Upstream has released PHP 5.6.31 on July 6:
http://php.net/archive/2017.php#id2017-01-19-3

It fixes several security issues:
http://php.net/ChangeLog-5.php#5.6.31

Fedora has issued an advisory for this on July 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2TMO6AAFFZRWCXEL7MSQ3P7M6Z6NKL4J/

I have built updated packages for Mageia 5, Mageia 6, and Cauldron (listed below). However, the GD issue also affects libgd, so we need to address that too.

Updated packages in core/updates_testing:
========================
php-ini-5.6.31-1.mga5 apache-mod_php-5.6.31-1.mga5 php-cli-5.6.31-1.mga5 php-cgi-5.6.31-1.mga5 libphp5_common5-5.6.31-1.mga5 php-devel-5.6.31-1.mga5 php-openssl-5.6.31-1.mga5 php-zlib-5.6.31-1.mga5 php-doc-5.6.31-1.mga5 php-bcmath-5.6.31-1.mga5 php-bz2-5.6.31-1.mga5 php-calendar-5.6.31-1.mga5 php-ctype-5.6.31-1.mga5 php-curl-5.6.31-1.mga5 php-dba-5.6.31-1.mga5 php-dom-5.6.31-1.mga5 php-enchant-5.6.31-1.mga5 php-exif-5.6.31-1.mga5 php-fileinfo-5.6.31-1.mga5 php-filter-5.6.31-1.mga5 php-ftp-5.6.31-1.mga5 php-gd-5.6.31-1.mga5 php-gettext-5.6.31-1.mga5 php-gmp-5.6.31-1.mga5 php-hash-5.6.31-1.mga5 php-iconv-5.6.31-1.mga5 php-imap-5.6.31-1.mga5 php-interbase-5.6.31-1.mga5 php-intl-5.6.31-1.mga5 php-json-5.6.31-1.mga5 php-ldap-5.6.31-1.mga5 php-mbstring-5.6.31-1.mga5 php-mcrypt-5.6.31-1.mga5 php-mssql-5.6.31-1.mga5 php-mysql-5.6.31-1.mga5 php-mysqli-5.6.31-1.mga5 php-mysqlnd-5.6.31-1.mga5 php-odbc-5.6.31-1.mga5 php-opcache-5.6.31-1.mga5 php-pcntl-5.6.31-1.mga5 php-pdo-5.6.31-1.mga5 php-pdo_dblib-5.6.31-1.mga5 php-pdo_firebird-5.6.31-1.mga5 php-pdo_mysql-5.6.31-1.mga5 php-pdo_odbc-5.6.31-1.mga5 php-pdo_pgsql-5.6.31-1.mga5 php-pdo_sqlite-5.6.31-1.mga5 php-pgsql-5.6.31-1.mga5 php-phar-5.6.31-1.mga5 php-posix-5.6.31-1.mga5 php-readline-5.6.31-1.mga5 php-recode-5.6.31-1.mga5 php-session-5.6.31-1.mga5 php-shmop-5.6.31-1.mga5 php-snmp-5.6.31-1.mga5 php-soap-5.6.31-1.mga5 php-sockets-5.6.31-1.mga5 php-sqlite3-5.6.31-1.mga5
php-sybase_ct-5.6.31-1.mga5 php-sysvmsg-5.6.31-1.mga5 php-sysvsem-5.6.31-1.mga5 php-sysvshm-5.6.31-1.mga5 php-tidy-5.6.31-1.mga5 php-tokenizer-5.6.31-1.mga5 php-xml-5.6.31-1.mga5 php-xmlreader-5.6.31-1.mga5 php-xmlrpc-5.6.31-1.mga5 php-xmlwriter-5.6.31-1.mga5 php-xsl-5.6.31-1.mga5 php-wddx-5.6.31-1.mga5 php-zip-5.6.31-1.mga5 php-fpm-5.6.31-1.mga5 phpdbg-5.6.31-1.mga5 php-ini-5.6.31-1.mga6 apache-mod_php-5.6.31-1.mga6 php-cli-5.6.31-1.mga6 php-cgi-5.6.31-1.mga6 libphp5_common5-5.6.31-1.mga6 php-devel-5.6.31-1.mga6 php-openssl-5.6.31-1.mga6 php-zlib-5.6.31-1.mga6 php-doc-5.6.31-1.mga6 php-bcmath-5.6.31-1.mga6 php-bz2-5.6.31-1.mga6 php-calendar-5.6.31-1.mga6 php-ctype-5.6.31-1.mga6 php-curl-5.6.31-1.mga6 php-dba-5.6.31-1.mga6 php-dom-5.6.31-1.mga6 php-enchant-5.6.31-1.mga6 php-exif-5.6.31-1.mga6 php-fileinfo-5.6.31-1.mga6 php-filter-5.6.31-1.mga6 php-ftp-5.6.31-1.mga6 php-gd-5.6.31-1.mga6 php-gettext-5.6.31-1.mga6 php-gmp-5.6.31-1.mga6 php-hash-5.6.31-1.mga6 php-iconv-5.6.31-1.mga6 php-imap-5.6.31-1.mga6 php-interbase-5.6.31-1.mga6 php-intl-5.6.31-1.mga6 php-json-5.6.31-1.mga6 php-ldap-5.6.31-1.mga6 php-mbstring-5.6.31-1.mga6 php-mcrypt-5.6.31-1.mga6 php-mssql-5.6.31-1.mga6 php-mysql-5.6.31-1.mga6 php-mysqli-5.6.31-1.mga6 php-mysqlnd-5.6.31-1.mga6 php-odbc-5.6.31-1.mga6 php-opcache-5.6.31-1.mga6 php-pcntl-5.6.31-1.mga6 php-pdo-5.6.31-1.mga6 php-pdo_dblib-5.6.31-1.mga6 php-pdo_firebird-5.6.31-1.mga6 php-pdo_mysql-5.6.31-1.mga6 php-pdo_odbc-5.6.31-1.mga6 php-pdo_pgsql-5.6.31-1.mga6 php-pdo_sqlite-5.6.31-1.mga6 php-pgsql-5.6.31-1.mga6 php-phar-5.6.31-1.mga6 php-posix-5.6.31-1.mga6 php-readline-5.6.31-1.mga6 php-recode-5.6.31-1.mga6 php-session-5.6.31-1.mga6 php-shmop-5.6.31-1.mga6 php-snmp-5.6.31-1.mga6 php-soap-5.6.31-1.mga6 php-sockets-5.6.31-1.mga6 php-sqlite3-5.6.31-1.mga6 php-sybase_ct-5.6.31-1.mga6 php-sysvmsg-5.6.31-1.mga6 php-sysvsem-5.6.31-1.mga6 php-sysvshm-5.6.31-1.mga6 php-tidy-5.6.31-1.mga6 php-tokenizer-5.6.31-1.mga6 php-xml-5.6.31-1.mga6 
php-xmlreader-5.6.31-1.mga6 php-xmlrpc-5.6.31-1.mga6 php-xmlwriter-5.6.31-1.mga6 php-xsl-5.6.31-1.mga6 php-wddx-5.6.31-1.mga6 php-zip-5.6.31-1.mga6 php-fpm-5.6.31-1.mga6 phpdbg-5.6.31-1.mga6

from SRPMS:
php-5.6.31-1.mga5.src.rpm
php-5.6.31-1.mga6.src.rpm
Whiteboard: (none) => MGA5TOO
(In reply to David Walser from comment #0)
> Upstream has released PHP 5.6.31 on July 6:
> http://php.net/archive/2017.php#id2017-01-19-3
>
> It fixes several security issues:
> http://php.net/ChangeLog-5.php#5.6.31
>
> Fedora has issued an advisory for this on July 18:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/2TMO6AAFFZRWCXEL7MSQ3P7M6Z6NKL4J/
>
> I have built updated packages for Mageia 5, Mageia 6, and Cauldron (listed
> below). However, the GD issue also affects libgd, so we need to address
> that too.
>

For cauldron, too, right?

Oden is the registered libgd maintainer, CC'ing him, but assigning to all packagers collectively, in case he's still unavailable.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, oe
yes, this is OK on cauldron too
Assignee: pkg-bugs => qa-bugs
CC: (none) => mageia
Assigning to myself until libgd update is built.
CC: (none) => nicolas.salguero, qa-bugs
Assignee: qa-bugs => luigiwalser
libgd update is built. Advisory to come.

Updated packages in core/updates_testing:
========================
libgd3-2.2.4-1.2.mga5
libgd-devel-2.2.4-1.2.mga5
libgd-static-devel-2.2.4-1.2.mga5
gd-utils-2.2.4-1.2.mga5
libgd3-2.2.4-3.1.mga6
libgd-devel-2.2.4-3.1.mga6
libgd-static-devel-2.2.4-3.1.mga6
gd-utils-2.2.4-3.1.mga6

from SRPMS:
libgd-2.2.4-1.2.mga5.src.rpm
libgd-2.2.4-3.1.mga6.src.rpm
Assignee: luigiwalser => qa-bugs
CC: qa-bugs => (none)
Packages listed in Comment 0 and Comment 4.

Advisory:
========================

Updated php and libgd packages fix security vulnerabilities:

Buffer over-read into uninitialized memory in libgd (CVE-2017-7890).

Security issues from bundled oniguruma in php-mbstring (CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7890
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9224
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9226
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9227
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9229
http://php.net/ChangeLog-5.php#5.6.31
Installed and tested with several large scripts (e.g. wordpress), without noticeable regressions.

$ uname -a
Linux marte 4.4.79-desktop-1.mga5 #1 SMP Fri Jul 28 02:50:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep php | sort
apache-mod_php-5.6.31-1.mga5
lib64php5_common5-5.6.31-1.mga5
php-cli-5.6.31-1.mga5
php-ctype-5.6.31-1.mga5
php-curl-5.6.31-1.mga5
php-dom-5.6.31-1.mga5
php-filter-5.6.31-1.mga5
php-ftp-5.6.31-1.mga5
php-gd-5.6.31-1.mga5
php-gettext-5.6.31-1.mga5
php-hash-5.6.31-1.mga5
php-ini-5.6.31-1.mga5
php-json-5.6.31-1.mga5
php-mbstring-5.6.31-1.mga5
php-mysqli-5.6.31-1.mga5
php-mysqlnd-5.6.31-1.mga5
php-openssl-5.6.31-1.mga5
php-pdo-5.6.31-1.mga5
php-pdo_mysql-5.6.31-1.mga5
php-posix-5.6.31-1.mga5
php-session-5.6.31-1.mga5
php-suhosin-0.9.37.1-1.mga5
php-sysvsem-5.6.31-1.mga5
php-sysvshm-5.6.31-1.mga5
php-timezonedb-2016.6-1.mga5
php-tokenizer-5.6.31-1.mga5
php-xdebug-2.2.5-3.mga5
php-xml-5.6.31-1.mga5
php-xmlreader-5.6.31-1.mga5
php-xmlwriter-5.6.31-1.mga5
php-zlib-5.6.31-1.mga5
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
CC: (none) => mageia
Tested with Drupal 8.3.5 and Booked 2.6.7 without any problem too (Mageia 6 64-bit).
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
mariadb phpmyadmin php-ini php-fpm

install mariadb phpmyadmin php-ini php-fpm from core & updates testing

Package php-fpm-5.6.31-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.31-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.10-2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.31-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.31-1.mga5.i586 is already installed

localhost/phpmyadmin opens and creates a database named "test01"
I can close localhost/phpmyadmin then reopen and access db test01
CC: (none) => wilcal.int
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK
In VirtualBox, M6, KDE, 32-bit

Package(s) under test:
mariadb phpmyadmin php-ini php-fpm

install mariadb phpmyadmin php-ini php-fpm from core

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.1.25-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.7.1-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.30-2.mga6.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.30-2.mga6.i586 is already installed

cannot set password as in M5. I get the following error:

[root@localhost wilcal]# mysqladmin -u root password
New password: testphp
Confirm new password: testphp
mysqladmin: You cannot use 'password' command as mysqld runs with grant tables disabled (was started with --skip-grant-tables).
Use: "mysqladmin flush-privileges password '*'" instead

mysqladmin flush-privileges password 'testphp'
mysqladmin flush-privileges password testphp
mysqladmin flush-privileges password '*'

All get the same error. What's the proper code to set the password?
@ William : try # mysql_secure_installation
CC: (none) => herman.viaene
MGA6-32 on Asus A6000VM MATE No installation issues Used phpmyadmin to create a new database, a table within, a new user with all grants and finally remove the database. All OK
(In reply to Herman Viaene from comment #10)
> @ William : try # mysql_secure_installation

so the command would be:

mysqladmin mysql_secure_installation password testphp
No, plain
# mysql_secure_installation
and then answer the questions, first time just enter at root password.
(In reply to Herman Viaene from comment #13)
> # mysql_secure_installation
> and then answer the questions, first time just enter at root password.

Enter current password for root (enter for none):
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2 "No such file or directory")
I'm not such a big expert on mysql. But Google helps a lot often. Obvious thing to check: mysql-server is installed (I remember I had to select it manually at some time), and if yes, is it running?
Thanks Herman. This time I made sure mysql is running and # mysql_secure_installation then allowing everything for testing worked. I'll get back to this later today and document all this here. Thanks
Procedure to set up mysqld.service on M6.

install mariadb phpmyadmin php-ini php-fpm from core

[root@localhost wilcal]# systemctl start mysqld.service
[root@localhost wilcal]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] Y
New password: testphp
Re-enter new password: testphp
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] n
... skipping.

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] n
... skipping.

By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] n
... skipping.

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
[root@localhost wilcal]#

http://localhost/phpmyadmin/index.php ( will now work )
In VirtualBox, M6, KDE, 32-bit

Package(s) under test:
mariadb phpmyadmin php-ini php-fpm

install mariadb phpmyadmin php-ini php-fpm from core

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.1.25-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.7.1-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.30-2.mga6.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.30-2.mga6.i586 is already installed

http://localhost/phpmyadmin/index.php opens and creates a database named "test01"
I can close localhost/phpmyadmin then reopen it, access and modify db test01.

install php-ini php-fpm from updates testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.1.25-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.7.1-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.31-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.31-1.mga6.i586 is already installed

http://localhost/phpmyadmin/index.php opens and creates a database named "test02"
I can close localhost/phpmyadmin then reopen it, access and modify db test02.
In VirtualBox, M6, KDE, 64-bit

Package(s) under test:
mariadb phpmyadmin php-ini php-fpm

install mariadb phpmyadmin php-ini php-fpm from core

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.1.25-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.7.1-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.30-2.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.30-2.mga6.x86_64 is already installed

http://localhost/phpmyadmin/index.php opens and creates a database named "test01"
I can close localhost/phpmyadmin then reopen it, access and modify db test01.

install php-ini php-fpm from updates testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.1.25-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.7.1-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi php-ini
Package php-ini-5.6.31-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi php-fpm
Package php-fpm-5.6.31-1.mga6.x86_64 is already installed

http://localhost/phpmyadmin/index.php opens and creates a database named "test02"
I can close localhost/phpmyadmin then reopen it, access and modify db test02.
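Added example, not part of the original thread: a check that flags installed php and libgd packages older than the fixed builds named in these comments, run over `rpm -qa` or urpmi-style lines. The binary-to-source mapping and the numeric version comparison are simplifying assumptions, and the sample input is constructed.

```python
import re

# Fixed builds named in this thread, keyed by (source package, Mageia release).
FIXED = {
    ("php", "mga5"): ("5.6.31", "1"),
    ("php", "mga6"): ("5.6.31", "1"),
    ("libgd", "mga5"): ("2.2.4", "1.2"),
    ("libgd", "mga6"): ("2.2.4", "3.1"),
}

# name-version-release.dist, with the optional arch suffix that urpmi prints.
NVR = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>\d+(?:\.\d+)*)"
                 r"\.(?P<dist>mga\d+)(?:\.(?:i586|x86_64|noarch))?$")

def source_of(name, ver):
    """Assumed (heuristic) mapping from a binary package to its source package."""
    if re.fullmatch(r"lib(64)?gd3|lib(64)?gd-(static-)?devel|gd-utils", name):
        return "libgd"
    # Separately versioned extensions (php-xdebug, php-suhosin, ...) are not 5.6.x.
    if ver.startswith("5.6.") and re.fullmatch(
            r"php-.+|apache-mod_php|lib(64)?php5_common5|phpdbg", name):
        return "php"
    return None

def vkey(dotted):
    """Numeric comparison key; a simplification of RPM's version ordering."""
    return tuple(int(part) for part in re.findall(r"\d+", dotted))

def unpatched(lines):
    """Return (name, installed, required) for packages older than the fixed build."""
    findings = []
    for line in lines:
        m = NVR.match(line.strip())
        if not m:
            continue
        fixed = FIXED.get((source_of(m["name"], m["ver"]), m["dist"]))
        if fixed and (vkey(m["ver"]), vkey(m["rel"])) < (vkey(fixed[0]), vkey(fixed[1])):
            findings.append((m["name"], f'{m["ver"]}-{m["rel"]}', "-".join(fixed)))
    return findings

# Constructed sample: names follow this thread; lib64gd3-2.2.4-1.1.mga5 is a made-up older build.
SAMPLE = """php-ini-5.6.30-2.mga6.x86_64
php-fpm-5.6.31-1.mga6.x86_64
php-xdebug-2.2.5-3.mga5
php-timezonedb-2016.6-1.mga5
lib64gd3-2.2.4-1.1.mga5
libgd3-2.2.4-3.1.mga6
phpmyadmin-4.7.1-1.mga6.noarch""".splitlines()

if __name__ == "__main__":
    for name, have, need in unpatched(SAMPLE):
        print(f"{name}: installed {have}, needs {need}")
```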
OK Herman, looks good here in both M5 & M6. New setup procedure for M6 in Comment 17. Anything else you can think of before I push this one on?
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK
You could have a look at the snag I have while testing glpi, it is php related. Check if that problem exists in your installation.
(In reply to Herman Viaene from comment #21)
> You could have a look at the snag I have while testing glpi, it is php
> related. Check if that problem exists in your installation.

Where is that documented?
bug 21331 comment 5
This update works fine. 21331 can be looked at separately.

Testing complete for MGA5, 32-bit & 64-bit

Validating the update.
Could someone from the sysadmin team push to updates.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK => advisory MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0246.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED