Upstream has released version 5.5.27 on July 10:
http://php.net/archive/2015.php#id2015-07-10-2

It appears that some of the fixes are security relevant. We'll try for an advisory later.

References:
http://php.net/ChangeLog-5.php#5.5.27

Updated packages in core/updates_testing:
========================
php-ini-5.5.27-1.mga4
apache-mod_php-5.5.27-1.mga4
php-cli-5.5.27-1.mga4
php-cgi-5.5.27-1.mga4
libphp5_common5-5.5.27-1.mga4
php-devel-5.5.27-1.mga4
php-openssl-5.5.27-1.mga4
php-zlib-5.5.27-1.mga4
php-doc-5.5.27-1.mga4
php-bcmath-5.5.27-1.mga4
php-bz2-5.5.27-1.mga4
php-calendar-5.5.27-1.mga4
php-ctype-5.5.27-1.mga4
php-curl-5.5.27-1.mga4
php-dba-5.5.27-1.mga4
php-dom-5.5.27-1.mga4
php-enchant-5.5.27-1.mga4
php-exif-5.5.27-1.mga4
php-fileinfo-5.5.27-1.mga4
php-filter-5.5.27-1.mga4
php-ftp-5.5.27-1.mga4
php-gd-5.5.27-1.mga4
php-gettext-5.5.27-1.mga4
php-gmp-5.5.27-1.mga4
php-hash-5.5.27-1.mga4
php-iconv-5.5.27-1.mga4
php-imap-5.5.27-1.mga4
php-interbase-5.5.27-1.mga4
php-intl-5.5.27-1.mga4
php-json-5.5.27-1.mga4
php-ldap-5.5.27-1.mga4
php-mbstring-5.5.27-1.mga4
php-mcrypt-5.5.27-1.mga4
php-mssql-5.5.27-1.mga4
php-mysql-5.5.27-1.mga4
php-mysqli-5.5.27-1.mga4
php-mysqlnd-5.5.27-1.mga4
php-odbc-5.5.27-1.mga4
php-opcache-5.5.27-1.mga4
php-pcntl-5.5.27-1.mga4
php-pdo-5.5.27-1.mga4
php-pdo_dblib-5.5.27-1.mga4
php-pdo_firebird-5.5.27-1.mga4
php-pdo_mysql-5.5.27-1.mga4
php-pdo_odbc-5.5.27-1.mga4
php-pdo_pgsql-5.5.27-1.mga4
php-pdo_sqlite-5.5.27-1.mga4
php-pgsql-5.5.27-1.mga4
php-phar-5.5.27-1.mga4
php-posix-5.5.27-1.mga4
php-readline-5.5.27-1.mga4
php-recode-5.5.27-1.mga4
php-session-5.5.27-1.mga4
php-shmop-5.5.27-1.mga4
php-snmp-5.5.27-1.mga4
php-soap-5.5.27-1.mga4
php-sockets-5.5.27-1.mga4
php-sqlite3-5.5.27-1.mga4
php-sybase_ct-5.5.27-1.mga4
php-sysvmsg-5.5.27-1.mga4
php-sysvsem-5.5.27-1.mga4
php-sysvshm-5.5.27-1.mga4
php-tidy-5.5.27-1.mga4
php-tokenizer-5.5.27-1.mga4
php-xml-5.5.27-1.mga4
php-xmlreader-5.5.27-1.mga4
php-xmlrpc-5.5.27-1.mga4
php-xmlwriter-5.5.27-1.mga4
php-xsl-5.5.27-1.mga4
php-wddx-5.5.27-1.mga4
php-zip-5.5.27-1.mga4
php-fpm-5.5.27-1.mga4
php-apc-3.1.15-4.15.mga4
php-apc-admin-3.1.15-4.15.mga4
php-timezonedb-2015.4-1.mga4

from SRPMS:
php-5.5.27-1.mga4.src.rpm
php-apc-3.1.15-4.17.mga4.src.rpm

Reproducible:

Steps to Reproduce:
In VirtualBox, M4, KDE, 32-bit

Install and setup mariadb
In root terminal: systemctl start mysqld.service
Set password to: testphp
[root@localhost wilcal]# mysqladmin -u root password
type password "testphp" twice

Package(s) under test: php-ini php-fpm owncloud drupal phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.26-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.26-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.7-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.38-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.2.13.3-1.mga4.noarch is already installed
localhost/owncloud opens and runs
localhost/drupal opens and runs
localhost/phpmyadmin opens, runs and creates a database named "test"

install package from updates_testing
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.27-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.27-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi owncloud
Package owncloud-6.0.7-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.38-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.2.13.3-1.mga4.noarch is already installed
localhost/owncloud opens and runs
localhost/drupal opens and runs
localhost/phpmyadmin opens, runs and creates a database named "testagain"

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M4, KDE, 64-bit

Install and setup mariadb
In root terminal: systemctl start mysqld.service
Set password to: testphp
[root@localhost wilcal]# mysqladmin -u root password
type password "testphp" twice

Package(s) under test: php-ini php-fpm drupal phpmyadmin

default install of php-ini php-fpm drupal phpmyadmin
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.26-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.26-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.38-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.2.13.3-1.mga4.noarch is already installed
localhost/drupal opens and runs
localhost/phpmyadmin opens, runs and creates a database named "test"

install package from updates_testing
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.5.27-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.5.27-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi drupal
Package drupal-7.38-1.mga4.noarch is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.2.13.3-1.mga4.noarch is already installed
localhost/drupal opens and runs
localhost/phpmyadmin opens, runs and creates a database named "testagain"

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
CVE-2015-5589 and CVE-2015-5590 have been assigned to the phar issues fixed here: http://openwall.com/lists/oss-security/2015/07/18/1
Testing MGA4 x64

Updated all applicable PHP modules in Updates Testing to 5.5.27-1.

Played with:
- phpmyadmin
- phppgadmin
- Drupal
- Moodle
- MediaWiki
- Cacti [relevant ?]

Nothing untoward noticed. OK as far as I am concerned; but needs more tests by others to formalise this.
CC: (none) => lewyssmith
I played with various PHP webapps myself while testing apache, mga 4 64 too but I consider it enough to validate the update (and hasn't PHP a testsuite included?)
Keywords: (none) => validated_update
Whiteboard: (none) => MGA4-64-OK
CC: (none) => sysadmin-bugs
(In reply to Samuel VERSCHELDE from comment #5)
> I played with various PHP webapps myself while testing apache, mga 4 64 too
> but I consider it enough to validate the update (and hasn't PHP a testsuite
> included?)

It does indeed have an extensive build-time test suite, which we do run. I don't know if we've ever rejected a PHP update because it broke something. The only issues I can remember running into are PoCs that weren't fully fixed.
Here's an advisory for now. An inquiry was made about the CVE that should be used for php-mysqlnd's version of the BACKRONYM flaw, but it hasn't been answered yet.

Advisory:
========================

Updated php packages fix security vulnerabilities:

Segfault in Phar::convertToData on invalid file (CVE-2015-5589).

Buffer overflow and stack smashing error in phar_fix_filepath (CVE-2015-5590).

The php package has been updated to version 5.5.27, which fixes these issues, as well as other possible bugs and security issues, including the BACKRONYM flaw, which allows php-mysqlnd client connections that were supposed to use SSL/TLS to be downgraded to not use it.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5589
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5590
http://php.net/ChangeLog-5.php#5.5.27
http://openwall.com/lists/oss-security/2015/07/18/1
CC: (none) => davidwhodgins
Whiteboard: MGA4-64-OK => MGA4-64-OK advisory
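A fail-closed check for the BACKRONYM downgrade the advisory describes, added here as an example; it is not code from the bug report, from Mageia or from the PHP project. The application requests TLS through mysqli, then asks the server which cipher protects the session and refuses to hand the connection back when the answer is empty. Host, credentials, database name and CA path are placeholders. On a mysqlnd older than 5.5.27 the handshake has already gone out by the time the status query runs, so this detects a downgraded connection and stops the application from using it; it does not replace the updated package.

```php
<?php
/*
 * Added example (not part of the bug report or of PHP itself):
 * open a mysqli connection that asked for TLS and confirm with the
 * server that TLS is actually in use before returning the handle.
 * All connection parameters passed in are placeholders.
 */
function mysqli_connect_require_tls($host, $user, $pass, $db, $caFile)
{
    // Turn mysqli errors into exceptions so a failed connect cannot be ignored.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    $link = mysqli_init();

    // ssl_set(key, cert, ca, capath, cipher): only the CA bundle is pinned here,
    // so the server certificate must chain to a CA we trust.
    $link->ssl_set(null, null, $caFile, null, null);

    $flags = MYSQLI_CLIENT_SSL;
    // Ask the client library to verify the server certificate where the
    // constant is available in this PHP build.
    if (defined('MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT')) {
        $flags |= MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT;
    }

    $link->real_connect($host, $user, $pass, $db, 3306, null, $flags);

    // Independent confirmation from the server side: a session that was
    // downgraded to plaintext reports an empty Ssl_cipher value.
    $res    = $link->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'");
    $row    = $res ? $res->fetch_assoc() : null;
    $cipher = $row ? $row['Value'] : '';

    if ($cipher === '') {
        $link->close();
        throw new RuntimeException(
            'MySQL connection requested TLS but the server reports none; refusing to use it'
        );
    }

    return $link;
}

// Usage with placeholder values:
// $db = mysqli_connect_require_tls('db.example.internal', 'app', 'secret',
//                                  'appdb', '/etc/pki/tls/certs/ca.pem');
```

The status query is the part worth keeping even on a patched client: it asserts the property the application actually depends on (the session is encrypted) rather than trusting that a requested flag was honoured, and it turns a silent downgrade into a logged failure.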
Assignee: qa-bugs => sysadmin-bugs
Assignee: sysadmin-bugs => qa-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0276.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/652175/