Upstream has released PHP 5.6.30 on January 19:
http://php.net/archive/2017.php#id2017-01-19-3

It fixes several security issues:
http://php.net/ChangeLog-5.php#5.6.30

The GD issues are most likely handled in Bug 20171 (libgd update to 2.2.4).

Update checked into SVN for Mageia 5 and Cauldron. Freeze push requested.
Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated php packages fix security vulnerabilities:

Floating-point exception in php-exif when parsing a tag format (CVE-2016-10158).

Crash in php-phar while loading hostile phar archive (CVE-2016-10159).

Memory corruption in php-phar when loading hostile phar (CVE-2016-10160).

Heap out of bounds read on unserialize in finish_nested_data() (CVE-2016-10161).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10158
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10159
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10161
http://php.net/ChangeLog-5.php#5.6.30
========================

Updated packages in core/updates_testing:
========================
php-ini-5.6.30-1.mga5
apache-mod_php-5.6.30-1.mga5
php-cli-5.6.30-1.mga5
php-cgi-5.6.30-1.mga5
libphp5_common5-5.6.30-1.mga5
php-devel-5.6.30-1.mga5
php-openssl-5.6.30-1.mga5
php-zlib-5.6.30-1.mga5
php-doc-5.6.30-1.mga5
php-bcmath-5.6.30-1.mga5
php-bz2-5.6.30-1.mga5
php-calendar-5.6.30-1.mga5
php-ctype-5.6.30-1.mga5
php-curl-5.6.30-1.mga5
php-dba-5.6.30-1.mga5
php-dom-5.6.30-1.mga5
php-enchant-5.6.30-1.mga5
php-exif-5.6.30-1.mga5
php-fileinfo-5.6.30-1.mga5
php-filter-5.6.30-1.mga5
php-ftp-5.6.30-1.mga5
php-gd-5.6.30-1.mga5
php-gettext-5.6.30-1.mga5
php-gmp-5.6.30-1.mga5
php-hash-5.6.30-1.mga5
php-iconv-5.6.30-1.mga5
php-imap-5.6.30-1.mga5
php-interbase-5.6.30-1.mga5
php-intl-5.6.30-1.mga5
php-json-5.6.30-1.mga5
php-ldap-5.6.30-1.mga5
php-mbstring-5.6.30-1.mga5
php-mcrypt-5.6.30-1.mga5
php-mssql-5.6.30-1.mga5
php-mysql-5.6.30-1.mga5
php-mysqli-5.6.30-1.mga5
php-mysqlnd-5.6.30-1.mga5
php-odbc-5.6.30-1.mga5
php-opcache-5.6.30-1.mga5
php-pcntl-5.6.30-1.mga5
php-pdo-5.6.30-1.mga5
php-pdo_dblib-5.6.30-1.mga5
php-pdo_firebird-5.6.30-1.mga5
php-pdo_mysql-5.6.30-1.mga5
php-pdo_odbc-5.6.30-1.mga5
php-pdo_pgsql-5.6.30-1.mga5
php-pdo_sqlite-5.6.30-1.mga5
php-pgsql-5.6.30-1.mga5
php-phar-5.6.30-1.mga5
php-posix-5.6.30-1.mga5
php-readline-5.6.30-1.mga5
php-recode-5.6.30-1.mga5
php-session-5.6.30-1.mga5
php-shmop-5.6.30-1.mga5
php-snmp-5.6.30-1.mga5
php-soap-5.6.30-1.mga5
php-sockets-5.6.30-1.mga5
php-sqlite3-5.6.30-1.mga5
php-sybase_ct-5.6.30-1.mga5
php-sysvmsg-5.6.30-1.mga5
php-sysvsem-5.6.30-1.mga5
php-sysvshm-5.6.30-1.mga5
php-tidy-5.6.30-1.mga5
php-tokenizer-5.6.30-1.mga5
php-xml-5.6.30-1.mga5
php-xmlreader-5.6.30-1.mga5
php-xmlrpc-5.6.30-1.mga5
php-xmlwriter-5.6.30-1.mga5
php-xsl-5.6.30-1.mga5
php-wddx-5.6.30-1.mga5
php-zip-5.6.30-1.mga5
php-fpm-5.6.30-1.mga5
phpdbg-5.6.30-1.mga5

from php-5.6.30-1.mga5.src.rpm
Assignee: bugsquad => qa-bugs
Testing M5_64

Updated to:
apache-mod_php-5.6.30-1.mga5
lib64php5_common5-5.6.30-1.mga5
php-bcmath-5.6.30-1.mga5
php-bz2-5.6.30-1.mga5
php-cli-5.6.30-1.mga5
php-ctype-5.6.30-1.mga5
php-curl-5.6.30-1.mga5
php-dom-5.6.30-1.mga5
php-fileinfo-5.6.30-1.mga5
php-filter-5.6.30-1.mga5
php-ftp-5.6.30-1.mga5
php-gd-5.6.30-1.mga5
php-gettext-5.6.30-1.mga5
php-hash-5.6.30-1.mga5
php-iconv-5.6.30-1.mga5
php-ini-5.6.30-1.mga5
php-intl-5.6.30-1.mga5
php-json-5.6.30-1.mga5
php-ldap-5.6.30-1.mga5
php-mbstring-5.6.30-1.mga5
php-mcrypt-5.6.30-1.mga5
php-mysql-5.6.30-1.mga5
php-mysqli-5.6.30-1.mga5
php-mysqlnd-5.6.30-1.mga5
php-openssl-5.6.30-1.mga5
php-pdo-5.6.30-1.mga5
php-pdo_mysql-5.6.30-1.mga5
php-pdo_pgsql-5.6.30-1.mga5
php-pdo_sqlite-5.6.30-1.mga5
php-pgsql-5.6.30-1.mga5
php-posix-5.6.30-1.mga5
php-session-5.6.30-1.mga5
php-snmp-5.6.30-1.mga5
php-soap-5.6.30-1.mga5
php-sockets-5.6.30-1.mga5
php-sqlite3-5.6.30-1.mga5
php-sysvsem-5.6.30-1.mga5
php-sysvshm-5.6.30-1.mga5
php-tidy-5.6.30-1.mga5
php-tokenizer-5.6.30-1.mga5
php-xml-5.6.30-1.mga5
php-xmlreader-5.6.30-1.mga5
php-xmlrpc-5.6.30-1.mga5
php-xmlwriter-5.6.30-1.mga5
php-zip-5.6.30-1.mga5
php-zlib-5.6.30-1.mga5

Played with:
- Bugzilla
- Cacti
- Drupal
- MediaWiki
- Moodle

All behaved normally. This update deemed OK.
Whiteboard: (none) => MGA5-64-OK
CC: (none) => lewyssmith
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
$ uname -a
Linux localhost 4.4.39-desktop-1.mga5 #1 SMP Fri Dec 16 18:52:20 UTC 2016 i686 i686 i686 GNU/Linux

The following 151 packages are going to be installed:

- apache-2.4.10-16.4.mga5.i586
- apache-mod_php-5.6.30-1.mga5.i586
- autoconf-2.69-6.mga5.noarch
- automake-1.14.1-3.mga5.noarch
- bison-3.0.4-1.mga5.i586
- byacc-20141128-1.mga5.i586
- chrpath-0.16-3.mga5.i586
- dos2unix-6.0.6-3.mga5.i586
- flex-2.5.39-3.1.mga5.i586
- glibc-devel-2.20-23.mga5.i586
- kernel-userspace-headers-4.4.45-1.mga5.i586
- libapr-util1_0-1.5.4-4.mga5.i586
- libapr1_0-1.5.1-3.mga5.i586
- libaudit-devel-2.4.4-1.mga5.i586
- libc-client0-2007f-6.mga5.i586
- libfbclient2-2.5.3.26778-4.mga5.i586
- libfreetds0-0.91-8.mga5.i586
- libgcrypt-devel-1.5.4-5.3.mga5.i586
- libgpg-error-devel-1.13-3.mga5.i586
- liblzma-devel-5.2.0-1.mga5.i586
- libmbfl1-1.2.0-12.mga5.i586
- libmcrypt-2.5.8-18.mga5.i586
- libmcrypt4-2.5.8-18.mga5.i586
- libonig2-5.9.5-3.mga5.i586
- libopenssl-devel-1.0.2k-1.mga5.i586
- libopenssl-engines1.0.0-1.0.2k-1.mga5.i586
- libopenssl1.0.0-1.0.2k-1.mga5.i586
- libpam-devel-1.1.8-10.1.mga5.i586
- libpcre-devel-8.38-1.mga5.i586
- libpcre16_0-8.38-1.mga5.i586
- libpcre32_0-8.38-1.mga5.i586
- libphp5_common5-5.6.30-1.mga5.i586
- libpq5-9.4.9-1.mga5.i586
- libstdc++5-3.3.6-11.mga5.i586
- libstdc++5-devel-3.3.6-11.mga5.i586
- libt1lib5-5.1.2-18.mga5.i586
- libtidy0.99_0-20090904-9.mga5.i586
- libtool-2.4.2-13.mga5.i586
- libtool-base-2.4.2-13.mga5.i586
- libxml2-devel-2.9.4-1.1.mga5.i586
- libxmlrpc-epi0-0.54.2-5.1.mga5.i586
- libxslt-devel-1.1.29-1.1.mga5.i586
- libzip2-0.11.2-4.mga5.i586
- libzlib-devel-1.2.8-7.1.mga5.i586
- m4-1.4.17-4.mga5.i586
- net-snmp-mibs-5.7.2-23.mga5.i586
- openssl-1.0.2k-1.mga5.i586
- php-bcmath-5.6.30-1.mga5.i586
- php-bz2-5.6.30-1.mga5.i586
- php-calendar-5.6.30-1.mga5.i586
- php-cgi-5.6.30-1.mga5.i586
- php-cli-5.6.30-1.mga5.i586
- php-ctype-5.6.30-1.mga5.i586
- php-curl-5.6.30-1.mga5.i586
- php-dba-5.6.30-1.mga5.i586
- php-devel-5.6.30-1.mga5.i586
- php-doc-5.6.30-1.mga5.noarch
- php-dom-5.6.30-1.mga5.i586
- php-enchant-5.6.30-1.mga5.i586
- php-exif-5.6.30-1.mga5.i586
- php-fileinfo-5.6.30-1.mga5.i586
- php-filter-5.6.30-1.mga5.i586
- php-fpm-5.6.30-1.mga5.i586
- php-ftp-5.6.30-1.mga5.i586
- php-gd-5.6.30-1.mga5.i586
- php-gettext-5.6.30-1.mga5.i586
- php-gmp-5.6.30-1.mga5.i586
- php-hash-5.6.30-1.mga5.i586
- php-iconv-5.6.30-1.mga5.i586
- php-imap-5.6.30-1.mga5.i586
- php-ini-5.6.30-1.mga5.i586
- php-interbase-5.6.30-1.mga5.i586
- php-intl-5.6.30-1.mga5.i586
- php-json-5.6.30-1.mga5.i586
- php-ldap-5.6.30-1.mga5.i586
- php-mbstring-5.6.30-1.mga5.i586
- php-mcrypt-5.6.30-1.mga5.i586
- php-mssql-5.6.30-1.mga5.i586
- php-mysql-5.6.30-1.mga5.i586
- php-mysqli-5.6.30-1.mga5.i586
- php-mysqlnd-5.6.30-1.mga5.i586
- php-odbc-5.6.30-1.mga5.i586
- php-opcache-5.6.30-1.mga5.i586
- php-openssl-5.6.30-1.mga5.i586
- php-pcntl-5.6.30-1.mga5.i586
- php-pdo-5.6.30-1.mga5.i586
- php-pdo_dblib-5.6.30-1.mga5.i586
- php-pdo_firebird-5.6.30-1.mga5.i586
- php-pdo_mysql-5.6.30-1.mga5.i586
- php-pdo_odbc-5.6.30-1.mga5.i586
- php-pdo_pgsql-5.6.30-1.mga5.i586
- php-pdo_sqlite-5.6.30-1.mga5.i586
- php-pear-1.9.5-8.mga5.noarch
- php-pear-Auth-1.6.4-5.mga5.noarch
- php-pear-Auth_RADIUS-1.0.7-7.mga5.noarch
- php-pear-Auth_SASL-1.0.6-5.mga5.noarch
- php-pear-Console_ProgressBar-0.5.2beta-8.mga5.noarch
- php-pear-Crypt_CHAP-1.5.0-5.mga5.noarch
- php-pear-DB-1.8.2-1.mga5.noarch
- php-pear-File_Passwd-1.1.7-8.mga5.noarch
- php-pear-File_SMBPasswd-1.0.3-8.mga5.noarch
- php-pear-HTTP_Client-1.2.1-9.mga5.noarch
- php-pear-HTTP_Request-1.4.4-9.mga5.noarch
- php-pear-Log-1.12.8-3.mga5.noarch
- php-pear-Mail-1.2.0-5.mga5.noarch
- php-pear-Mail_mimeDecode-1.5.5-6.mga5.noarch
- php-pear-MDB2-2.5.0-0.0.b9.mga5.noarch
- php-pear-MDB2_Driver_mysql-1.5.0-0.0.b8.mga5.noarch
- php-pear-MDB2_Driver_mysqli-1.5.0-0.0.b8.mga5.noarch
- php-pear-MDB2_Driver_pgsql-1.5.0-0.0.b8.mga5.noarch
- php-pear-Net_DIME-1.0.2-5.mga5.noarch
- php-pear-Net_POP3-1.3.8-5.mga5.noarch
- php-pear-Net_Server-1.0.3-5.mga5.noarch
- php-pear-Net_SMTP-1.6.2-4.mga5.noarch
- php-pear-Net_Socket-1.0.14-4.mga5.noarch
- php-pear-Net_URL-1.0.15-9.mga5.noarch
- php-pear-Net_Vpopmaild-0.3.2-7.mga5.noarch
- php-pear-PHP_Fork-0.3.2-8.mga5.noarch
- php-pear-SOAP-0.13.0-7.mga5.noarch
- php-pgsql-5.6.30-1.mga5.i586
- php-phar-5.6.30-1.mga5.i586
- php-posix-5.6.30-1.mga5.i586
- php-radius-1.2.7-8.mga5.i586
- php-readline-5.6.30-1.mga5.i586
- php-recode-5.6.30-1.mga5.i586
- php-session-5.6.30-1.mga5.i586
- php-shmop-5.6.30-1.mga5.i586
- php-snmp-5.6.30-1.mga5.i586
- php-soap-5.6.30-1.mga5.i586
- php-sockets-5.6.30-1.mga5.i586
- php-sqlite3-5.6.30-1.mga5.i586
- php-suhosin-0.9.37.1-1.mga5.i586
- php-sybase_ct-5.6.30-1.mga5.i586
- php-sysvmsg-5.6.30-1.mga5.i586
- php-sysvsem-5.6.30-1.mga5.i586
- php-sysvshm-5.6.30-1.mga5.i586
- php-tidy-5.6.30-1.mga5.i586
- php-timezonedb-2016.6-1.mga5.i586
- php-tokenizer-5.6.30-1.mga5.i586
- php-wddx-5.6.30-1.mga5.i586
- php-xml-5.6.30-1.mga5.i586
- php-xmlreader-5.6.30-1.mga5.i586
- php-xmlrpc-5.6.30-1.mga5.i586
- php-xmlwriter-5.6.30-1.mga5.i586
- php-xsl-5.6.30-1.mga5.i586
- php-zip-5.6.30-1.mga5.i586
- php-zlib-5.6.30-1.mga5.i586
- phpdbg-5.6.30-1.mga5.i586
- re2c-0.13.6-3.mga5.i586
- t1lib-config-5.1.2-18.mga5.i586
- webserver-base-2.0-8.mga5.i586

170MB of additional disk space will be used.
36MB of packages will be retrieved.
Is it ok to continue?
Testing

[brian@localhost sf_vmshare]$ php php12.php
<html>
<head>
<title>PHP Test</title>
</head>
<body>
//error class begin 5.6.30<br>Outer try <br> Middle try<br> Middle finally<br> Inner try<br> Inner finally<br> Outer catch <br>Outer finally <br><br>

my usual tests work

I tried heap unserializable test

$ php php_unserial.php
PHP Warning: Bad unserialize data in /media/sf_vmshare/php_unserial.php on line 2
PHP Notice: unserialize(): Error at offset 13 of 15 bytes in /media/sf_vmshare/php_unserial.php on line 2

--------------------

Looks to be working.
CC: (none) => brtians1
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK mga5-32-ok advisory
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0040.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
URL: (none) => https://lwn.net/Vulnerabilities/713785/