PHP 5.6.20 has been released either yesterday or today (March 30-31). It has not yet been announced.

You can see the ChangeLog in git:
http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=e72c7ca911d1cf33e569ccd9cc0fb5e787ec174f;hb=refs/heads/PHP-5.6

Many of the fixes appear security-related.

The fileinfo one also affects the file package. It is already fixed in the version in Cauldron, but the Mageia 5 version doesn't have the fix, which is here:
https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36

I'll file a separate bug for that.

Advisory:
========================

Updated php packages fix security vulnerabilities:

The php package has been updated to version 5.6.20, which fixes several security issues and other bugs. See the upstream ChangeLog for more details.

References:
http://www.php.net/ChangeLog-5.php#5.6.20
========================

Updated packages in core/updates_testing:
========================
php-ini-5.6.20-1.mga5
apache-mod_php-5.6.20-1.mga5
php-cli-5.6.20-1.mga5
php-cgi-5.6.20-1.mga5
libphp5_common5-5.6.20-1.mga5
php-devel-5.6.20-1.mga5
php-openssl-5.6.20-1.mga5
php-zlib-5.6.20-1.mga5
php-doc-5.6.20-1.mga5
php-bcmath-5.6.20-1.mga5
php-bz2-5.6.20-1.mga5
php-calendar-5.6.20-1.mga5
php-ctype-5.6.20-1.mga5
php-curl-5.6.20-1.mga5
php-dba-5.6.20-1.mga5
php-dom-5.6.20-1.mga5
php-enchant-5.6.20-1.mga5
php-exif-5.6.20-1.mga5
php-fileinfo-5.6.20-1.mga5
php-filter-5.6.20-1.mga5
php-ftp-5.6.20-1.mga5
php-gd-5.6.20-1.mga5
php-gettext-5.6.20-1.mga5
php-gmp-5.6.20-1.mga5
php-hash-5.6.20-1.mga5
php-iconv-5.6.20-1.mga5
php-imap-5.6.20-1.mga5
php-interbase-5.6.20-1.mga5
php-intl-5.6.20-1.mga5
php-json-5.6.20-1.mga5
php-ldap-5.6.20-1.mga5
php-mbstring-5.6.20-1.mga5
php-mcrypt-5.6.20-1.mga5
php-mssql-5.6.20-1.mga5
php-mysql-5.6.20-1.mga5
php-mysqli-5.6.20-1.mga5
php-mysqlnd-5.6.20-1.mga5
php-odbc-5.6.20-1.mga5
php-opcache-5.6.20-1.mga5
php-pcntl-5.6.20-1.mga5
php-pdo-5.6.20-1.mga5
php-pdo_dblib-5.6.20-1.mga5
php-pdo_firebird-5.6.20-1.mga5
php-pdo_mysql-5.6.20-1.mga5
php-pdo_odbc-5.6.20-1.mga5
php-pdo_pgsql-5.6.20-1.mga5
php-pdo_sqlite-5.6.20-1.mga5
php-pgsql-5.6.20-1.mga5
php-phar-5.6.20-1.mga5
php-posix-5.6.20-1.mga5
php-readline-5.6.20-1.mga5
php-recode-5.6.20-1.mga5
php-session-5.6.20-1.mga5
php-shmop-5.6.20-1.mga5
php-snmp-5.6.20-1.mga5
php-soap-5.6.20-1.mga5
php-sockets-5.6.20-1.mga5
php-sqlite3-5.6.20-1.mga5
php-sybase_ct-5.6.20-1.mga5
php-sysvmsg-5.6.20-1.mga5
php-sysvsem-5.6.20-1.mga5
php-sysvshm-5.6.20-1.mga5
php-tidy-5.6.20-1.mga5
php-tokenizer-5.6.20-1.mga5
php-xml-5.6.20-1.mga5
php-xmlreader-5.6.20-1.mga5
php-xmlrpc-5.6.20-1.mga5
php-xmlwriter-5.6.20-1.mga5
php-xsl-5.6.20-1.mga5
php-wddx-5.6.20-1.mga5
php-zip-5.6.20-1.mga5
php-fpm-5.6.20-1.mga5
phpdbg-5.6.20-1.mga5

from php-5.6.20-1.mga5.src.rpm
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
Tested phpmyadmin and a short proof-of-concept CLI PHP program - seems to work fine on Mageia v5 x86-64. Marking as MGA5-64-OK.
CC: (none) => shlomif
Whiteboard: advisory => MGA5-64-OK advisory
Testing on x86_64 with working Dokuwiki on top of Nginx and php-fpm. After upgrade of installed packages dokuwiki is still working, I've logged in, can update pages, and various admin features are working.

Tested on:
Mageia release 5 (Official) for x86_64

Package(s) Under Test:
rpm -qa | egrep '^php.*5\.6\.*'
php-cli-5.6.19-1.mga5
php-ctype-5.6.19-1.mga5
php-dom-5.6.19-1.mga5
php-filter-5.6.19-1.mga5
php-fpm-5.6.19-1.mga5
php-ftp-5.6.19-1.mga5
php-gettext-5.6.19-1.mga5
php-hash-5.6.19-1.mga5
php-ini-5.6.19-1.mga5
php-json-5.6.19-1.mga5
php-openssl-5.6.19-1.mga5
php-posix-5.6.19-1.mga5
php-session-5.6.19-1.mga5
php-sysvsem-5.6.19-1.mga5
php-sysvshm-5.6.19-1.mga5
php-tokenizer-5.6.19-1.mga5
php-xml-5.6.19-1.mga5
php-xmlreader-5.6.19-1.mga5
php-xmlwriter-5.6.19-1.mga5
php-zlib-5.6.19-1.mga5

Package(s) Testing Upgrade:
urpmi {php-cli,php-ctype,php-dom,php-filter,php-fpm,php-ftp,php-gettext,php-hash,php-ini,php-json,php-openssl,php-posix,php-session,php-sysvsem,php-sysvshm,php-tokenizer,php-xml,php-xmlreader,php-xmlwriter,php-zlib}
rpm -qa | egrep '^php.*5\.6\.*'
php-zlib-5.6.20-1.mga5
php-hash-5.6.20-1.mga5
php-fpm-5.6.20-1.mga5
php-xmlwriter-5.6.20-1.mga5
php-gettext-5.6.20-1.mga5
php-xml-5.6.20-1.mga5
php-dom-5.6.20-1.mga5
php-ctype-5.6.20-1.mga5
php-ini-5.6.20-1.mga5
php-ftp-5.6.20-1.mga5
php-posix-5.6.20-1.mga5
php-filter-5.6.20-1.mga5
php-openssl-5.6.20-1.mga5
php-sysvsem-5.6.20-1.mga5
php-cli-5.6.20-1.mga5
php-json-5.6.20-1.mga5
php-session-5.6.20-1.mga5
php-xmlreader-5.6.20-1.mga5
php-sysvshm-5.6.20-1.mga5
php-tokenizer-5.6.20-1.mga5

Kernel Version:
4.1.15-desktop-2.mga5 x86_64

Hardware Information:
product: Standard PC (i440FX + PIIX, 1996)
vendor: QEMU
CC: (none) => dpremy
Tested phpmyadmin and a short proof-of-concept CLI PHP program - seems to work fine on a Mageia v5 32-bit i586 VM. Marking as MGA5-32-OK.
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK MGA5-32-OK advisory
Linux localhost 4.4.6-desktop586-1.mga5 #1 SMP Wed Mar 16 20:11:36 UTC 2016 i686 i686 i686 GNU/Linux

installed php 5.6.20 - installed properly

phpinfo
Apache/2.4.10 (Mageia) OpenSSL/1.0.2g PHP/5.6.20 mod_perl/2.0.8-dev Perl/v5.20.1

seems to be working fine to me, I did not try any detailed file manipulation code.
CC: (none) => brtians1
URL: (none) => http://lwn.net/Vulnerabilities/682390/
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0131.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CVE request: http://openwall.com/lists/oss-security/2016/04/11/7
CVEs have been assigned:
http://openwall.com/lists/oss-security/2016/04/24/1

- CVE-2015-8865
- CVE-2016-4070
- CVE-2016-4071
- CVE-2016-4072
- CVE-2016-4073
- CVE-2016-8866
- CVE-2016-8867