Upstream has released version 5.6.12 on August 6: http://php.net/archive/2015.php#id2015-08-06-4 It says that there are 12 security fixes, and some of the fixes in the changelog do sound like security fixes, but it's not entirely clear what the 12 are, and there are no CVEs yet. Advisory to come later, as usual. References: http://www.php.net/ChangeLog-5.php#5.6.12 Updated packages in core/updates_testing: ======================== php-ini-5.6.12-1.mga5 apache-mod_php-5.6.12-1.mga5 php-cli-5.6.12-1.mga5 php-cgi-5.6.12-1.mga5 libphp5_common5-5.6.12-1.mga5 php-devel-5.6.12-1.mga5 php-openssl-5.6.12-1.mga5 php-zlib-5.6.12-1.mga5 php-doc-5.6.12-1.mga5 php-bcmath-5.6.12-1.mga5 php-bz2-5.6.12-1.mga5 php-calendar-5.6.12-1.mga5 php-ctype-5.6.12-1.mga5 php-curl-5.6.12-1.mga5 php-dba-5.6.12-1.mga5 php-dom-5.6.12-1.mga5 php-enchant-5.6.12-1.mga5 php-exif-5.6.12-1.mga5 php-fileinfo-5.6.12-1.mga5 php-filter-5.6.12-1.mga5 php-ftp-5.6.12-1.mga5 php-gd-5.6.12-1.mga5 php-gettext-5.6.12-1.mga5 php-gmp-5.6.12-1.mga5 php-hash-5.6.12-1.mga5 php-iconv-5.6.12-1.mga5 php-imap-5.6.12-1.mga5 php-interbase-5.6.12-1.mga5 php-intl-5.6.12-1.mga5 php-json-5.6.12-1.mga5 php-ldap-5.6.12-1.mga5 php-mbstring-5.6.12-1.mga5 php-mcrypt-5.6.12-1.mga5 php-mssql-5.6.12-1.mga5 php-mysql-5.6.12-1.mga5 php-mysqli-5.6.12-1.mga5 php-mysqlnd-5.6.12-1.mga5 php-odbc-5.6.12-1.mga5 php-opcache-5.6.12-1.mga5 php-pcntl-5.6.12-1.mga5 php-pdo-5.6.12-1.mga5 php-pdo_dblib-5.6.12-1.mga5 php-pdo_firebird-5.6.12-1.mga5 php-pdo_mysql-5.6.12-1.mga5 php-pdo_odbc-5.6.12-1.mga5 php-pdo_pgsql-5.6.12-1.mga5 php-pdo_sqlite-5.6.12-1.mga5 php-pgsql-5.6.12-1.mga5 php-phar-5.6.12-1.mga5 php-posix-5.6.12-1.mga5 php-readline-5.6.12-1.mga5 php-recode-5.6.12-1.mga5 php-session-5.6.12-1.mga5 php-shmop-5.6.12-1.mga5 php-snmp-5.6.12-1.mga5 php-soap-5.6.12-1.mga5 php-sockets-5.6.12-1.mga5 php-sqlite3-5.6.12-1.mga5 php-sybase_ct-5.6.12-1.mga5 php-sysvmsg-5.6.12-1.mga5 php-sysvsem-5.6.12-1.mga5 php-sysvshm-5.6.12-1.mga5 php-tidy-5.6.12-1.mga5 php-tokenizer-5.6.12-1.mga5 php-xml-5.6.12-1.mga5 php-xmlreader-5.6.12-1.mga5 php-xmlrpc-5.6.12-1.mga5 php-xmlwriter-5.6.12-1.mga5 php-xsl-5.6.12-1.mga5 php-wddx-5.6.12-1.mga5 php-zip-5.6.12-1.mga5 php-fpm-5.6.12-1.mga5 phpdbg-5.6.12-1.mga5 from php-5.6.12-mga5.src.rpm Reproducible: Steps to Reproduce:
Okay - I installed and tested. Results are different from php 5.6.11 that I tsted before. Before I ran the test and it continued on to the book reading. This time it just stopped at the old test. Me thinks they may have undone something. I did run test: php Bug #70012 Exception lost with nested finally block php 5.6.12 did work. An excerpt from my testing. ---------------------------- //error class begin 5.6.12 Outer try Middle try Middle finally Inner try Inner finally Outer catch Outer finally //error test end **The Project Gutenberg Etext of Heart of Darkness, by Conrad** --------------------------- Because code that worked in php 5.6.11 persisted through and now doesn't bothers me, But the new test does seem to work properly. David - what do you think? I'll attach my latest test.
CC: (none) => brtians1
Created attachment 6918 [details] php12_test_brian
Hello I tested it in a Mageia 5 64 bits using ampache 3.8 not from the repo but downloaded from ampache.org, and it works the same as before. I have been able to update the catalog, connect my android device and play some remote music.
CC: (none) => panasum
32-bit testing seemed okay other than notes above. Pana please note yours worked as well Brian
Whiteboard: (none) => MGA5-32-OK
(In reply to Brian Rockwell from comment #1) > Okay - I installed and tested. Results are different from php 5.6.11 that I > tsted before. Before I ran the test and it continued on to the book > reading. > > This time it just stopped at the old test. Me thinks they may have undone > something. > > Because code that worked in php 5.6.11 persisted through and now doesn't > bothers me, But the new test does seem to work properly. > > David - what do you think? I'll attach my latest test. What exactly are you saying doesn't work now? I ran your test case on 5.6.9 and there was an Outer shouldnt get here that was printed, and in 5.6.12 it prints Outer catch, so I guess that's showing some bug that was fixed. Nothing looks obviously wrong about the output in 5.6.12.
I am trying to test the file in comment 2 but I do not know much about php. Which is the correct way of launching it? If I launch it as `php ph12.php` this is what I get in the terminal: <html> <head> <title>PHP Test</title> </head> <body> //error class begin 5.6.12<br>Outer try <br> Middle try<br> Middle finally<br> Inner try<br> Inner finally<br> Outer catch <br>Outer finally <br><br> //error test end content of the test file <br><br><p></p> <p> 2 </p. <p> </p> </body> </html> I am not sure if this is the right behaviour or if I have to launch it in a different way. This behaviour was the same in the previous version of php.
Ok, If I open this output in firefox this is what I get: -------------------------------------------------- //error class begin 5.6.12 Outer try Middle try Middle finally Inner try Inner finally Outer catch Outer finally //error test end CONTENT OF THE TEST FILE test 1 2 3 3 -------------------------------------------------- For me it looks ok, but I do not know which should be the right output. Tested in Mageia 5 64 bits
(In reply to Pana Sum from comment #6) > I am trying to test the file in comment 2 but I do not know much about php. > Which is the correct way of launching it? If I launch it as `php ph12.php` Yeah that's how I ran it too, it's a perfectly valid way to test it. His output looks like he was viewing the generated HTML in a browser, so it was formatted. Running it at the console as we did gives a more direct view of what PHP is doing with it.
correct - ran from browser using apache. David - I was referring to my old test I ran against 5.6.11. That test under 5.6.12 seems to fail. But testing the 5.6.12 test case seems to work correctly, so I'm okay.
Tested with MGA5-64 all is working as designed.
Whiteboard: MGA5-32-OK => MGA5-32-OK mga5-64-OK
fyi - I went back and tested the 5.6.11 test case against it by running at command line. If flagged the error and stopped. So it successfully protected itself. I am fine with this being released. Brian
This can be validated, just as Bug 16553 already was. CVEs were just requested for issues fixed in this one: http://openwall.com/lists/oss-security/2015/08/19/3 Let's see if we hear something on that soon.
I'll try this one, should be fun. Sec Bug #70019 Files extracted from archive may be placed outside of destination directory If this validates are you ready to release?
If we don't hear anything on the CVE assignments by meeting time this Thursday, we can use this general advisory. Advisory: ======================== Updated php packages fix security vulnerabilities: The php package has been updated to version 5.6.12, which fixes several security issues and other bugs. See the upstream ChangeLog for more details. References: http://www.php.net/ChangeLog-5.php#5.6.12
Created attachment 6939 [details] process to tar file
Created attachment 6940 [details] untaring file in another directory
Validating. Still needs advisory to be uploaded by QA though.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Whiteboard: MGA5-32-OK mga5-64-OK => MGA5-32-OK mga5-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0318.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/655408/
CVE-2015-6831, CVE-2015-6832, CVE-2015-6833 assigned to this update: http://openwall.com/lists/oss-security/2015/09/08/7
(In reply to David Walser from comment #20) > CVE-2015-6831, CVE-2015-6832, CVE-2015-6833 assigned to this update: > http://openwall.com/lists/oss-security/2015/09/08/7 LWN reference: http://lwn.net/Vulnerabilities/658453/