Bug 16553 - PHP 5.5.28
Summary: PHP 5.5.28
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/655408/
Whiteboard: MGA4-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-08-07 17:13 CEST by David Walser
Modified: 2015-09-25 19:52 CEST

See Also:
Source RPM: php-5.5.27-1.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2015-08-07 17:13:18 CEST
Upstream has released version 5.5.28 on August 6:
http://php.net/archive/2015.php#id2015-08-06-3

It says that there are 12 security fixes, and some of the fixes in the changelog do sound like security fixes, but it's not entirely clear what the 12 are, and there are no CVEs yet.  Advisory to come later, as usual.

References:
http://www.php.net/ChangeLog-5.php#5.5.28

Updated packages in core/updates_testing:
========================
php-ini-5.5.28-1.mga4
apache-mod_php-5.5.28-1.mga4
php-cli-5.5.28-1.mga4
php-cgi-5.5.28-1.mga4
libphp5_common5-5.5.28-1.mga4
php-devel-5.5.28-1.mga4
php-openssl-5.5.28-1.mga4
php-zlib-5.5.28-1.mga4
php-doc-5.5.28-1.mga4
php-bcmath-5.5.28-1.mga4
php-bz2-5.5.28-1.mga4
php-calendar-5.5.28-1.mga4
php-ctype-5.5.28-1.mga4
php-curl-5.5.28-1.mga4
php-dba-5.5.28-1.mga4
php-dom-5.5.28-1.mga4
php-enchant-5.5.28-1.mga4
php-exif-5.5.28-1.mga4
php-fileinfo-5.5.28-1.mga4
php-filter-5.5.28-1.mga4
php-ftp-5.5.28-1.mga4
php-gd-5.5.28-1.mga4
php-gettext-5.5.28-1.mga4
php-gmp-5.5.28-1.mga4
php-hash-5.5.28-1.mga4
php-iconv-5.5.28-1.mga4
php-imap-5.5.28-1.mga4
php-interbase-5.5.28-1.mga4
php-intl-5.5.28-1.mga4
php-json-5.5.28-1.mga4
php-ldap-5.5.28-1.mga4
php-mbstring-5.5.28-1.mga4
php-mcrypt-5.5.28-1.mga4
php-mssql-5.5.28-1.mga4
php-mysql-5.5.28-1.mga4
php-mysqli-5.5.28-1.mga4
php-mysqlnd-5.5.28-1.mga4
php-odbc-5.5.28-1.mga4
php-opcache-5.5.28-1.mga4
php-pcntl-5.5.28-1.mga4
php-pdo-5.5.28-1.mga4
php-pdo_dblib-5.5.28-1.mga4
php-pdo_firebird-5.5.28-1.mga4
php-pdo_mysql-5.5.28-1.mga4
php-pdo_odbc-5.5.28-1.mga4
php-pdo_pgsql-5.5.28-1.mga4
php-pdo_sqlite-5.5.28-1.mga4
php-pgsql-5.5.28-1.mga4
php-phar-5.5.28-1.mga4
php-posix-5.5.28-1.mga4
php-readline-5.5.28-1.mga4
php-recode-5.5.28-1.mga4
php-session-5.5.28-1.mga4
php-shmop-5.5.28-1.mga4
php-snmp-5.5.28-1.mga4
php-soap-5.5.28-1.mga4
php-sockets-5.5.28-1.mga4
php-sqlite3-5.5.28-1.mga4
php-sybase_ct-5.5.28-1.mga4
php-sysvmsg-5.5.28-1.mga4
php-sysvsem-5.5.28-1.mga4
php-sysvshm-5.5.28-1.mga4
php-tidy-5.5.28-1.mga4
php-tokenizer-5.5.28-1.mga4
php-xml-5.5.28-1.mga4
php-xmlreader-5.5.28-1.mga4
php-xmlrpc-5.5.28-1.mga4
php-xmlwriter-5.5.28-1.mga4
php-xsl-5.5.28-1.mga4
php-wddx-5.5.28-1.mga4
php-zip-5.5.28-1.mga4
php-fpm-5.5.28-1.mga4
php-apc-3.1.15-4.18.mga4
php-apc-admin-3.1.15-4.18.mga4

from SRPMS:
php-5.5.28-1.mga4.src.rpm
php-apc-3.1.15-4.18.mga4.src.rpm

Comment 1 Lewis Smith 2015-08-09 22:24:49 CEST
Testing Mageia 4 x64

Updated all my installed PHP pkgs to those above in Updates Testing. (hint: to find them easily, sort on the version column).
Played extensively with setting up MediaWiki, eventually using the configured result. Briefly tried phppgadmin, phpmyadmin, Wordpress, Moodle. No problems noticed, so OKing this.

CC: (none) => lewyssmith
Whiteboard: (none) => MGA4-64-OK

Comment 2 Samuel Verschelde 2015-08-18 10:52:45 CEST
Tested various webapps, works ok here. It's Mageia 4 64 too but I think it's enough to validate (and IIRC php comes with its own testing suite which is run during build).

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 3 Samuel Verschelde 2015-08-18 10:53:13 CEST
Needs an advisory though.
Comment 4 David Walser 2015-08-19 14:47:27 CEST
Thanks Samuel.

CVEs were just requested for issues fixed in this one:
http://openwall.com/lists/oss-security/2015/08/19/3

Let's see if we hear something on that soon.
Comment 5 David Walser 2015-08-20 02:58:31 CEST
If we don't hear anything on the CVE assignments by meeting time this Thursday, we can use this general advisory.

Advisory:
========================

Updated php packages fix security vulnerabilities:

The php package has been updated to version 5.5.28, which fixes several
security issues and other bugs.  See the upstream ChangeLog for more details.

References:
http://www.php.net/ChangeLog-5.php#5.5.28

Rémi Verschelde 2015-08-21 16:21:00 CEST

Whiteboard: MGA4-64-OK => MGA4-64-OK advisory

Comment 6 Mageia Robot 2015-08-21 20:56:13 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0319.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-08-24 19:24:47 CEST

URL: (none) => http://lwn.net/Vulnerabilities/655408/

Comment 7 David Walser 2015-09-08 21:05:29 CEST
CVE-2015-6831, CVE-2015-6832, CVE-2015-6833 assigned to this update:
http://openwall.com/lists/oss-security/2015/09/08/7
Comment 8 David Walser 2015-09-25 19:52:28 CEST
(In reply to David Walser from comment #7)
> CVE-2015-6831, CVE-2015-6832, CVE-2015-6833 assigned to this update:
> http://openwall.com/lists/oss-security/2015/09/08/7

LWN reference:
http://lwn.net/Vulnerabilities/658453/
