PHP 5.6.18 has been released today (February 4).

The announcement and changelog haven't been posted to their website yet, but you can see the changelog in the NEWS file in git:
http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=6dba6e4fa7eee0eadd78a9ad865913a3c142aac2;hb=62cf13d3aa08b15107b02a0505a4f30142fa37b4

Several of the fixes look security relevant.

Updated package uploaded for Mageia 5.

Advisory:
========================

Updated php packages fix security vulnerabilities:

The php package has been updated to version 5.6.18, which fixes several security issues and other bugs. See the upstream ChangeLog for more details.

References:
http://www.php.net/ChangeLog-5.php#5.6.18

Updated packages in core/updates_testing:
========================
php-ini-5.6.18-1.mga5
apache-mod_php-5.6.18-1.mga5
php-cli-5.6.18-1.mga5
php-cgi-5.6.18-1.mga5
libphp5_common5-5.6.18-1.mga5
php-devel-5.6.18-1.mga5
php-openssl-5.6.18-1.mga5
php-zlib-5.6.18-1.mga5
php-doc-5.6.18-1.mga5
php-bcmath-5.6.18-1.mga5
php-bz2-5.6.18-1.mga5
php-calendar-5.6.18-1.mga5
php-ctype-5.6.18-1.mga5
php-curl-5.6.18-1.mga5
php-dba-5.6.18-1.mga5
php-dom-5.6.18-1.mga5
php-enchant-5.6.18-1.mga5
php-exif-5.6.18-1.mga5
php-fileinfo-5.6.18-1.mga5
php-filter-5.6.18-1.mga5
php-ftp-5.6.18-1.mga5
php-gd-5.6.18-1.mga5
php-gettext-5.6.18-1.mga5
php-gmp-5.6.18-1.mga5
php-hash-5.6.18-1.mga5
php-iconv-5.6.18-1.mga5
php-imap-5.6.18-1.mga5
php-interbase-5.6.18-1.mga5
php-intl-5.6.18-1.mga5
php-json-5.6.18-1.mga5
php-ldap-5.6.18-1.mga5
php-mbstring-5.6.18-1.mga5
php-mcrypt-5.6.18-1.mga5
php-mssql-5.6.18-1.mga5
php-mysql-5.6.18-1.mga5
php-mysqli-5.6.18-1.mga5
php-mysqlnd-5.6.18-1.mga5
php-odbc-5.6.18-1.mga5
php-opcache-5.6.18-1.mga5
php-pcntl-5.6.18-1.mga5
php-pdo-5.6.18-1.mga5
php-pdo_dblib-5.6.18-1.mga5
php-pdo_firebird-5.6.18-1.mga5
php-pdo_mysql-5.6.18-1.mga5
php-pdo_odbc-5.6.18-1.mga5
php-pdo_pgsql-5.6.18-1.mga5
php-pdo_sqlite-5.6.18-1.mga5
php-pgsql-5.6.18-1.mga5
php-phar-5.6.18-1.mga5
php-posix-5.6.18-1.mga5
php-readline-5.6.18-1.mga5
php-recode-5.6.18-1.mga5
php-session-5.6.18-1.mga5
php-shmop-5.6.18-1.mga5
php-snmp-5.6.18-1.mga5
php-soap-5.6.18-1.mga5
php-sockets-5.6.18-1.mga5
php-sqlite3-5.6.18-1.mga5
php-sybase_ct-5.6.18-1.mga5
php-sysvmsg-5.6.18-1.mga5
php-sysvsem-5.6.18-1.mga5
php-sysvshm-5.6.18-1.mga5
php-tidy-5.6.18-1.mga5
php-tokenizer-5.6.18-1.mga5
php-xml-5.6.18-1.mga5
php-xmlreader-5.6.18-1.mga5
php-xmlrpc-5.6.18-1.mga5
php-xmlwriter-5.6.18-1.mga5
php-xsl-5.6.18-1.mga5
php-wddx-5.6.18-1.mga5
php-zip-5.6.18-1.mga5
php-fpm-5.6.18-1.mga5
phpdbg-5.6.18-1.mga5

from SRPMS:
php-5.6.18-mga5.src.rpm
Testing M5 x64 real h/w

Updated via MCC/Update System from Updates Testing the 45 PHP pkgs from the list I had already installed, to 5.6.18-1.mga. Tried Bugzilla, Drupal, MediaWiki, phpMyAdmin, phpPgAdmin. Nothing untoward noticed, so for me this update is OK.
CC: (none) => lewyssmith
Whiteboard: (none) => MGA5-64-OK
Good job Lewis. Validating. Please push to 5 updates, thanks.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => has_procedure advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0058.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/674929/
php#71488, a php-phar issue fixed in this update, apparently was assigned CVE-2016-2554: http://lwn.net/Vulnerabilities/679620/
More phar issues in this update were assigned CVE-2016-4342 and CVE-2016-4343: http://openwall.com/lists/oss-security/2016/04/28/6
(In reply to David Walser from comment #5)
> More phar issues in this update were assigned CVE-2016-4342 and
> CVE-2016-4343:
> http://openwall.com/lists/oss-security/2016/04/28/6

LWN reference: http://lwn.net/Vulnerabilities/688055/
This update also fixed CVE-2016-10712: https://lists.opensuse.org/opensuse-updates/2018-02/msg00102.html