PHP 5.6.23 has been tagged in git and the tarball should be available shortly.

Here's the NEWS file:
http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=61ea56c65dc05a58f4e3723668c337b286a4bebc;hb=refs/heads/PHP-5.6.23

It looks like the gd fixes haven't made their way into libgd's git yet, but it sounds like they should shortly and libgd 2.2.2 with the fixes should also be available soon, according to a comment in this PHP bug:
https://bugs.php.net/bug.php?id=72446

So, we should update php and libgd together once they're available.
(In reply to David Walser from comment #0)
> PHP 5.6.23 has been tagged in git and the tarball should be available
> shortly.
>
> Here's the NEWS file:
> http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=61ea56c65dc05a58f4e3723668c337b286a4bebc;hb=refs/heads/PHP-5.6.23
>
> It looks like the gd fixes haven't made their way into libgd's git yet, but
> it sounds like they should shortly and libgd 2.2.2 with the fixes should
> also be available soon, according to a comment in this PHP bug:
> https://bugs.php.net/bug.php?id=72446
>
> So, we should update php and libgd together once they're available.

Assigning to all packagers collectively, since there is no maintainer for php.

@ Oden, I'm CC'ing you for libgd, *not* because I want to annoy you, but *only* because you're registered as its maintainer. Wouldn't you have released the packages you maintain if you don't want to get messages about them?
CC: (none) => makowski.mageia, marja11, oe
Assignee: bugsquad => pkg-bugs
Source RPM: php-5.6.22-1.mga5.src.rpm => php-5.6.22-1.mga5, libgd
CVE request: http://www.openwall.com/lists/oss-security/2016/06/23/2
CVE assignments: http://openwall.com/lists/oss-security/2016/06/23/4
URL: (none) => http://lwn.net/Vulnerabilities/692867/
Depends on: (none) => 18805
libgd update in Bug 18805.

Advisory:
========================

Updated php packages fix security vulnerabilities:

php-mbstring _php_mb_regex_ereg_replace_exec() - double free (CVE-2016-5768).

php-mcrypt heap Overflow due to integer overflows (CVE-2016-5769).

php-SPL int/size_t confusion in SplFileObject::fread (CVE-2016-5770).

php-SPL Use After Free Vulnerability in PHP's GC algorithm and unserialize (CVE-2016-5771).

php-WDDX Double Free Corruption in wddx_deserialize (CVE-2016-5772).

php-zip ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize (CVE-2016-5773).

The php package has been updated to version 5.6.23, fixing these issues and several other bugs. See the upstream ChangeLog for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5768
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5769
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5770
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5771
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5772
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5773
http://php.net/ChangeLog-5.php#5.6.23
========================

Updated packages in core/updates_testing:
========================
php-ini-5.6.23-1.mga5
apache-mod_php-5.6.23-1.mga5
php-cli-5.6.23-1.mga5
php-cgi-5.6.23-1.mga5
libphp5_common5-5.6.23-1.mga5
php-devel-5.6.23-1.mga5
php-openssl-5.6.23-1.mga5
php-zlib-5.6.23-1.mga5
php-doc-5.6.23-1.mga5
php-bcmath-5.6.23-1.mga5
php-bz2-5.6.23-1.mga5
php-calendar-5.6.23-1.mga5
php-ctype-5.6.23-1.mga5
php-curl-5.6.23-1.mga5
php-dba-5.6.23-1.mga5
php-dom-5.6.23-1.mga5
php-enchant-5.6.23-1.mga5
php-exif-5.6.23-1.mga5
php-fileinfo-5.6.23-1.mga5
php-filter-5.6.23-1.mga5
php-ftp-5.6.23-1.mga5
php-gd-5.6.23-1.mga5
php-gettext-5.6.23-1.mga5
php-gmp-5.6.23-1.mga5
php-hash-5.6.23-1.mga5
php-iconv-5.6.23-1.mga5
php-imap-5.6.23-1.mga5
php-interbase-5.6.23-1.mga5
php-intl-5.6.23-1.mga5
php-json-5.6.23-1.mga5
php-ldap-5.6.23-1.mga5
php-mbstring-5.6.23-1.mga5
php-mcrypt-5.6.23-1.mga5
php-mssql-5.6.23-1.mga5
php-mysql-5.6.23-1.mga5
php-mysqli-5.6.23-1.mga5
php-mysqlnd-5.6.23-1.mga5
php-odbc-5.6.23-1.mga5
php-opcache-5.6.23-1.mga5
php-pcntl-5.6.23-1.mga5
php-pdo-5.6.23-1.mga5
php-pdo_dblib-5.6.23-1.mga5
php-pdo_firebird-5.6.23-1.mga5
php-pdo_mysql-5.6.23-1.mga5
php-pdo_odbc-5.6.23-1.mga5
php-pdo_pgsql-5.6.23-1.mga5
php-pdo_sqlite-5.6.23-1.mga5
php-pgsql-5.6.23-1.mga5
php-phar-5.6.23-1.mga5
php-posix-5.6.23-1.mga5
php-readline-5.6.23-1.mga5
php-recode-5.6.23-1.mga5
php-session-5.6.23-1.mga5
php-shmop-5.6.23-1.mga5
php-snmp-5.6.23-1.mga5
php-soap-5.6.23-1.mga5
php-sockets-5.6.23-1.mga5
php-sqlite3-5.6.23-1.mga5
php-sybase_ct-5.6.23-1.mga5
php-sysvmsg-5.6.23-1.mga5
php-sysvsem-5.6.23-1.mga5
php-sysvshm-5.6.23-1.mga5
php-tidy-5.6.23-1.mga5
php-tokenizer-5.6.23-1.mga5
php-xml-5.6.23-1.mga5
php-xmlreader-5.6.23-1.mga5
php-xmlrpc-5.6.23-1.mga5
php-xmlwriter-5.6.23-1.mga5
php-xsl-5.6.23-1.mga5
php-wddx-5.6.23-1.mga5
php-zip-5.6.23-1.mga5
php-fpm-5.6.23-1.mga5
phpdbg-5.6.23-1.mga5

from php-5.6.23-1.mga5.src.rpm
Assignee: pkg-bugs => qa-bugs
Tested with my x86_64 dev platform: kdevelop + xdebug. All is OK.
Status: NEW => ASSIGNED
CC: (none) => lists.jjorge
Whiteboard: (none) => MGA5-64-OK
Working fine with my normal battery of tests on Mageia 5 i586.
Whiteboard: MGA5-64-OK => MGA5-32-OK MGA5-64-OK
Thanks to José & David for rapid tests, validating this update.
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0238.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED