Upstream has released PHP 5.6.35 on March 29:
http://us3.php.net/archive/2018.php#id2018-03-29-3

It fixes one security issue:
http://www.php.net/ChangeLog-5.php#5.6.35

Advisory:
========================

Updated php packages fix security vulnerability:

Dumpable FPM child processes allow bypassing opcache access controls
(php#75605).

References:
http://php.net/ChangeLog-5.php#5.6.35
========================

Updated packages in core/updates_testing:
========================
php-ini-5.6.35-1.mga5
apache-mod_php-5.6.35-1.mga5
php-cli-5.6.35-1.mga5
php-cgi-5.6.35-1.mga5
lib64php5_common5-5.6.35-1.mga5
php-devel-5.6.35-1.mga5
php-openssl-5.6.35-1.mga5
php-zlib-5.6.35-1.mga5
php-doc-5.6.35-1.mga5
php-bcmath-5.6.35-1.mga5
php-bz2-5.6.35-1.mga5
php-calendar-5.6.35-1.mga5
php-ctype-5.6.35-1.mga5
php-curl-5.6.35-1.mga5
php-dba-5.6.35-1.mga5
php-dom-5.6.35-1.mga5
php-enchant-5.6.35-1.mga5
php-exif-5.6.35-1.mga5
php-fileinfo-5.6.35-1.mga5
php-filter-5.6.35-1.mga5
php-ftp-5.6.35-1.mga5
php-gd-5.6.35-1.mga5
php-gettext-5.6.35-1.mga5
php-gmp-5.6.35-1.mga5
php-hash-5.6.35-1.mga5
php-iconv-5.6.35-1.mga5
php-imap-5.6.35-1.mga5
php-interbase-5.6.35-1.mga5
php-intl-5.6.35-1.mga5
php-json-5.6.35-1.mga5
php-ldap-5.6.35-1.mga5
php-mbstring-5.6.35-1.mga5
php-mcrypt-5.6.35-1.mga5
php-mssql-5.6.35-1.mga5
php-mysql-5.6.35-1.mga5
php-mysqli-5.6.35-1.mga5
php-mysqlnd-5.6.35-1.mga5
php-odbc-5.6.35-1.mga5
php-opcache-5.6.35-1.mga5
php-pcntl-5.6.35-1.mga5
php-pdo-5.6.35-1.mga5
php-pdo_dblib-5.6.35-1.mga5
php-pdo_firebird-5.6.35-1.mga5
php-pdo_mysql-5.6.35-1.mga5
php-pdo_odbc-5.6.35-1.mga5
php-pdo_pgsql-5.6.35-1.mga5
php-pdo_sqlite-5.6.35-1.mga5
php-pgsql-5.6.35-1.mga5
php-phar-5.6.35-1.mga5
php-posix-5.6.35-1.mga5
php-readline-5.6.35-1.mga5
php-recode-5.6.35-1.mga5
php-session-5.6.35-1.mga5
php-shmop-5.6.35-1.mga5
php-snmp-5.6.35-1.mga5
php-soap-5.6.35-1.mga5
php-sockets-5.6.35-1.mga5
php-sqlite3-5.6.35-1.mga5
php-sybase_ct-5.6.35-1.mga5
php-sysvmsg-5.6.35-1.mga5
php-sysvsem-5.6.35-1.mga5
php-sysvshm-5.6.35-1.mga5
php-tidy-5.6.35-1.mga5
php-tokenizer-5.6.35-1.mga5
php-xml-5.6.35-1.mga5
php-xmlreader-5.6.35-1.mga5
php-xmlrpc-5.6.35-1.mga5
php-xmlwriter-5.6.35-1.mga5
php-xsl-5.6.35-1.mga5
php-wddx-5.6.35-1.mga5
php-zip-5.6.35-1.mga5
php-fpm-5.6.35-1.mga5
phpdbg-5.6.35-1.mga5
php-ini-5.6.35-1.mga6
apache-mod_php-5.6.35-1.mga6
php-cli-5.6.35-1.mga6
php-cgi-5.6.35-1.mga6
lib64php5_common5-5.6.35-1.mga6
php-devel-5.6.35-1.mga6
php-openssl-5.6.35-1.mga6
php-zlib-5.6.35-1.mga6
php-doc-5.6.35-1.mga6
php-bcmath-5.6.35-1.mga6
php-bz2-5.6.35-1.mga6
php-calendar-5.6.35-1.mga6
php-ctype-5.6.35-1.mga6
php-curl-5.6.35-1.mga6
php-dba-5.6.35-1.mga6
php-dom-5.6.35-1.mga6
php-enchant-5.6.35-1.mga6
php-exif-5.6.35-1.mga6
php-fileinfo-5.6.35-1.mga6
php-filter-5.6.35-1.mga6
php-ftp-5.6.35-1.mga6
php-gd-5.6.35-1.mga6
php-gettext-5.6.35-1.mga6
php-gmp-5.6.35-1.mga6
php-hash-5.6.35-1.mga6
php-iconv-5.6.35-1.mga6
php-imap-5.6.35-1.mga6
php-interbase-5.6.35-1.mga6
php-intl-5.6.35-1.mga6
php-json-5.6.35-1.mga6
php-ldap-5.6.35-1.mga6
php-mbstring-5.6.35-1.mga6
php-mcrypt-5.6.35-1.mga6
php-mssql-5.6.35-1.mga6
php-mysql-5.6.35-1.mga6
php-mysqli-5.6.35-1.mga6
php-mysqlnd-5.6.35-1.mga6
php-odbc-5.6.35-1.mga6
php-opcache-5.6.35-1.mga6
php-pcntl-5.6.35-1.mga6
php-pdo-5.6.35-1.mga6
php-pdo_dblib-5.6.35-1.mga6
php-pdo_firebird-5.6.35-1.mga6
php-pdo_mysql-5.6.35-1.mga6
php-pdo_odbc-5.6.35-1.mga6
php-pdo_pgsql-5.6.35-1.mga6
php-pdo_sqlite-5.6.35-1.mga6
php-pgsql-5.6.35-1.mga6
php-phar-5.6.35-1.mga6
php-posix-5.6.35-1.mga6
php-readline-5.6.35-1.mga6
php-recode-5.6.35-1.mga6
php-session-5.6.35-1.mga6
php-shmop-5.6.35-1.mga6
php-snmp-5.6.35-1.mga6
php-soap-5.6.35-1.mga6
php-sockets-5.6.35-1.mga6
php-sqlite3-5.6.35-1.mga6
php-sybase_ct-5.6.35-1.mga6
php-sysvmsg-5.6.35-1.mga6
php-sysvsem-5.6.35-1.mga6
php-sysvshm-5.6.35-1.mga6
php-tidy-5.6.35-1.mga6
php-tokenizer-5.6.35-1.mga6
php-xml-5.6.35-1.mga6
php-xmlreader-5.6.35-1.mga6
php-xmlrpc-5.6.35-1.mga6
php-xmlwriter-5.6.35-1.mga6
php-xsl-5.6.35-1.mga6
php-wddx-5.6.35-1.mga6
php-zip-5.6.35-1.mga6
php-fpm-5.6.35-1.mga6
phpdbg-5.6.35-1.mga6

from SRPMS:
php-5.6.35-1.mga5.src.rpm
php-5.6.35-1.mga6.src.rpm
Whiteboard: (none) => MGA5TOO
Installed and tested without issues.

Tested using several small and large scripts (e.g. wordpress, drupal, custom scripts).

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.30-desktop-3.mga6 #1 SMP Sun Mar 25 22:17:31 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep php | sort
apache-mod_php-5.6.35-1.mga6
lib64php5_common5-5.6.35-1.mga6
php-cli-5.6.35-1.mga6
php-ctype-5.6.35-1.mga6
php-curl-5.6.35-1.mga6
php-dom-5.6.35-1.mga6
php-filter-5.6.35-1.mga6
php-ftp-5.6.35-1.mga6
php-gd-5.6.35-1.mga6
php-gettext-5.6.35-1.mga6
php-hash-5.6.35-1.mga6
php-ini-5.6.35-1.mga6
php-intl-5.6.35-1.mga6
php-json-5.6.35-1.mga6
php-mbstring-5.6.35-1.mga6
php-memcached-2.2.0-2.mga6
php-mysqli-5.6.35-1.mga6
php-mysqlnd-5.6.35-1.mga6
php-openssl-5.6.35-1.mga6
php-pdo-5.6.35-1.mga6
php-pdo_mysql-5.6.35-1.mga6
php-pdo_pgsql-5.6.35-1.mga6
php-pdo_sqlite-5.6.35-1.mga6
php-phpmailer-5.2.24-1.1.mga6
php-posix-5.6.35-1.mga6
php-session-5.6.35-1.mga6
php-suhosin-0.9.38-1.mga6
php-sysvsem-5.6.35-1.mga6
php-sysvshm-5.6.35-1.mga6
php-timezonedb-2017.2-1.mga6
php-tokenizer-5.6.35-1.mga6
php-xdebug-2.4.0-1.mga6
php-xml-5.6.35-1.mga6
php-xmlreader-5.6.35-1.mga6
php-xmlwriter-5.6.35-1.mga6
php-zlib-5.6.35-1.mga6
CC: (none) => mageia
Mageia 5 :: x86_64

It is a fairly complex process to demonstrate this bug so we shall not attempt it.

Installed all packages and then updated them all.

Some basic tests:

$ php -r 'phpinfo();'
<lots of information about the PHP installation>
$ php -S localhost:8000 -t php
PHP 5.6.35 Development Server started at Mon Apr 2 11:30:11 2018
Listening on http://localhost:8000
Document root is /home/lcl/dev/php
Press Ctrl-C to quit.

With the php server running localhost:8000 in a browser shows a page with "It works!" and localhost:8000/sample.php shows a message from the sample script.

localhost:8000/create-png.php
This displays a page containing a blue square on a black background.

I do not have anything more complex with which to test php so am passing it as OK for 64-bits and also adding the OK for mga6 based on comment 1.
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK MGA6-64-OK
CC: (none) => tarazed25
Thanks PC_LX & Len. Advisory from c0, no CVE yet. Validating.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0191.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED