Bug 21316 - PHP 5.6.31
Summary: PHP 5.6.31
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5TOO MGA5-32-OK MGA5-64-O...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-07-22 04:01 CEST by David Walser
Modified: 2017-08-08 00:17 CEST (History)
8 users

See Also:
Source RPM: php-5.6.30-1.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-07-22 04:01:11 CEST
Upstream has released PHP 5.6.31 on July 6:
http://php.net/archive/2017.php#id2017-01-19-3

It fixes several security issues:
http://php.net/ChangeLog-5.php#5.6.31

Fedora has issued an advisory for this on July 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2TMO6AAFFZRWCXEL7MSQ3P7M6Z6NKL4J/

I have built updated packages for Mageia 5, Mageia 6, and Cauldron (listed below).  However, the GD issue also affects libgd, so we need to address that too.

Updated packages in core/updates_testing:
========================
php-ini-5.6.31-1.mga5
apache-mod_php-5.6.31-1.mga5
php-cli-5.6.31-1.mga5
php-cgi-5.6.31-1.mga5
libphp5_common5-5.6.31-1.mga5
php-devel-5.6.31-1.mga5
php-openssl-5.6.31-1.mga5
php-zlib-5.6.31-1.mga5
php-doc-5.6.31-1.mga5
php-bcmath-5.6.31-1.mga5
php-bz2-5.6.31-1.mga5
php-calendar-5.6.31-1.mga5
php-ctype-5.6.31-1.mga5
php-curl-5.6.31-1.mga5
php-dba-5.6.31-1.mga5
php-dom-5.6.31-1.mga5
php-enchant-5.6.31-1.mga5
php-exif-5.6.31-1.mga5
php-fileinfo-5.6.31-1.mga5
php-filter-5.6.31-1.mga5
php-ftp-5.6.31-1.mga5
php-gd-5.6.31-1.mga5
php-gettext-5.6.31-1.mga5
php-gmp-5.6.31-1.mga5
php-hash-5.6.31-1.mga5
php-iconv-5.6.31-1.mga5
php-imap-5.6.31-1.mga5
php-interbase-5.6.31-1.mga5
php-intl-5.6.31-1.mga5
php-json-5.6.31-1.mga5
php-ldap-5.6.31-1.mga5
php-mbstring-5.6.31-1.mga5
php-mcrypt-5.6.31-1.mga5
php-mssql-5.6.31-1.mga5
php-mysql-5.6.31-1.mga5
php-mysqli-5.6.31-1.mga5
php-mysqlnd-5.6.31-1.mga5
php-odbc-5.6.31-1.mga5
php-opcache-5.6.31-1.mga5
php-pcntl-5.6.31-1.mga5
php-pdo-5.6.31-1.mga5
php-pdo_dblib-5.6.31-1.mga5
php-pdo_firebird-5.6.31-1.mga5
php-pdo_mysql-5.6.31-1.mga5
php-pdo_odbc-5.6.31-1.mga5
php-pdo_pgsql-5.6.31-1.mga5
php-pdo_sqlite-5.6.31-1.mga5
php-pgsql-5.6.31-1.mga5
php-phar-5.6.31-1.mga5
php-posix-5.6.31-1.mga5
php-readline-5.6.31-1.mga5
php-recode-5.6.31-1.mga5
php-session-5.6.31-1.mga5
php-shmop-5.6.31-1.mga5
php-snmp-5.6.31-1.mga5
php-soap-5.6.31-1.mga5
php-sockets-5.6.31-1.mga5
php-sqlite3-5.6.31-1.mga5
php-sybase_ct-5.6.31-1.mga5
php-sysvmsg-5.6.31-1.mga5
php-sysvsem-5.6.31-1.mga5
php-sysvshm-5.6.31-1.mga5
php-tidy-5.6.31-1.mga5
php-tokenizer-5.6.31-1.mga5
php-xml-5.6.31-1.mga5
php-xmlreader-5.6.31-1.mga5
php-xmlrpc-5.6.31-1.mga5
php-xmlwriter-5.6.31-1.mga5
php-xsl-5.6.31-1.mga5
php-wddx-5.6.31-1.mga5
php-zip-5.6.31-1.mga5
php-fpm-5.6.31-1.mga5
phpdbg-5.6.31-1.mga5
php-ini-5.6.31-1.mga6
apache-mod_php-5.6.31-1.mga6
php-cli-5.6.31-1.mga6
php-cgi-5.6.31-1.mga6
libphp5_common5-5.6.31-1.mga6
php-devel-5.6.31-1.mga6
php-openssl-5.6.31-1.mga6
php-zlib-5.6.31-1.mga6
php-doc-5.6.31-1.mga6
php-bcmath-5.6.31-1.mga6
php-bz2-5.6.31-1.mga6
php-calendar-5.6.31-1.mga6
php-ctype-5.6.31-1.mga6
php-curl-5.6.31-1.mga6
php-dba-5.6.31-1.mga6
php-dom-5.6.31-1.mga6
php-enchant-5.6.31-1.mga6
php-exif-5.6.31-1.mga6
php-fileinfo-5.6.31-1.mga6
php-filter-5.6.31-1.mga6
php-ftp-5.6.31-1.mga6
php-gd-5.6.31-1.mga6
php-gettext-5.6.31-1.mga6
php-gmp-5.6.31-1.mga6
php-hash-5.6.31-1.mga6
php-iconv-5.6.31-1.mga6
php-imap-5.6.31-1.mga6
php-interbase-5.6.31-1.mga6
php-intl-5.6.31-1.mga6
php-json-5.6.31-1.mga6
php-ldap-5.6.31-1.mga6
php-mbstring-5.6.31-1.mga6
php-mcrypt-5.6.31-1.mga6
php-mssql-5.6.31-1.mga6
php-mysql-5.6.31-1.mga6
php-mysqli-5.6.31-1.mga6
php-mysqlnd-5.6.31-1.mga6
php-odbc-5.6.31-1.mga6
php-opcache-5.6.31-1.mga6
php-pcntl-5.6.31-1.mga6
php-pdo-5.6.31-1.mga6
php-pdo_dblib-5.6.31-1.mga6
php-pdo_firebird-5.6.31-1.mga6
php-pdo_mysql-5.6.31-1.mga6
php-pdo_odbc-5.6.31-1.mga6
php-pdo_pgsql-5.6.31-1.mga6
php-pdo_sqlite-5.6.31-1.mga6
php-pgsql-5.6.31-1.mga6
php-phar-5.6.31-1.mga6
php-posix-5.6.31-1.mga6
php-readline-5.6.31-1.mga6
php-recode-5.6.31-1.mga6
php-session-5.6.31-1.mga6
php-shmop-5.6.31-1.mga6
php-snmp-5.6.31-1.mga6
php-soap-5.6.31-1.mga6
php-sockets-5.6.31-1.mga6
php-sqlite3-5.6.31-1.mga6
php-sybase_ct-5.6.31-1.mga6
php-sysvmsg-5.6.31-1.mga6
php-sysvsem-5.6.31-1.mga6
php-sysvshm-5.6.31-1.mga6
php-tidy-5.6.31-1.mga6
php-tokenizer-5.6.31-1.mga6
php-xml-5.6.31-1.mga6
php-xmlreader-5.6.31-1.mga6
php-xmlrpc-5.6.31-1.mga6
php-xmlwriter-5.6.31-1.mga6
php-xsl-5.6.31-1.mga6
php-wddx-5.6.31-1.mga6
php-zip-5.6.31-1.mga6
php-fpm-5.6.31-1.mga6
phpdbg-5.6.31-1.mga6

from SRPMS:
php-5.6.31-1.mga5.src.rpm
php-5.6.31-1.mga6.src.rpm
David Walser 2017-07-22 04:01:21 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-07-23 14:14:13 CEST
(In reply to David Walser from comment #0)
> Upstream has released PHP 5.6.31 on July 6:
> http://php.net/archive/2017.php#id2017-01-19-3
> 
> It fixes several security issues:
> http://php.net/ChangeLog-5.php#5.6.31
> 
> Fedora has issued an advisory for this on July 18:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/2TMO6AAFFZRWCXEL7MSQ3P7M6Z6NKL4J/
> 
> I have built updated packages for Mageia 5, Mageia 6, and Cauldron (listed
> below).  However, the GD issue also affects libgd, so we need to address
> that too.
> 

For cauldron, too, right?
Oden is the registered libgd maintainer, CC'ing him, but assigning to all packagers collectively, in case he's still unavailable.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, oe

Comment 2 Nicolas Lécureuil 2017-07-27 01:15:01 CEST
Yes, this is OK on Cauldron too.

Assignee: pkg-bugs => qa-bugs
CC: (none) => mageia

Comment 3 David Walser 2017-07-27 01:50:53 CEST
Assigning to myself until libgd update is built.

CC: (none) => nicolas.salguero, qa-bugs
Assignee: qa-bugs => luigiwalser

Comment 4 David Walser 2017-07-29 20:42:15 CEST
libgd update is built.  Advisory to come.

Updated packages in core/updates_testing:
========================
libgd3-2.2.4-1.2.mga5
libgd-devel-2.2.4-1.2.mga5
libgd-static-devel-2.2.4-1.2.mga5
gd-utils-2.2.4-1.2.mga5
libgd3-2.2.4-3.1.mga6
libgd-devel-2.2.4-3.1.mga6
libgd-static-devel-2.2.4-3.1.mga6
gd-utils-2.2.4-3.1.mga6

from SRPMS:
libgd-2.2.4-1.2.mga5.src.rpm
libgd-2.2.4-3.1.mga6.src.rpm

Assignee: luigiwalser => qa-bugs
CC: qa-bugs => (none)

Comment 5 David Walser 2017-07-29 20:46:46 CEST
Packages listed in Comment 0 and Comment 4.

Advisory:
========================

Updated php and libgd packages fix security vulnerabilities:

Buffer over-read into uninitialized memory in libgd (CVE-2017-7890).

Security issues from bundled oniguruma in php-mbstring (CVE-2017-9224,
CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229).

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7890
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9224
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9226
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9227
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9229
http://php.net/ChangeLog-5.php#5.6.31
Comment 6 PC LX 2017-07-30 15:59:33 CEST
Installed and tested with several large scripts (e.g. wordpress), without noticeable regressions.

$ uname -a
Linux marte 4.4.79-desktop-1.mga5 #1 SMP Fri Jul 28 02:50:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep php | sort
apache-mod_php-5.6.31-1.mga5
lib64php5_common5-5.6.31-1.mga5
php-cli-5.6.31-1.mga5
php-ctype-5.6.31-1.mga5
php-curl-5.6.31-1.mga5
php-dom-5.6.31-1.mga5
php-filter-5.6.31-1.mga5
php-ftp-5.6.31-1.mga5
php-gd-5.6.31-1.mga5
php-gettext-5.6.31-1.mga5
php-hash-5.6.31-1.mga5
php-ini-5.6.31-1.mga5
php-json-5.6.31-1.mga5
php-mbstring-5.6.31-1.mga5
php-mysqli-5.6.31-1.mga5
php-mysqlnd-5.6.31-1.mga5
php-openssl-5.6.31-1.mga5
php-pdo-5.6.31-1.mga5
php-pdo_mysql-5.6.31-1.mga5
php-posix-5.6.31-1.mga5
php-session-5.6.31-1.mga5
php-suhosin-0.9.37.1-1.mga5
php-sysvsem-5.6.31-1.mga5
php-sysvshm-5.6.31-1.mga5
php-timezonedb-2016.6-1.mga5
php-tokenizer-5.6.31-1.mga5
php-xdebug-2.2.5-3.mga5
php-xml-5.6.31-1.mga5
php-xmlreader-5.6.31-1.mga5
php-xmlwriter-5.6.31-1.mga5
php-zlib-5.6.31-1.mga5

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
CC: (none) => mageia

Comment 7 Frédéric "LpSolit" Buclin 2017-07-30 18:44:10 CEST
Tested with Drupal 8.3.5 and Booked 2.6.7 without any problem too (Mageia 6 64-bit).
Comment 8 William Kenney 2017-08-01 19:03:49 CEST
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
mariadb phpmyadmin php-ini php-fpm

install mariadb phpmyadmin php-ini php-fpm from core & updates testing

Package php-fpm-5.6.31-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.31-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.10-2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.31-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.31-1.mga5.i586 is already installed

localhost/phpmyadmin opens and creates a database named "test01".
I can close localhost/phpmyadmin, then reopen it and access db test01.

CC: (none) => wilcal.int

William Kenney 2017-08-01 19:04:06 CEST

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK

Comment 9 William Kenney 2017-08-01 19:28:09 CEST
In VirtualBox, M6, KDE, 32-bit

Package(s) under test:
mariadb phpmyadmin php-ini php-fpm

install mariadb phpmyadmin php-ini php-fpm from core

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.1.25-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.7.1-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.30-2.mga6.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.30-2.mga6.i586 is already installed

Cannot set password as in M5. I get the following error:

[root@localhost wilcal]# mysqladmin -u root password
New password: testphp
Confirm new password: testphp 
mysqladmin: 
You cannot use 'password' command as mysqld runs
 with grant tables disabled (was started with --skip-grant-tables).
Use: "mysqladmin flush-privileges password '*'" instead

mysqladmin flush-privileges password 'testphp'
mysqladmin flush-privileges password testphp
mysqladmin flush-privileges password '*'

All get the same error.
What's the proper code to set the password?
Comment 10 Herman Viaene 2017-08-02 15:32:17 CEST
@ William : try # mysql_secure_installation

CC: (none) => herman.viaene

Comment 11 Herman Viaene 2017-08-02 15:42:13 CEST
MGA6-32 on Asus A6000VM MATE
No installation issues
Used phpmyadmin to create a new database, a table within, a new user with all grants and finally remove the database. All OK
Comment 12 William Kenney 2017-08-02 16:31:56 CEST
(In reply to Herman Viaene from comment #10)

> @ William : try # mysql_secure_installation

so the command would be:

mysqladmin mysql_secure_installation password testphp
Comment 13 Herman Viaene 2017-08-02 16:44:13 CEST
No, plain
# mysql_secure_installation
and then answer the questions, first time just enter at root password.
Comment 14 William Kenney 2017-08-02 17:04:24 CEST
(In reply to Herman Viaene from comment #13)

> # mysql_secure_installation
> and then answer the questions, first time just enter at root password.

Enter current password for root (enter for none): 
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2 "No such file or directory")
Comment 15 Herman Viaene 2017-08-02 17:15:59 CEST
I'm not such a big expert on mysql. But Google helps a lot often. Obvious thing to check:  mysql-server is installed (I remember I had to select it manually at some time), and if yes, is it running?
Comment 16 William Kenney 2017-08-02 17:31:21 CEST
Thanks Herman. This time I made sure mysql is running and

# mysql_secure_installation

then allowing everything for testing worked. I'll get back to this later today and document all this here.

Thanks
Comment 17 William Kenney 2017-08-03 03:19:17 CEST
Procedure to set up mysqld.service on M6.

install mariadb phpmyadmin php-ini php-fpm from core

[root@localhost wilcal]# systemctl start mysqld.service
[root@localhost wilcal]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] Y      
New password: testphp
Re-enter new password: testphp 
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] n
 ... skipping.

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] n
 ... skipping.

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] n
 ... skipping.

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
[root@localhost wilcal]# 

http://localhost/phpmyadmin/index.php (will now work)
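The walkthrough above answers "n" to three of the four hardening questions, which the script itself says should be done before production use. As an added example (not from this bug report or from MariaDB), the check below takes the rows a DBA would fetch with `SELECT User, Host FROM mysql.user` and `SHOW DATABASES` and reports which mysql_secure_installation steps are still pending; the sample rows and the hostname `vmhost` are constructed to mirror the state after the comment 17 run.

```python
# Added example, not part of the bug report: audit the three optional
# mysql_secure_installation steps (anonymous users, remote root, test db)
# from data already fetched out of the server.

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_mariadb(users, databases):
    """Return a dict of mysql_secure_installation steps that are still pending.

    users:     iterable of (User, Host) tuples, as from mysql.user
    databases: iterable of database names, as from SHOW DATABASES
    """
    findings = {}

    # "Remove anonymous users?" deletes every row with an empty User.
    anonymous = [host for user, host in users if user == ""]
    if anonymous:
        findings["remove_anonymous_users"] = anonymous

    # "Disallow root login remotely?" deletes root rows whose Host is not
    # one of the three local forms.
    remote_root = [host for user, host in users
                   if user == "root" and host not in LOCAL_HOSTS]
    if remote_root:
        findings["disallow_remote_root"] = remote_root

    # "Remove test database?" drops 'test' and revokes grants on test_%.
    # A tester-created 'test01' is deliberately not matched.
    test_dbs = [db for db in databases
                if db == "test" or db.startswith("test_")]
    if test_dbs:
        findings["remove_test_database"] = test_dbs

    return findings


# Constructed sample: a fresh install whose root password was set but
# where the other questions were answered "n" (hostname 'vmhost' is made up).
SAMPLE_USERS = [
    ("root", "localhost"),
    ("root", "vmhost"),        # host-specific root row created at install
    ("root", "127.0.0.1"),
    ("root", "::1"),
    ("", "localhost"),         # anonymous user
    ("", "vmhost"),
]
SAMPLE_DATABASES = ["information_schema", "mysql", "performance_schema",
                    "test", "test01"]

if __name__ == "__main__":
    for step, evidence in audit_mariadb(SAMPLE_USERS, SAMPLE_DATABASES).items():
        print(f"pending: {step}: {evidence}")
```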
Comment 18 William Kenney 2017-08-03 03:19:47 CEST
In VirtualBox, M6, KDE, 32-bit

Package(s) under test:
mariadb phpmyadmin php-ini php-fpm

install mariadb phpmyadmin php-ini php-fpm from core

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.1.25-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.7.1-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.30-2.mga6.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.30-2.mga6.i586 is already installed

http://localhost/phpmyadmin/index.php opens and creates a database
named "test01". I can close localhost/phpmyadmin, then reopen it, access
and modify db test01.

install php-ini php-fpm from updates testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.1.25-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.7.1-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.31-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.31-1.mga6.i586 is already installed

http://localhost/phpmyadmin/index.php opens and creates a database
named "test02". I can close localhost/phpmyadmin, then reopen it, access
and modify db test02.
Comment 19 William Kenney 2017-08-03 03:20:12 CEST
In VirtualBox, M6, KDE, 64-bit

Package(s) under test:
mariadb phpmyadmin php-ini php-fpm

install mariadb phpmyadmin php-ini php-fpm from core

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.1.25-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.7.1-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.30-2.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.30-2.mga6.x86_64 is already installed

http://localhost/phpmyadmin/index.php opens and creates a database
named "test01". I can close localhost/phpmyadmin, then reopen it, access
and modify db test01.

install php-ini php-fpm from updates testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.1.25-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.7.1-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.31-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.31-1.mga6.x86_64 is already installed

http://localhost/phpmyadmin/index.php opens and creates a database
named "test02". I can close localhost/phpmyadmin, then reopen it, access
and modify db test02.
Comment 20 William Kenney 2017-08-03 03:20:38 CEST
OK Herman, looks good here in both M5 & M6.
New setup procedure for M6 in Comment 17.
Anything else you can think of before I push this one on?
William Kenney 2017-08-03 03:20:57 CEST

Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK

Comment 21 Herman Viaene 2017-08-03 10:02:07 CEST
You could have a look at the snag I have while testing glpi, it is php related. Check if that problem exists in your installation.
Comment 22 William Kenney 2017-08-03 12:11:10 CEST
(In reply to Herman Viaene from comment #21)

> You could have a look at the snag I have while testing glpi, it is php
> related. Check if that problem exists in your installation.

Where is that documented?
Comment 23 Herman Viaene 2017-08-03 13:21:19 CEST
bug 21331 comment 5
Comment 24 William Kenney 2017-08-05 21:01:08 CEST
This update works fine.
21331 can be looked at separately.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Rémi Verschelde 2017-08-07 23:20:31 CEST

Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK => advisory MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK

Comment 25 Mageia Robot 2017-08-08 00:17:13 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0246.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
