PHP 5.6.24 has been released today (July 21). It has not yet been announced.

You can see the ChangeLog in git:
http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=fb08c0213e29ec9d76511df2bd796396912fe87d;hb=refs/heads/PHP-5.6

Some of the fixes are security related. We'll update to libgd 2.2.3 when it's available, which should include the GD fixes.

Freeze push requested for Cauldron, checked into SVN for Mageia 5 as well.
Updated packages uploaded for Mageia 5 and Cauldron.

Holding this until the libgd 2.2.3 update is available.

Updated packages in core/updates_testing:
========================
php-ini-5.6.24-1.mga5
apache-mod_php-5.6.24-1.mga5
php-cli-5.6.24-1.mga5
php-cgi-5.6.24-1.mga5
libphp5_common5-5.6.24-1.mga5
php-devel-5.6.24-1.mga5
php-openssl-5.6.24-1.mga5
php-zlib-5.6.24-1.mga5
php-doc-5.6.24-1.mga5
php-bcmath-5.6.24-1.mga5
php-bz2-5.6.24-1.mga5
php-calendar-5.6.24-1.mga5
php-ctype-5.6.24-1.mga5
php-curl-5.6.24-1.mga5
php-dba-5.6.24-1.mga5
php-dom-5.6.24-1.mga5
php-enchant-5.6.24-1.mga5
php-exif-5.6.24-1.mga5
php-fileinfo-5.6.24-1.mga5
php-filter-5.6.24-1.mga5
php-ftp-5.6.24-1.mga5
php-gd-5.6.24-1.mga5
php-gettext-5.6.24-1.mga5
php-gmp-5.6.24-1.mga5
php-hash-5.6.24-1.mga5
php-iconv-5.6.24-1.mga5
php-imap-5.6.24-1.mga5
php-interbase-5.6.24-1.mga5
php-intl-5.6.24-1.mga5
php-json-5.6.24-1.mga5
php-ldap-5.6.24-1.mga5
php-mbstring-5.6.24-1.mga5
php-mcrypt-5.6.24-1.mga5
php-mssql-5.6.24-1.mga5
php-mysql-5.6.24-1.mga5
php-mysqli-5.6.24-1.mga5
php-mysqlnd-5.6.24-1.mga5
php-odbc-5.6.24-1.mga5
php-opcache-5.6.24-1.mga5
php-pcntl-5.6.24-1.mga5
php-pdo-5.6.24-1.mga5
php-pdo_dblib-5.6.24-1.mga5
php-pdo_firebird-5.6.24-1.mga5
php-pdo_mysql-5.6.24-1.mga5
php-pdo_odbc-5.6.24-1.mga5
php-pdo_pgsql-5.6.24-1.mga5
php-pdo_sqlite-5.6.24-1.mga5
php-pgsql-5.6.24-1.mga5
php-phar-5.6.24-1.mga5
php-posix-5.6.24-1.mga5
php-readline-5.6.24-1.mga5
php-recode-5.6.24-1.mga5
php-session-5.6.24-1.mga5
php-shmop-5.6.24-1.mga5
php-snmp-5.6.24-1.mga5
php-soap-5.6.24-1.mga5
php-sockets-5.6.24-1.mga5
php-sqlite3-5.6.24-1.mga5
php-sybase_ct-5.6.24-1.mga5
php-sysvmsg-5.6.24-1.mga5
php-sysvsem-5.6.24-1.mga5
php-sysvshm-5.6.24-1.mga5
php-tidy-5.6.24-1.mga5
php-tokenizer-5.6.24-1.mga5
php-xml-5.6.24-1.mga5
php-xmlreader-5.6.24-1.mga5
php-xmlrpc-5.6.24-1.mga5
php-xmlwriter-5.6.24-1.mga5
php-xsl-5.6.24-1.mga5
php-wddx-5.6.24-1.mga5
php-zip-5.6.24-1.mga5
php-fpm-5.6.24-1.mga5
phpdbg-5.6.24-1.mga5

from php-5.6.24-1.mga5.src.rpm
Version: Cauldron => 5
Depends on: (none) => 18938
libgd update is available, pushing to QA. Package list in Comment 1.

Advisory:
========================

Updated php packages fix security vulnerabilities:

The php package has been updated to version 5.6.24, which fixes several security issues and other bugs. See the upstream ChangeLog for more details.

References:
http://www.php.net/ChangeLog-5.php#5.6.24
Depends on: (none) => 18991
Assignee: bugsquad => qa-bugs
Tested fine with my usual apache/php/libgd test case, Mageia 5 i586.
Whiteboard: (none) => MGA5-32-OK
CVE request: http://openwall.com/lists/oss-security/2016/07/24/1
CVE assignments:
http://openwall.com/lists/oss-security/2016/07/24/2

Those revealed that one of the fixes is actually in the xmlrpc-epi library. We build against the system one, so I had to patch that too.

I've also updated the timezone packages due to a request from a user.

Testing procedure for timezone:
https://bugs.mageia.org/show_bug.cgi?id=11559#c1

Advisory:
========================

Updated php and xmlrpc-epi packages fix security vulnerabilities:

Stack-based buffer overflow vulnerability in virtual_file_ex() (CVE-2016-6289).

Use After Free in unserialize() with Unexpected Session Deserialization (CVE-2016-6290).

Out of bound read in exif_process_IFD_in_MAKERNOTE() (CVE-2016-6291).

NULL Pointer Dereference in exif_process_user_comment() (CVE-2016-6292).

locale_accept_from_http() out-of-bounds access (CVE-2016-6294).

Use After Free Vulnerability in SNMP with GC and unserialize() (CVE-2016-6295).

heap-buffer-overflow (write) simplestring_addn() simplestring.c in php-xmlrpc (CVE-2016-6296).

Stack-based buffer overflow vulnerability in php_stream_zip_opener() (CVE-2016-6297).

The php package has been updated to version 5.6.24, fixing these issues and several other bugs. See the upstream ChangeLog for details.

The CVE-2016-6296 issue was in the xmlrpc-epi library, which has been patched.

Additionally, the timezone and php-timezonedb packages have been updated with the latest timezone data.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6289
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6290
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6291
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6292
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6297
http://www.php.net/ChangeLog-5.php#5.6.24
http://mm.icann.org/pipermail/tz-announce/2016-March/000036.html
http://mm.icann.org/pipermail/tz-announce/2016-March/000037.html
http://mm.icann.org/pipermail/tz-announce/2016-April/000038.html
http://mm.icann.org/pipermail/tz-announce/2016-June/000039.html
http://mm.icann.org/pipermail/tz-announce/2016-July/000040.html
========================

Updated packages in core/updates_testing:
========================
php-ini-5.6.24-1.mga5
apache-mod_php-5.6.24-1.mga5
php-cli-5.6.24-1.mga5
php-cgi-5.6.24-1.mga5
libphp5_common5-5.6.24-1.mga5
php-devel-5.6.24-1.mga5
php-openssl-5.6.24-1.mga5
php-zlib-5.6.24-1.mga5
php-doc-5.6.24-1.mga5
php-bcmath-5.6.24-1.mga5
php-bz2-5.6.24-1.mga5
php-calendar-5.6.24-1.mga5
php-ctype-5.6.24-1.mga5
php-curl-5.6.24-1.mga5
php-dba-5.6.24-1.mga5
php-dom-5.6.24-1.mga5
php-enchant-5.6.24-1.mga5
php-exif-5.6.24-1.mga5
php-fileinfo-5.6.24-1.mga5
php-filter-5.6.24-1.mga5
php-ftp-5.6.24-1.mga5
php-gd-5.6.24-1.mga5
php-gettext-5.6.24-1.mga5
php-gmp-5.6.24-1.mga5
php-hash-5.6.24-1.mga5
php-iconv-5.6.24-1.mga5
php-imap-5.6.24-1.mga5
php-interbase-5.6.24-1.mga5
php-intl-5.6.24-1.mga5
php-json-5.6.24-1.mga5
php-ldap-5.6.24-1.mga5
php-mbstring-5.6.24-1.mga5
php-mcrypt-5.6.24-1.mga5
php-mssql-5.6.24-1.mga5
php-mysql-5.6.24-1.mga5
php-mysqli-5.6.24-1.mga5
php-mysqlnd-5.6.24-1.mga5
php-odbc-5.6.24-1.mga5
php-opcache-5.6.24-1.mga5
php-pcntl-5.6.24-1.mga5
php-pdo-5.6.24-1.mga5
php-pdo_dblib-5.6.24-1.mga5
php-pdo_firebird-5.6.24-1.mga5
php-pdo_mysql-5.6.24-1.mga5
php-pdo_odbc-5.6.24-1.mga5
php-pdo_pgsql-5.6.24-1.mga5
php-pdo_sqlite-5.6.24-1.mga5
php-pgsql-5.6.24-1.mga5
php-phar-5.6.24-1.mga5
php-posix-5.6.24-1.mga5
php-readline-5.6.24-1.mga5
php-recode-5.6.24-1.mga5
php-session-5.6.24-1.mga5
php-shmop-5.6.24-1.mga5
php-snmp-5.6.24-1.mga5
php-soap-5.6.24-1.mga5
php-sockets-5.6.24-1.mga5
php-sqlite3-5.6.24-1.mga5
php-sybase_ct-5.6.24-1.mga5
php-sysvmsg-5.6.24-1.mga5
php-sysvsem-5.6.24-1.mga5
php-sysvshm-5.6.24-1.mga5
php-tidy-5.6.24-1.mga5
php-tokenizer-5.6.24-1.mga5
php-xml-5.6.24-1.mga5
php-xmlreader-5.6.24-1.mga5
php-xmlrpc-5.6.24-1.mga5
php-xmlwriter-5.6.24-1.mga5
php-xsl-5.6.24-1.mga5
php-wddx-5.6.24-1.mga5
php-zip-5.6.24-1.mga5
php-fpm-5.6.24-1.mga5
phpdbg-5.6.24-1.mga5
libxmlrpc-epi0-0.54.2-5.1.mga5
libxmlrpc-epi-devel-0.54.2-5.1.mga5
timezone-2016f-1.mga5
timezone-java-2016f-1.mga5
php-timezonedb-2016.6-1.mga5

from SRPMS:
php-5.6.24-1.mga5.src.rpm
xmlrpc-epi-0.54.2-5.1.mga5.src.rpm
timezone-2016f-1.mga5.src.rpm
php-timezonedb-2016.6-1.mga5.src.rpm
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0267.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/695556/