Bug 17899 - PHP 5.6.19
Summary: PHP 5.6.19
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/679764/
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-03-07 21:35 CET by David Walser
Modified: 2016-03-14 17:16 CET

See Also:
Source RPM: php-5.6.18-1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2016-03-07 21:35:15 CET
PHP 5.6.19 has been released on March 3:
http://php.net/archive/2016.php#id2016-03-03-3

It fixes several security bugs.  There are no CVEs (yet?).
http://php.net/ChangeLog-5.php#5.6.19

Updated packages uploaded for Mageia 5 and Cauldron.

The timezone and php-timezonedb packages have also been updated.

Advisory:
========================

Updated php packages fix security vulnerabilities:

The php package has been updated to version 5.6.19, which fixes several
security issues and other bugs.  See the upstream ChangeLog for more details.

The timezone information in the timezone and php-timezonedb packages has also
been updated to the latest, version 2016a.

References:
http://www.php.net/ChangeLog-5.php#5.6.19
http://mm.icann.org/pipermail/tz-announce/2015-October/000034.html
http://mm.icann.org/pipermail/tz-announce/2016-January/000035.html
========================

Updated packages in core/updates_testing:
========================
php-ini-5.6.19-1.mga5
apache-mod_php-5.6.19-1.mga5
php-cli-5.6.19-1.mga5
php-cgi-5.6.19-1.mga5
libphp5_common5-5.6.19-1.mga5
php-devel-5.6.19-1.mga5
php-openssl-5.6.19-1.mga5
php-zlib-5.6.19-1.mga5
php-doc-5.6.19-1.mga5
php-bcmath-5.6.19-1.mga5
php-bz2-5.6.19-1.mga5
php-calendar-5.6.19-1.mga5
php-ctype-5.6.19-1.mga5
php-curl-5.6.19-1.mga5
php-dba-5.6.19-1.mga5
php-dom-5.6.19-1.mga5
php-enchant-5.6.19-1.mga5
php-exif-5.6.19-1.mga5
php-fileinfo-5.6.19-1.mga5
php-filter-5.6.19-1.mga5
php-ftp-5.6.19-1.mga5
php-gd-5.6.19-1.mga5
php-gettext-5.6.19-1.mga5
php-gmp-5.6.19-1.mga5
php-hash-5.6.19-1.mga5
php-iconv-5.6.19-1.mga5
php-imap-5.6.19-1.mga5
php-interbase-5.6.19-1.mga5
php-intl-5.6.19-1.mga5
php-json-5.6.19-1.mga5
php-ldap-5.6.19-1.mga5
php-mbstring-5.6.19-1.mga5
php-mcrypt-5.6.19-1.mga5
php-mssql-5.6.19-1.mga5
php-mysql-5.6.19-1.mga5
php-mysqli-5.6.19-1.mga5
php-mysqlnd-5.6.19-1.mga5
php-odbc-5.6.19-1.mga5
php-opcache-5.6.19-1.mga5
php-pcntl-5.6.19-1.mga5
php-pdo-5.6.19-1.mga5
php-pdo_dblib-5.6.19-1.mga5
php-pdo_firebird-5.6.19-1.mga5
php-pdo_mysql-5.6.19-1.mga5
php-pdo_odbc-5.6.19-1.mga5
php-pdo_pgsql-5.6.19-1.mga5
php-pdo_sqlite-5.6.19-1.mga5
php-pgsql-5.6.19-1.mga5
php-phar-5.6.19-1.mga5
php-posix-5.6.19-1.mga5
php-readline-5.6.19-1.mga5
php-recode-5.6.19-1.mga5
php-session-5.6.19-1.mga5
php-shmop-5.6.19-1.mga5
php-snmp-5.6.19-1.mga5
php-soap-5.6.19-1.mga5
php-sockets-5.6.19-1.mga5
php-sqlite3-5.6.19-1.mga5
php-sybase_ct-5.6.19-1.mga5
php-sysvmsg-5.6.19-1.mga5
php-sysvsem-5.6.19-1.mga5
php-sysvshm-5.6.19-1.mga5
php-tidy-5.6.19-1.mga5
php-tokenizer-5.6.19-1.mga5
php-xml-5.6.19-1.mga5
php-xmlreader-5.6.19-1.mga5
php-xmlrpc-5.6.19-1.mga5
php-xmlwriter-5.6.19-1.mga5
php-xsl-5.6.19-1.mga5
php-wddx-5.6.19-1.mga5
php-zip-5.6.19-1.mga5
php-fpm-5.6.19-1.mga5
phpdbg-5.6.19-1.mga5
timezone-2016a-1.mga5
timezone-java-2016a-1.mga5
php-timezonedb-2016.1-1.mga5

from SRPMS:
php-5.6.19-mga5.src.rpm
timezone-2016a-1.mga5.src.rpm
php-timezonedb-2016.1-1.mga5.src.rpm

Dave Hodgins 2016-03-07 21:52:31 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 1 David Walser 2016-03-09 15:53:22 CET
Fedora has issued an advisory for this on March 5:
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178442.html

URL: (none) => http://lwn.net/Vulnerabilities/674929/

Comment 2 William Kenney 2016-03-09 20:02:32 CET
In VirtualBox, M5, KDE, 32-bit

Install and setup mariadb
In root terminal: systemctl start mysqld.service
Set password to: testphp
[root@localhost wilcal]# mysqladmin -u root password
type password "testphp" twice

Package(s) under test:
php-ini php-fpm mariadb phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.10-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.10-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.5-1.2.mga5.noarch is already installed

localhost/phpmyadmin opens and creates a database named "test01"
I can close localhost/phpmyadmin then reopen and access db test01

install php-ini & php-fpm from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.19-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.19-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.5-1.2.mga5.noarch is already installed

localhost/phpmyadmin opens and I can access db "test01"
localhost/phpmyadmin opens and creates a database named "test02"
I can close localhost/phpmyadmin then reopen and access db's test01 & test02

CC: (none) => wilcal.int

Comment 3 William Kenney 2016-03-09 20:21:28 CET
In VirtualBox, M5, KDE, 64-bit

Install and setup mariadb
In root terminal: systemctl start mysqld.service
Set password to: testphp
[root@localhost wilcal]# mysqladmin -u root password
type password "testphp" twice

Package(s) under test:
php-ini php-fpm mariadb phpmyadmin

default install of php-ini php-fpm drupal glpi owncloud phpmyadmin

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.18-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.18-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.5-1.2.mga5.noarch is already installed

localhost/phpmyadmin opens and creates a database named "test01"
I can close localhost/phpmyadmin then reopen and access db test01

install php-ini & php-fpm from updates_testing

[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.19-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.19-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.5-1.2.mga5.noarch is already installed

localhost/phpmyadmin opens and I can access db "test01"
localhost/phpmyadmin opens and creates a database named "test02"
I can close localhost/phpmyadmin then reopen and access db's test01 & test02

Comment 4 William Kenney 2016-03-09 20:21:51 CET
Looks ok to me

Comment 5 David Walser 2016-03-10 16:00:33 CET
CVEs have been requested:
http://openwall.com/lists/oss-security/2016/03/10/5

William Kenney 2016-03-10 21:43:54 CET

Whiteboard: advisory => advisory MGA5-32-OK MGA5-64-OK

Dave Hodgins 2016-03-11 00:30:00 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2016-03-11 00:50:13 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0110.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-03-11 16:42:43 CET

URL: http://lwn.net/Vulnerabilities/674929/ => http://lwn.net/Vulnerabilities/679764/

Comment 7 David Walser 2016-03-14 17:16:33 CET
php#71587 - CVE-2016-3141
php#71498 - CVE-2016-3142

http://openwall.com/lists/oss-security/2016/03/14/7
http://openwall.com/lists/oss-security/2016/03/14/8
