Debian has issued an advisory today (August 21): https://lists.debian.org/debian-security-announce/2014/msg00191.html

CVE-2014-3538 and CVE-2014-4670 were fixed in our previous update. CVE-2014-3597 is due to an incomplete fix for CVE-2014-4049, which we had fixed two updates ago (this was the DNS TXT record issue). CVE-2014-3587 is yet another CDF issue in the fileinfo module, so we'll likely need another update for the file package as well. I wonder at what point it'll make more sense to just disable the CDF parser completely...

These issues are fixed in 5.5.16 and 5.4.32. Neither has been announced yet, but the 5.5.16 tarball is available. Though tagged in git, the 5.4.32 tarball isn't available yet for some reason.
Whiteboard: (none) => MGA3TOO
5.4.32 is now out as well. I've checked that and 5.5.16 into Mageia 3 and Mageia 4 SVN, respectively (including removing upstreamed patches). I haven't done anything else or pushed anything to the build system. Upstream hasn't released announcements or posted the Changelogs yet (of course the NEWS files are in git).

Speaking of the NEWS files, I also see a CVE-2014-5120 listed there for GD, coming from this change: http://git.php.net/?p=php-src.git;a=blobdiff;f=ext/gd/gd_ctx.c;h=eafbab5896185560fec80dde0851bb9f35dab827;hp=bff691fad2f0c5782793318354740ab2e12f56a2;hb=706aefb78112a44d4932d4c9430c6a898696f51f;hpb=529da0f74c1a230d0656799efc73a387392dbc10

It doesn't look like that code is in libgd, and perhaps Debian links their system libgd as we do and so that CVE wasn't relevant for them and that's why they didn't list it in their advisory. That CVE would be relevant for our Mageia 3 update though (for gd-bundled anyway). It doesn't look like that code is in Mageia 3's gd package either, which is nice.
Fedora has issued an advisory for file for CVE-2014-3587 on August 24: https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136989.html

Updates submitted to the build system for Mageia 3, Mageia 4, and Cauldron. I'll file a new bug for that.
file update is in Bug 13985.
Severity: normal => major
Gentoo has issued an advisory today (August 29): http://www.gentoo.org/security/en/glsa/glsa-201408-11.xml

It does reference CVE-2014-5120 (which I mentioned in Comment 1). It also lists a CVE-2013-4636 fixed in 5.4.16 in the libmagic part. I checked our file packages, and it doesn't appear to be relevant in any of them. It also lists some other older PHP CVEs which are not an issue for us.

LWN reference: http://lwn.net/Vulnerabilities/609962/
Updated packages uploaded for Mageia 3 and Mageia 4 by Oden and me.

Advisory:
========================

Updated php packages fix security vulnerabilities:

Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571 (CVE-2014-3587).

Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow remote DNS servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted DNS record, related to the dns_get_record function and the dn_expand function. NOTE: this issue exists because of an incomplete fix for CVE-2014-4049 (CVE-2014-3597).

gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via crafted input to an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function (CVE-2014-5120).

The php packages have been updated to 5.4.32 for Mageia 3 and 5.5.16 for Mageia 4, fixing these issues and several other bugs. Note that the CVE-2014-5120 issue is only relevant for the php-gd-bundled package in Mageia 3. Also, php-apc has been rebuilt against the updated php packages.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5120
http://php.net/ChangeLog-5.php#5.4.32
http://php.net/ChangeLog-5.php#5.5.16
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014%3A172/
========================

Updated packages in core/updates_testing:
========================
php-ini-5.4.32-1.mga3
apache-mod_php-5.4.32-1.mga3
php-cli-5.4.32-1.mga3
php-cgi-5.4.32-1.mga3
libphp5_common5-5.4.32-1.mga3
php-devel-5.4.32-1.mga3
php-openssl-5.4.32-1.mga3
php-zlib-5.4.32-1.mga3
php-doc-5.4.32-1.mga3
php-bcmath-5.4.32-1.mga3
php-bz2-5.4.32-1.mga3
php-calendar-5.4.32-1.mga3
php-ctype-5.4.32-1.mga3
php-curl-5.4.32-1.mga3
php-dba-5.4.32-1.mga3
php-dom-5.4.32-1.mga3
php-enchant-5.4.32-1.mga3
php-exif-5.4.32-1.mga3
php-fileinfo-5.4.32-1.mga3
php-filter-5.4.32-1.mga3
php-ftp-5.4.32-1.mga3
php-gd-5.4.32-1.mga3
php-gettext-5.4.32-1.mga3
php-gmp-5.4.32-1.mga3
php-hash-5.4.32-1.mga3
php-iconv-5.4.32-1.mga3
php-imap-5.4.32-1.mga3
php-interbase-5.4.32-1.mga3
php-intl-5.4.32-1.mga3
php-json-5.4.32-1.mga3
php-ldap-5.4.32-1.mga3
php-mbstring-5.4.32-1.mga3
php-mcrypt-5.4.32-1.mga3
php-mssql-5.4.32-1.mga3
php-mysql-5.4.32-1.mga3
php-mysqli-5.4.32-1.mga3
php-mysqlnd-5.4.32-1.mga3
php-odbc-5.4.32-1.mga3
php-pcntl-5.4.32-1.mga3
php-pdo-5.4.32-1.mga3
php-pdo_dblib-5.4.32-1.mga3
php-pdo_firebird-5.4.32-1.mga3
php-pdo_mysql-5.4.32-1.mga3
php-pdo_odbc-5.4.32-1.mga3
php-pdo_pgsql-5.4.32-1.mga3
php-pdo_sqlite-5.4.32-1.mga3
php-pgsql-5.4.32-1.mga3
php-phar-5.4.32-1.mga3
php-posix-5.4.32-1.mga3
php-readline-5.4.32-1.mga3
php-recode-5.4.32-1.mga3
php-session-5.4.32-1.mga3
php-shmop-5.4.32-1.mga3
php-snmp-5.4.32-1.mga3
php-soap-5.4.32-1.mga3
php-sockets-5.4.32-1.mga3
php-sqlite3-5.4.32-1.mga3
php-sybase_ct-5.4.32-1.mga3
php-sysvmsg-5.4.32-1.mga3
php-sysvsem-5.4.32-1.mga3
php-sysvshm-5.4.32-1.mga3
php-tidy-5.4.32-1.mga3
php-tokenizer-5.4.32-1.mga3
php-xml-5.4.32-1.mga3
php-xmlreader-5.4.32-1.mga3
php-xmlrpc-5.4.32-1.mga3
php-xmlwriter-5.4.32-1.mga3
php-xsl-5.4.32-1.mga3
php-wddx-5.4.32-1.mga3
php-zip-5.4.32-1.mga3
php-fpm-5.4.32-1.mga3
php-apc-3.1.14-7.12.mga3
php-apc-admin-3.1.14-7.12.mga3
php-gd-bundled-5.4.32-1.mga3

php-ini-5.5.16-1.mga4
apache-mod_php-5.5.16-1.mga4
php-cli-5.5.16-1.mga4
php-cgi-5.5.16-1.mga4
libphp5_common5-5.5.16-1.mga4
php-devel-5.5.16-1.mga4
php-openssl-5.5.16-1.mga4
php-zlib-5.5.16-1.mga4
php-doc-5.5.16-1.mga4
php-bcmath-5.5.16-1.mga4
php-bz2-5.5.16-1.mga4
php-calendar-5.5.16-1.mga4
php-ctype-5.5.16-1.mga4
php-curl-5.5.16-1.mga4
php-dba-5.5.16-1.mga4
php-dom-5.5.16-1.mga4
php-enchant-5.5.16-1.mga4
php-exif-5.5.16-1.mga4
php-fileinfo-5.5.16-1.mga4
php-filter-5.5.16-1.mga4
php-ftp-5.5.16-1.mga4
php-gd-5.5.16-1.mga4
php-gettext-5.5.16-1.mga4
php-gmp-5.5.16-1.mga4
php-hash-5.5.16-1.mga4
php-iconv-5.5.16-1.mga4
php-imap-5.5.16-1.mga4
php-interbase-5.5.16-1.mga4
php-intl-5.5.16-1.mga4
php-json-5.5.16-1.mga4
php-ldap-5.5.16-1.mga4
php-mbstring-5.5.16-1.mga4
php-mcrypt-5.5.16-1.mga4
php-mssql-5.5.16-1.mga4
php-mysql-5.5.16-1.mga4
php-mysqli-5.5.16-1.mga4
php-mysqlnd-5.5.16-1.mga4
php-odbc-5.5.16-1.mga4
php-opcache-5.5.16-1.mga4
php-pcntl-5.5.16-1.mga4
php-pdo-5.5.16-1.mga4
php-pdo_dblib-5.5.16-1.mga4
php-pdo_firebird-5.5.16-1.mga4
php-pdo_mysql-5.5.16-1.mga4
php-pdo_odbc-5.5.16-1.mga4
php-pdo_pgsql-5.5.16-1.mga4
php-pdo_sqlite-5.5.16-1.mga4
php-pgsql-5.5.16-1.mga4
php-phar-5.5.16-1.mga4
php-posix-5.5.16-1.mga4
php-readline-5.5.16-1.mga4
php-recode-5.5.16-1.mga4
php-session-5.5.16-1.mga4
php-shmop-5.5.16-1.mga4
php-snmp-5.5.16-1.mga4
php-soap-5.5.16-1.mga4
php-sockets-5.5.16-1.mga4
php-sqlite3-5.5.16-1.mga4
php-sybase_ct-5.5.16-1.mga4
php-sysvmsg-5.5.16-1.mga4
php-sysvsem-5.5.16-1.mga4
php-sysvshm-5.5.16-1.mga4
php-tidy-5.5.16-1.mga4
php-tokenizer-5.5.16-1.mga4
php-xml-5.5.16-1.mga4
php-xmlreader-5.5.16-1.mga4
php-xmlrpc-5.5.16-1.mga4
php-xmlwriter-5.5.16-1.mga4
php-xsl-5.5.16-1.mga4
php-wddx-5.5.16-1.mga4
php-zip-5.5.16-1.mga4
php-fpm-5.5.16-1.mga4
php-apc-3.1.15-4.7.mga4
php-apc-admin-3.1.15-4.7.mga4

from SRPMS:
php-5.4.32-1.mga3.src.rpm
php-apc-3.1.14-7.12.mga3.src.rpm
php-gd-bundled-5.4.32-1.mga3.src.rpm
php-5.5.16-1.mga4.src.rpm
php-apc-3.1.15-4.7.mga4.src.rpm
CC: (none) => oe
Assignee: oe => qa-bugs
Procedure https://bugs.mageia.org/show_bug.cgi?id=13796#c8 and following comments. Basically: choose a list of PHP webapps and test that they still work.
CC: (none) => stormi
Whiteboard: MGA3TOO => MGA3TOO has_procedure
As this update is another 'file/libmagic' vulnerability we can check that still works too:

$ cat fileinfo.php
<?php
$finfo = new finfo();
$fileinfo = $finfo->file('../random.tif', FILEINFO_MIME);
echo $fileinfo;
?>

Replace ../random.tif with the path to a file on your system.

$ php fileinfo.php
image/tiff; charset=binary
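The fileinfo check above needs a file on disk and does not tell a tester whether the installed PHP is actually one of the fixed releases. The following script is an added example, not code from the bug report or from Mageia: it checks the running interpreter against the fixed versions named in the advisory (5.4.32 for the 5.4 branch, 5.5.16 for the 5.5 branch), exercises the fileinfo extension on a constructed in-memory GIF header so no sample file is needed, and lists which of the GD output functions named in CVE-2014-5120 are compiled into this build. It assumes it is run with the distribution's php-cli after the update and is written to stay compatible with PHP 5.4.

```php
<?php
// Added example, not part of the bug report. Assumes php-cli from the updated
// packages; written for PHP 5.4 syntax so it runs on both Mageia 3 and 4.

// Fixed releases per branch, taken from the advisory text above.
function fixed_versions()
{
    return array('5.4' => '5.4.32', '5.5' => '5.5.16');
}

// true  -> running PHP is at or past the fixed release of its branch
// false -> running PHP is an affected release of a covered branch
// null  -> branch not covered by this advisory (cannot judge from it)
function php_is_fixed($version)
{
    $parts  = explode('.', $version);
    $branch = $parts[0] . '.' . (isset($parts[1]) ? $parts[1] : '0');
    $fixed  = fixed_versions();
    if (!isset($fixed[$branch])) {
        return null;
    }
    return version_compare($version, $fixed[$branch], '>=');
}

// Exercise libmagic through the fileinfo extension on an in-memory buffer.
// The bytes are a constructed minimal GIF89a header, not a real image file.
function fileinfo_smoke_test()
{
    $gif = "GIF89a" . "\x01\x00\x01\x00" . "\x00\x00\x00";
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($gif);
    return $mime === false ? 'fileinfo failed' : $mime; // expected: image/gif
}

// Which of the GD writers named for CVE-2014-5120 exist in this build.
// An empty list means the GD part of the advisory does not apply here.
function gd_functions_present()
{
    $names = array('imagegd', 'imagegd2', 'imagegif', 'imagejpeg',
                   'imagepng', 'imagewbmp', 'imagewebp');
    return array_values(array_filter($names, 'function_exists'));
}

$status = php_is_fixed(PHP_VERSION);
if ($status === null) {
    $verdict = 'branch not covered by this advisory';
} elseif ($status) {
    $verdict = 'fixed release or later';
} else {
    $verdict = 'AFFECTED release, update needed';
}
printf("PHP %s: %s\n", PHP_VERSION, $verdict);
printf("fileinfo: %s\n", fileinfo_smoke_test());
$gd = gd_functions_present();
printf("GD functions present: %s\n", $gd ? implode(', ', $gd) : 'none (GD not loaded)');
```

Run it as `php check-php-update.php` on each tested arch. A report of an affected release together with a package version of 5.4.32-1.mga3 or 5.5.16-1.mga4 would indicate that a different PHP binary (for example one outside the packaged path) is being picked up, which is worth knowing before marking an arch as ok.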
Testing complete mga4 64. Tested with wordpress, zoneminder, phpmyadmin, php-apc (tip: install and browse to http://localhost/<package>; some, e.g. wordpress, need a database created first). Also the fileinfo.php from comment 7.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok
Testing complete mga3 64. Used phpmyadmin, drupal, php-apc and fileinfo.php from comment 7.
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok
Testing complete mga4 32. phpmyadmin, owncloud, php-apc and fileinfo.php from comment 7.
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok
Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Advisory from comment 5 uploaded. Could sysadmin please push to 3 & 4 updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0367.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED