gd library's xpm bug. Tried running from command line (PoC: https://bugs.php.net/bug.php?id=66901):

php -r 'var_dump(imagecreatefromxpm("foo.xpm"));'

Results: Mageia 3 & 4, i586 & x86_64: segfault

Checked mediawiki and webmin to make sure they were working correctly. They were.

5: Enabled testing repositories and updated php-*, apache-mod_php and libphp5 (or lib64php5).

6: Ran tests again. The PoC for the php-gd bug now reports 'bool(false)' and posts a warning to logs. Mediawiki and webmin still function correctly after update and logs show no obvious errors. No segfaults reported in logs after restarting apache with php-opcache installed and enabled in php.ini (Bug #12995). Could be blind luck.

Note for Mageia 4: libgd3 (or lib64gd3) needs to be upgraded from mageia 4 testing repositories as well or php-gd still segfaults after updating.

All packages install correctly. The two php intensive packages tested still functioned without complaint. Testing complete.

------------------------------------------

Update validated. Thanks.

Advisories: See comment #2

SRPMS:
php-5.4.30-1.mga3.src.rpm
php-apc-3.1.14-7.10.mga3.src.rpm
php-gd-bundled-5.4.30-1.mga3.src.rpm
php-5.5.14-1.mga4.src.rpm
php-apc-3.1.15-4.5.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates. Thank you!

------------------------------------------
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs, warrendiogenese
Whiteboard: MGA3TOO => MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK
Separate advisories uploaded 13532.mga3.adv & 13532.mga4.adv
Whiteboard: MGA3TOO MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK => MGA3TOO advisory MGA3-64-OK MGA3-32-OK MGA4-64-OK MGA4-32-OK
A CVE has been assigned for another one of the bugs fixed in these updates:
http://openwall.com/lists/oss-security/2014/07/06/6

Could someone please add the following stanza and reference to the advisories?

The phpinfo() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue that can cause it to leak arbitrary process memory (CVE-2014-4721).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4721
13532.mga3.adv & 13532.mga4.adv updated.
http://advisories.mageia.org/MGASA-2014-0283.html
http://advisories.mageia.org/MGASA-2014-0284.html
Status: NEW => RESOLVED
CC: (none) => pterjan
Resolution: (none) => FIXED
LWN reference for CVE-2014-4721: http://lwn.net/Vulnerabilities/604856/