Bug 17496 - PHP 5.6.17
Summary: PHP 5.6.17
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/672323/
Whiteboard: MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-01-14 19:19 CET by David Walser
Modified: 2016-01-19 19:12 CET

See Also:
Source RPM: php-5.6.16-1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2016-01-14 19:19:12 CET
PHP 5.6.17 has been released on January 7:
http://us3.php.net/archive/2016.php#id2016-01-07-3

It looks like most of the bugs fixed are indeed security issues:
http://www.php.net/ChangeLog-5.php#5.6.17

but a CVE has only been requested (that I'm aware of) for php#70976:
http://openwall.com/lists/oss-security/2016/01/14/8

(item #1 in the above request).

Updated package uploaded for Mageia 5.

Advisory:
========================

Updated php packages fix security vulnerabilities:

The php package has been updated to version 5.6.17, which fixes several
security issues and other bugs.  See the upstream ChangeLog for more details.

References:
http://www.php.net/ChangeLog-5.php#5.6.17

Updated packages in core/updates_testing:
========================
php-ini-5.6.17-1.mga5
apache-mod_php-5.6.17-1.mga5
php-cli-5.6.17-1.mga5
php-cgi-5.6.17-1.mga5
libphp5_common5-5.6.17-1.mga5
php-devel-5.6.17-1.mga5
php-openssl-5.6.17-1.mga5
php-zlib-5.6.17-1.mga5
php-doc-5.6.17-1.mga5
php-bcmath-5.6.17-1.mga5
php-bz2-5.6.17-1.mga5
php-calendar-5.6.17-1.mga5
php-ctype-5.6.17-1.mga5
php-curl-5.6.17-1.mga5
php-dba-5.6.17-1.mga5
php-dom-5.6.17-1.mga5
php-enchant-5.6.17-1.mga5
php-exif-5.6.17-1.mga5
php-fileinfo-5.6.17-1.mga5
php-filter-5.6.17-1.mga5
php-ftp-5.6.17-1.mga5
php-gd-5.6.17-1.mga5
php-gettext-5.6.17-1.mga5
php-gmp-5.6.17-1.mga5
php-hash-5.6.17-1.mga5
php-iconv-5.6.17-1.mga5
php-imap-5.6.17-1.mga5
php-interbase-5.6.17-1.mga5
php-intl-5.6.17-1.mga5
php-json-5.6.17-1.mga5
php-ldap-5.6.17-1.mga5
php-mbstring-5.6.17-1.mga5
php-mcrypt-5.6.17-1.mga5
php-mssql-5.6.17-1.mga5
php-mysql-5.6.17-1.mga5
php-mysqli-5.6.17-1.mga5
php-mysqlnd-5.6.17-1.mga5
php-odbc-5.6.17-1.mga5
php-opcache-5.6.17-1.mga5
php-pcntl-5.6.17-1.mga5
php-pdo-5.6.17-1.mga5
php-pdo_dblib-5.6.17-1.mga5
php-pdo_firebird-5.6.17-1.mga5
php-pdo_mysql-5.6.17-1.mga5
php-pdo_odbc-5.6.17-1.mga5
php-pdo_pgsql-5.6.17-1.mga5
php-pdo_sqlite-5.6.17-1.mga5
php-pgsql-5.6.17-1.mga5
php-phar-5.6.17-1.mga5
php-posix-5.6.17-1.mga5
php-readline-5.6.17-1.mga5
php-recode-5.6.17-1.mga5
php-session-5.6.17-1.mga5
php-shmop-5.6.17-1.mga5
php-snmp-5.6.17-1.mga5
php-soap-5.6.17-1.mga5
php-sockets-5.6.17-1.mga5
php-sqlite3-5.6.17-1.mga5
php-sybase_ct-5.6.17-1.mga5
php-sysvmsg-5.6.17-1.mga5
php-sysvsem-5.6.17-1.mga5
php-sysvshm-5.6.17-1.mga5
php-tidy-5.6.17-1.mga5
php-tokenizer-5.6.17-1.mga5
php-xml-5.6.17-1.mga5
php-xmlreader-5.6.17-1.mga5
php-xmlrpc-5.6.17-1.mga5
php-xmlwriter-5.6.17-1.mga5
php-xsl-5.6.17-1.mga5
php-wddx-5.6.17-1.mga5
php-zip-5.6.17-1.mga5
php-fpm-5.6.17-1.mga5
phpdbg-5.6.17-1.mga5

from SRPMS:
php-5.6.17-mga5.src.rpm

Comment 1 David Walser 2016-01-14 20:56:02 CET
CVE-2016-1903 has been assigned for php#70976.

Update to the advisory references.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1903
http://www.php.net/ChangeLog-5.php#5.6.17
http://openwall.com/lists/oss-security/2016/01/14/10

Comment 2 David Walser 2016-01-15 19:54:35 CET
(In reply to David Walser from comment #1)
> CVE-2016-1903 has been assigned for php#70976.
> 
> Update to the advisory references.
> 
> References:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1903
> http://www.php.net/ChangeLog-5.php#5.6.17
> http://openwall.com/lists/oss-security/2016/01/14/10

Scratch that, CVE-2016-1903 actually applies to libgd (which PHP bundles, but we build against the system one) and they messed up the fix anyway.

Here they reverted the incorrect fix and implemented the correct one:
https://github.com/php/php-src/commit/aa8d3a8cc612ba87c0497275f58a2317a90fb1c4

Running the test case (either original or corrected) doesn't produce a crash for me.  I don't know if valgrind or AddressSanitizer or something would still see it as an out of bounds read.

So I'm not sure whether or not libgd needs to be patched.  Anyway, you can proceed with this update with the original advisory in Comment 0.

Comment 3 David Walser 2016-01-16 18:12:41 CET
My normal test cases work fine on Mageia 5 i586.

Whiteboard: (none) => MGA5-32-OK

Dave Hodgins 2016-01-17 00:52:44 CET

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2016-01-17 01:27:12 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0024.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-01-19 19:12:31 CET

URL: (none) => http://lwn.net/Vulnerabilities/672323/

