PHP 5.6.9 and 5.5.25 have been released on June 11: http://php.net/ChangeLog-5.php#5.5.26 http://php.net/ChangeLog-5.php#5.6.10 There are several apparent security issues fixed, but no CVEs posted yet. The pcre and sqlite3 CVEs mentioned were fixed by previous updates for those. Updated packages uploaded for Mageia 4 and Cauldron. Generic advisory for now as there are no CVEs for the PHP bugs. The most likely candidate for a CVE is the php#69545 improved fix (an apparently incomplete fix was in PHP 5.5.25, this was CVE-2015-4022). Advisory: ======================== Updated php packages fix security vulnerabilities: PHP has been updated to version 5.5.26, which fixes multiple bugs and potential security issues. Please see the upstream ChangeLog for details. References: http://php.net/ChangeLog-5.php#5.5.26 ======================== Updated packages in core/updates_testing: ======================== php-ini-5.5.26-1.mga4 apache-mod_php-5.5.26-1.mga4 php-cli-5.5.26-1.mga4 php-cgi-5.5.26-1.mga4 libphp5_common5-5.5.26-1.mga4 php-devel-5.5.26-1.mga4 php-openssl-5.5.26-1.mga4 php-zlib-5.5.26-1.mga4 php-doc-5.5.26-1.mga4 php-bcmath-5.5.26-1.mga4 php-bz2-5.5.26-1.mga4 php-calendar-5.5.26-1.mga4 php-ctype-5.5.26-1.mga4 php-curl-5.5.26-1.mga4 php-dba-5.5.26-1.mga4 php-dom-5.5.26-1.mga4 php-enchant-5.5.26-1.mga4 php-exif-5.5.26-1.mga4 php-fileinfo-5.5.26-1.mga4 php-filter-5.5.26-1.mga4 php-ftp-5.5.26-1.mga4 php-gd-5.5.26-1.mga4 php-gettext-5.5.26-1.mga4 php-gmp-5.5.26-1.mga4 php-hash-5.5.26-1.mga4 php-iconv-5.5.26-1.mga4 php-imap-5.5.26-1.mga4 php-interbase-5.5.26-1.mga4 php-intl-5.5.26-1.mga4 php-json-5.5.26-1.mga4 php-ldap-5.5.26-1.mga4 php-mbstring-5.5.26-1.mga4 php-mcrypt-5.5.26-1.mga4 php-mssql-5.5.26-1.mga4 php-mysql-5.5.26-1.mga4 php-mysqli-5.5.26-1.mga4 php-mysqlnd-5.5.26-1.mga4 php-odbc-5.5.26-1.mga4 php-opcache-5.5.26-1.mga4 php-pcntl-5.5.26-1.mga4 php-pdo-5.5.26-1.mga4 php-pdo_dblib-5.5.26-1.mga4 php-pdo_firebird-5.5.26-1.mga4 php-pdo_mysql-5.5.26-1.mga4 php-pdo_odbc-5.5.26-1.mga4 php-pdo_pgsql-5.5.26-1.mga4 php-pdo_sqlite-5.5.26-1.mga4 php-pgsql-5.5.26-1.mga4 php-phar-5.5.26-1.mga4 php-posix-5.5.26-1.mga4 php-readline-5.5.26-1.mga4 php-recode-5.5.26-1.mga4 php-session-5.5.26-1.mga4 php-shmop-5.5.26-1.mga4 php-snmp-5.5.26-1.mga4 php-soap-5.5.26-1.mga4 php-sockets-5.5.26-1.mga4 php-sqlite3-5.5.26-1.mga4 php-sybase_ct-5.5.26-1.mga4 php-sysvmsg-5.5.26-1.mga4 php-sysvsem-5.5.26-1.mga4 php-sysvshm-5.5.26-1.mga4 php-tidy-5.5.26-1.mga4 php-tokenizer-5.5.26-1.mga4 php-xml-5.5.26-1.mga4 php-xmlreader-5.5.26-1.mga4 php-xmlrpc-5.5.26-1.mga4 php-xmlwriter-5.5.26-1.mga4 php-xsl-5.5.26-1.mga4 php-wddx-5.5.26-1.mga4 php-zip-5.5.26-1.mga4 php-fpm-5.5.26-1.mga4 php-apc-3.1.15-4.15.mga4 php-apc-admin-3.1.15-4.15.mga4 php-timezonedb-2015.4-1.mga4 from SRPMS: php-5.5.26-1.mga4.src.rpm php-apc-3.1.15-4.16.mga4.src.rpm Reproducible: Steps to Reproduce:
Several CVEs have been assigned, mostly for issues fixed in older versions of PHP: http://openwall.com/lists/oss-security/2015/06/16/12 CVE-2015-4598 applies to php#69719 fixed in this update: Incorrect handling of paths with NULs
CVE request for other fixes in this update: http://openwall.com/lists/oss-security/2015/06/18/3
CVE assignment: http://openwall.com/lists/oss-security/2015/06/18/6 Advisory: ======================== Updated php packages fix security vulnerabilities: Incorrect handling of paths with NULs (CVE-2015-4598). OS command injection vulnerability in escapeshellarg (CVE-2015-4642). Integer overflow in ftp_genlist() resulting in heap overflow (CVE-2015-4643). Segfault in php_pgsql_meta_data (CVE-2015-4644). PHP has been updated to version 5.5.26, which fixes multiple bugs and potential security issues. Please see the upstream ChangeLog for details. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4598 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4642 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4643 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4644 http://php.net/ChangeLog-5.php#5.5.26 http://openwall.com/lists/oss-security/2015/06/16/12 http://openwall.com/lists/oss-security/2015/06/18/6
LWN reference for CVE-2015-4598 (and several unrelated ones): http://lwn.net/Vulnerabilities/649071/
Tested Mageia 4 i586 with my old php-gd, php-dba, php-cgi, apache-mod_userdir, apache-mod_suexec test case from https://bugs.mageia.org/show_bug.cgi?id=3895#c35
Whiteboard: (none) => MGA4-32-OK
Advisory committed to svn. Someone from the sysadmin team please push 16115.adv to updates.
Keywords: (none) => validated_updateWhiteboard: MGA4-32-OK => MGA4-32-OK advisoryCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0258.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/650306/