Upstream has released version 5.6.11 on July 10:
http://php.net/archive/2015.php#id2015-07-10-3

It says there are 5 security fixes including a CVE that is also being fixed in the mariadb update currently assigned to QA, so I'm not sure what the deal is there. I also don't know which exactly are the 5 security fixes, but the segfaults and use-after-frees are likely candidates. I'll hold off on the advisory for now.

References:
http://php.net/ChangeLog-5.php#5.6.11

Updated packages in core/updates_testing:
========================
php-ini-5.6.11-1.mga5
apache-mod_php-5.6.11-1.mga5
php-cli-5.6.11-1.mga5
php-cgi-5.6.11-1.mga5
libphp5_common5-5.6.11-1.mga5
php-devel-5.6.11-1.mga5
php-openssl-5.6.11-1.mga5
php-zlib-5.6.11-1.mga5
php-doc-5.6.11-1.mga5
php-bcmath-5.6.11-1.mga5
php-bz2-5.6.11-1.mga5
php-calendar-5.6.11-1.mga5
php-ctype-5.6.11-1.mga5
php-curl-5.6.11-1.mga5
php-dba-5.6.11-1.mga5
php-dom-5.6.11-1.mga5
php-enchant-5.6.11-1.mga5
php-exif-5.6.11-1.mga5
php-fileinfo-5.6.11-1.mga5
php-filter-5.6.11-1.mga5
php-ftp-5.6.11-1.mga5
php-gd-5.6.11-1.mga5
php-gettext-5.6.11-1.mga5
php-gmp-5.6.11-1.mga5
php-hash-5.6.11-1.mga5
php-iconv-5.6.11-1.mga5
php-imap-5.6.11-1.mga5
php-interbase-5.6.11-1.mga5
php-intl-5.6.11-1.mga5
php-json-5.6.11-1.mga5
php-ldap-5.6.11-1.mga5
php-mbstring-5.6.11-1.mga5
php-mcrypt-5.6.11-1.mga5
php-mssql-5.6.11-1.mga5
php-mysql-5.6.11-1.mga5
php-mysqli-5.6.11-1.mga5
php-mysqlnd-5.6.11-1.mga5
php-odbc-5.6.11-1.mga5
php-opcache-5.6.11-1.mga5
php-pcntl-5.6.11-1.mga5
php-pdo-5.6.11-1.mga5
php-pdo_dblib-5.6.11-1.mga5
php-pdo_firebird-5.6.11-1.mga5
php-pdo_mysql-5.6.11-1.mga5
php-pdo_odbc-5.6.11-1.mga5
php-pdo_pgsql-5.6.11-1.mga5
php-pdo_sqlite-5.6.11-1.mga5
php-pgsql-5.6.11-1.mga5
php-phar-5.6.11-1.mga5
php-posix-5.6.11-1.mga5
php-readline-5.6.11-1.mga5
php-recode-5.6.11-1.mga5
php-session-5.6.11-1.mga5
php-shmop-5.6.11-1.mga5
php-snmp-5.6.11-1.mga5
php-soap-5.6.11-1.mga5
php-sockets-5.6.11-1.mga5
php-sqlite3-5.6.11-1.mga5
php-sybase_ct-5.6.11-1.mga5
php-sysvmsg-5.6.11-1.mga5
php-sysvsem-5.6.11-1.mga5
php-sysvshm-5.6.11-1.mga5
php-tidy-5.6.11-1.mga5
php-tokenizer-5.6.11-1.mga5
php-xml-5.6.11-1.mga5
php-xmlreader-5.6.11-1.mga5
php-xmlrpc-5.6.11-1.mga5
php-xmlwriter-5.6.11-1.mga5
php-xsl-5.6.11-1.mga5
php-wddx-5.6.11-1.mga5
php-zip-5.6.11-1.mga5
php-fpm-5.6.11-1.mga5
phpdbg-5.6.11-1.mga5

from php-5.6.11-mga5.src.rpm
I could install and try some rudimentary programs. I'm not a PHP guy, but it looks fairly simple, other than installing a webserver, a database and getting them all linked together.
CC: (none) => brtians1
Well, I did something wrong. Suggestions?

4 installation transactions failed
There was a problem during the installation:
php-dom is needed by php-xmlreader-3:5.6.11-1.mga5.x86_64
php-ctype >= 3:5.6.11 is needed by apache-mod_php-3:5.6.11-1.mga5.x86_64
php-hash >= 3:5.6.11 is needed by apache-mod_php-3:5.6.11-1.mga5.x86_64
php-posix >= 3:5.6.11 is needed by apache-mod_php-3:5.6.11-1.mga5.x86_64
php-session >= 3:5.6.11 is needed by apache-mod_php-3:5.6.11-1.mga5.x86_64
The best way to update is to have php installed, enable updates_testing, update the media (urpmi.update -a or equivalent), make sure updates_testing is marked as an update medium (have to edit /etc/urpmi/urpmi.cfg and add an "update" line for that one), run MageiaUpdate, and make sure all of the 5.6.11-1.mga5 packages are checked (uncheck everything else) and let it update them all. Trying to update them piecemeal will just result in some of them not getting updated, which doesn't work.
That's what I did. I'll run the urpmi.update -a again and try again.
The second round worked. I verified the version of php and ran the hello world routine through apache. Seems to be all tying together. I'll mess with it some more when I have a moment.

Brian
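A check for the partial-update state seen in the failed transaction above, added here as an example and not part of the original thread: it lists packages built from the php source RPM that are not at the expected version-release. The function names and the sample package lines are constructed for illustration; on a real system the input would come from the rpm query shown in the comment.

```shell
#!/bin/sh
# Added example (not from the bug thread): list packages built from the php
# source RPM that are NOT at the expected version-release.
#
# stdin: one "NAME VERSION-RELEASE SOURCERPM" line per installed package, e.g.
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{SOURCERPM}\n'
# arg 1: expected version-release, e.g. 5.6.11-1.mga5
find_stale_php() {
    awk -v want="$1" '
        # A SOURCERPM of "php-<digit>..." selects subpackages of php itself
        # and skips separately packaged add-ons such as php-pear.
        $3 ~ /^php-[0-9]/ && $2 != want { print $1, $2 }
    '
}

# Constructed sample of a half-finished update (the older versions and the
# php-pear line are made up for the example).
constructed_sample() {
    cat <<'EOF'
php-cli 5.6.11-1.mga5 php-5.6.11-1.mga5.src.rpm
apache-mod_php 5.6.11-1.mga5 php-5.6.11-1.mga5.src.rpm
php-dom 5.6.10-1.mga5 php-5.6.10-1.mga5.src.rpm
php-pear 1.9.5-1.mga5 php-pear-1.9.5-1.mga5.src.rpm
lib64php5_common5 5.6.10-1.mga5 php-5.6.10-1.mga5.src.rpm
EOF
}

stale=$(constructed_sample | find_stale_php 5.6.11-1.mga5)
if [ -n "$stale" ]; then
    echo "Partially updated, still at an older build:"
    echo "$stale"
else
    echo "All php subpackages are at 5.6.11-1.mga5"
fi
```

Empty output from find_stale_php means every php subpackage moved together, which is the state the update procedure above is meant to reach.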
I tested php Bug #69732 and also tested file reads, by reading a Project Gutenberg Etext of Heart of Darkness into a web page. I have not tested all functions, but from what I can tell php 5.6.11 is working as designed. I'll post that this patch is okay.
Whiteboard: (none) => MGA5-64-OK
Installed on MGA5 I586 VM. Ran tests for apache and php. Working as designed.
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
Created attachment 6877
Test case I used. You can change the name of the file to any text doc.
Advisory needed for this one, David, please.
Indeed, thanks Claire. I haven't seen any clarification on CVEs anywhere, so just a general advisory for now.

Advisory:
========================

Updated php packages fix security vulnerabilities:

The php package has been updated to version 5.6.11, fixing several bugs and security issues. See the upstream Changelog for more details.

References:
http://php.net/ChangeLog-5.php#5.6.11
Well done Brian for the testing. We normally use various webapps, e.g. wordpress, moodle, mediawiki, phpmyadmin etc.

Advisory uploaded.

Validating.

Please push to 5 updates.

Thanks
Whiteboard: MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0303.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/653505/