PHP 5.6.14 has been released today (October 1).

The website hasn't posted the announcement or changelog for it yet, but you can see what the changelog is in the NEWS file in git:
http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=6b95607aef2aa0aa1ea9584ec731ba20f93eb234;hb=refs/heads/PHP-5.6

It should show up here soon:
http://php.net/ChangeLog-5.php

It fixes two security issues in php-phar and fixes several other bugs.

I will be updating php-timezonedb with this update as well.

In the process of building this update, advisory and package list will be as follows.

Advisory:
========================

Updated php packages fix security vulnerabilities:

The php package has been updated to version 5.6.14, which fixes two security issues in phar and several other bugs. See the upstream ChangeLog for more details.

References:
http://www.php.net/ChangeLog-5.php#5.6.14

Updated packages in core/updates_testing:
========================
php-ini-5.6.14-1.mga5
apache-mod_php-5.6.14-1.mga5
php-cli-5.6.14-1.mga5
php-cgi-5.6.14-1.mga5
libphp5_common5-5.6.14-1.mga5
php-devel-5.6.14-1.mga5
php-openssl-5.6.14-1.mga5
php-zlib-5.6.14-1.mga5
php-doc-5.6.14-1.mga5
php-bcmath-5.6.14-1.mga5
php-bz2-5.6.14-1.mga5
php-calendar-5.6.14-1.mga5
php-ctype-5.6.14-1.mga5
php-curl-5.6.14-1.mga5
php-dba-5.6.14-1.mga5
php-dom-5.6.14-1.mga5
php-enchant-5.6.14-1.mga5
php-exif-5.6.14-1.mga5
php-fileinfo-5.6.14-1.mga5
php-filter-5.6.14-1.mga5
php-ftp-5.6.14-1.mga5
php-gd-5.6.14-1.mga5
php-gettext-5.6.14-1.mga5
php-gmp-5.6.14-1.mga5
php-hash-5.6.14-1.mga5
php-iconv-5.6.14-1.mga5
php-imap-5.6.14-1.mga5
php-interbase-5.6.14-1.mga5
php-intl-5.6.14-1.mga5
php-json-5.6.14-1.mga5
php-ldap-5.6.14-1.mga5
php-mbstring-5.6.14-1.mga5
php-mcrypt-5.6.14-1.mga5
php-mssql-5.6.14-1.mga5
php-mysql-5.6.14-1.mga5
php-mysqli-5.6.14-1.mga5
php-mysqlnd-5.6.14-1.mga5
php-odbc-5.6.14-1.mga5
php-opcache-5.6.14-1.mga5
php-pcntl-5.6.14-1.mga5
php-pdo-5.6.14-1.mga5
php-pdo_dblib-5.6.14-1.mga5
php-pdo_firebird-5.6.14-1.mga5
php-pdo_mysql-5.6.14-1.mga5
php-pdo_odbc-5.6.14-1.mga5
php-pdo_pgsql-5.6.14-1.mga5
php-pdo_sqlite-5.6.14-1.mga5
php-pgsql-5.6.14-1.mga5
php-phar-5.6.14-1.mga5
php-posix-5.6.14-1.mga5
php-readline-5.6.14-1.mga5
php-recode-5.6.14-1.mga5
php-session-5.6.14-1.mga5
php-shmop-5.6.14-1.mga5
php-snmp-5.6.14-1.mga5
php-soap-5.6.14-1.mga5
php-sockets-5.6.14-1.mga5
php-sqlite3-5.6.14-1.mga5
php-sybase_ct-5.6.14-1.mga5
php-sysvmsg-5.6.14-1.mga5
php-sysvsem-5.6.14-1.mga5
php-sysvshm-5.6.14-1.mga5
php-tidy-5.6.14-1.mga5
php-tokenizer-5.6.14-1.mga5
php-xml-5.6.14-1.mga5
php-xmlreader-5.6.14-1.mga5
php-xmlrpc-5.6.14-1.mga5
php-xmlwriter-5.6.14-1.mga5
php-xsl-5.6.14-1.mga5
php-wddx-5.6.14-1.mga5
php-zip-5.6.14-1.mga5
php-fpm-5.6.14-1.mga5
phpdbg-5.6.14-1.mga5
php-timezonedb-2015.6.1-1.mga5

from SRPMS:
php-5.6.14-mga5.src.rpm
php-timezonedb-2015.6.1-1.mga5.src.rpm
Updated packages uploaded for Mageia 5 and Cauldron. Advisory and package list in Comment 0.
Assignee: bugsquad => qa-bugs
Test php with various webapps, and for php-timezonedb see:
https://bugs.mageia.org/show_bug.cgi?id=11559#c1
Whiteboard: (none) => has_procedure
CVE request: http://openwall.com/lists/oss-security/2015/10/05/8
I'd guess installing the update and running owncloud would test it. I'll try it later tonight if I get some time.
CC: (none) => brtians1
I tested one of the diagnostics (without compile) - worked the same, but nothing bad there.

before

Current PHP version: 5.6.13
PHP Fatal error: Uncaught exception 'UnexpectedValueException' with message 'internal corruption of phar "/home/brian/php_tests/fuzz-test.zip" (truncated entry)' in /home/brian/php_tests/php14.php:3
Stack trace:
#0 /home/brian/php_tests/php14.php(3): PharData->__construct('fuzz-test.zip')
#1 {main}
  thrown in /home/brian/php_tests/php14.php on line 3

after

Current PHP version: 5.6.14
PHP Fatal error: Uncaught exception 'UnexpectedValueException' with message 'internal corruption of phar "/home/brian/php_tests/fuzz-test.zip" (truncated entry)' in /home/brian/php_tests/php14.php:3
Stack trace:
#0 /home/brian/php_tests/php14.php(3): PharData->__construct('fuzz-test.zip')
#1 {main}
  thrown in /home/brian/php_tests/php14.php on line 3
Tested owncloud, it is working fine in 32-bit.

Linux localhost 4.1.8-desktop-1.mga5 #1 SMP Sun Sep 20 12:33:42 UTC 2015 i686 i686 i686 GNU/Linux
Created attachment 7103
php test I ran for first note
Whiteboard: has_procedure => has_procedure MGA5-32-OK
CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0395.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/660425/
CVE-2015-7803 and CVE-2015-7804 have been assigned for this:
http://openwall.com/lists/oss-security/2015/10/10/4