Bug 23564 - PHP 5.6.38
Summary: PHP 5.6.38
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-09-12 14:04 CEST by David Walser
Modified: 2018-09-21 18:27 CEST

See Also:
Source RPM: php-5.6.36-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2018-09-12 14:04:30 CEST
Upstream has released PHP 5.6.37 on July 20:
http://us3.php.net/archive/2018.php#id2018-07-20-1

It fixes two security issues:
http://www.php.net/ChangeLog-5.php#5.6.37
Comment 1 Marja Van Waes 2018-09-12 20:03:01 CEST
Assigning to the PHP stack maintainers, CC'ing the registered maintainer.

CC: (none) => mageia, marja11
Assignee: bugsquad => php

Comment 2 Marc Krämer 2018-09-12 20:35:28 CEST
I'll do this with 7.2.10 or 5.6.38, depending on which one is first. These issues are not severe.
Comment 3 David Walser 2018-09-12 20:54:10 CEST
openSUSE has issued an advisory for this today (September 12):
https://lists.opensuse.org/opensuse-updates/2018-09/msg00052.html

I'm not sure if CVE-2017-9118 affects us (in pcre or php).
Comment 4 David Walser 2018-09-12 20:59:47 CEST
They aren't issuing 5.6.x updates very often anymore.  I'd just update it.
Comment 5 Marc Krämer 2018-09-12 21:05:38 CEST
We are not affected, tested for this issue. SUSE released an update for php 5.5, not 5.6.
Comment 6 Marc Krämer 2018-09-13 15:37:36 CEST
As we have new releases for php 7 today, with #76582 (XSS due to the header Transfer-Encoding: chunked), I assume we'll get php 5.6.38.
Comment 7 David Walser 2018-09-13 15:48:20 CEST
I wouldn't assume that.  The 5.6.x and 7.x releases haven't been coordinated for a while now.
Marc Krämer 2018-09-14 01:45:24 CEST

Assignee: php => mageia

Marc Krämer 2018-09-14 01:45:32 CEST

Summary: PHP 5.6.37 => PHP 5.6.38

Comment 8 Marc Krämer 2018-09-14 03:02:52 CEST
Updated php packages fix security vulnerabilities:

- Int Overflow leads to Heap Overflow in exif_thumbnail_extract of exif.c (CVE-2018-14883)
- heap-buffer-overflow (READ of size 48) while reading exif data (CVE-2018-14851)
- XSS due to the header Transfer-Encoding: chunked

========================
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14851

========================
Updated packages in core/updates_testing:
php-ini-5.6.38-1.mga6
apache-mod_php-5.6.38-1.mga6
php-cli-5.6.38-1.mga6
php-cgi-5.6.38-1.mga6
lib64php5_common5-5.6.38-1.mga6
php-devel-5.6.38-1.mga6
php-openssl-5.6.38-1.mga6
php-zlib-5.6.38-1.mga6
php-doc-5.6.38-1.mga6
php-bcmath-5.6.38-1.mga6
php-bz2-5.6.38-1.mga6
php-calendar-5.6.38-1.mga6
php-ctype-5.6.38-1.mga6
php-curl-5.6.38-1.mga6
php-dba-5.6.38-1.mga6
php-dom-5.6.38-1.mga6
php-enchant-5.6.38-1.mga6
php-exif-5.6.38-1.mga6
php-fileinfo-5.6.38-1.mga6
php-filter-5.6.38-1.mga6
php-ftp-5.6.38-1.mga6
php-gd-5.6.38-1.mga6
php-gettext-5.6.38-1.mga6
php-gmp-5.6.38-1.mga6
php-hash-5.6.38-1.mga6
php-iconv-5.6.38-1.mga6
php-imap-5.6.38-1.mga6
php-interbase-5.6.38-1.mga6
php-intl-5.6.38-1.mga6
php-json-5.6.38-1.mga6
php-ldap-5.6.38-1.mga6
php-mbstring-5.6.38-1.mga6
php-mcrypt-5.6.38-1.mga6
php-mssql-5.6.38-1.mga6
php-mysql-5.6.38-1.mga6
php-mysqli-5.6.38-1.mga6
php-mysqlnd-5.6.38-1.mga6
php-odbc-5.6.38-1.mga6
php-opcache-5.6.38-1.mga6
php-pcntl-5.6.38-1.mga6
php-pdo-5.6.38-1.mga6
php-pdo_dblib-5.6.38-1.mga6
php-pdo_firebird-5.6.38-1.mga6
php-pdo_mysql-5.6.38-1.mga6
php-pdo_odbc-5.6.38-1.mga6
php-pdo_pgsql-5.6.38-1.mga6
php-pdo_sqlite-5.6.38-1.mga6
php-pgsql-5.6.38-1.mga6
php-phar-5.6.38-1.mga6
php-posix-5.6.38-1.mga6
php-readline-5.6.38-1.mga6
php-recode-5.6.38-1.mga6
php-session-5.6.38-1.mga6
php-shmop-5.6.38-1.mga6
php-snmp-5.6.38-1.mga6
php-soap-5.6.38-1.mga6
php-sockets-5.6.38-1.mga6
php-sqlite3-5.6.38-1.mga6
php-sybase_ct-5.6.38-1.mga6
php-sysvmsg-5.6.38-1.mga6
php-sysvsem-5.6.38-1.mga6
php-sysvshm-5.6.38-1.mga6
php-tidy-5.6.38-1.mga6
php-tokenizer-5.6.38-1.mga6
php-xml-5.6.38-1.mga6
php-xmlreader-5.6.38-1.mga6
php-xmlrpc-5.6.38-1.mga6
php-xmlwriter-5.6.38-1.mga6
php-xsl-5.6.38-1.mga6
php-wddx-5.6.38-1.mga6
php-zip-5.6.38-1.mga6
php-fpm-5.6.38-1.mga6
phpdbg-5.6.38-1.mga6
php-debuginfo-5.6.38-1.mga6


Source RPMs: 
php-5.6.38-1.mga6.src.rpm

Assignee: mageia => qa-bugs

Comment 9 Herman Viaene 2018-09-15 11:18:04 CEST
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug22843 Comment2 for some tests
phpinfo()
PHP Version => 5.6.38

System => Linux mach6.hviaene.thuis 4.14.69-desktop-1.mga6 #1 SMP Wed Sep 12 10:18:08 UTC 2018 i686
Build Date => Sep 14 2018 00:09:24
Configure Command =>  './configure'  '--with-apxs2=/usr/bin/apxs' '--build=i586-mageia-linux-gn
and a lot more.....

but
$ php -S localhost:8000 -t php
Directory php does not exist.
I must be missing something

CC: (none) => herman.viaene

Comment 10 Herman Viaene 2018-09-15 11:29:32 CEST
$ php -S localhost:8000
PHP 5.6.38 Development Server started at Sat Sep 15 11:23:41 2018
Listening on http://localhost:8000
Document root is /home/tester6/Muziek
Press Ctrl-C to quit.

Pointing the browser to localhost:8000 results in error 404 and the messages:
[Sat Sep 15 11:24:15 2018] 127.0.0.1:37634 [404]: / - No such file or directory
[Sat Sep 15 11:24:15 2018] 127.0.0.1:37636 [404]: /favicon.ico - No such file or directory
[Sat Sep 15 11:24:15 2018] 127.0.0.1:37638 [404]: /favicon.ico - No such file or directory
I have no php development stuff on this laptop.
Comment 11 Herman Viaene 2018-09-15 12:00:07 CEST
Found an example at http://php.net/manual/fa/features.commandline.webserver.php
so created a file hello.php as given there, but at CLI:
$ php -S localhost:8000 hello.php
PHP 5.6.38 Development Server started at Sat Sep 15 11:38:20 2018
Listening on http://localhost:8000
Document root is /home/tester6/Documenten
Press Ctrl-C to quit.

/home/tester6/Documenten is the location of the hello.php file, but no feedback on the CLI as indicated in the website above.
Launching the browser gives a blank page, at least no error 404 anymore.

Found another https://www.sitepoint.com/taking-advantage-of-phps-built-in-server/
created the index.php file as indicated there, launched the server, pointed the browser to localhost:8000 and there is all the phpinfo as in the command at the CLI.
That should do as far as I am concerned.

Whiteboard: (none) => MGA6-32-OK

Comment 12 Frédéric "LpSolit" Buclin 2018-09-15 16:50:50 CEST
Tested with Drupal 8.6.1 and Booked 2.7.2 on a 64 bit machine. PHP is working fine.
Comment 13 PC LX 2018-09-15 17:04:29 CEST
Installed and tested without issues.

Tested using small and large scripts (e.g. wordpress, roundcube, drupal, custom), through CLI and Apache's mod_php.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.69-desktop-1.mga6 #1 SMP Wed Sep 12 10:35:26 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep php | sort
apache-mod_php-5.6.38-1.mga6
lib64php5_common5-5.6.38-1.mga6
php-channel-phpunit-1.3-15.mga6
php-cli-5.6.38-1.mga6
php-ctype-5.6.38-1.mga6
php-curl-5.6.38-1.mga6
php-dom-5.6.38-1.mga6
php-fileinfo-5.6.38-1.mga6
php-filter-5.6.38-1.mga6
php-ftp-5.6.38-1.mga6
php-gd-5.6.38-1.mga6
php-gettext-5.6.38-1.mga6
php-hash-5.6.38-1.mga6
php-iconv-5.6.38-1.mga6
php-ini-5.6.38-1.mga6
php-intl-5.6.38-1.mga6
php-json-5.6.38-1.mga6
php-mbstring-5.6.38-1.mga6
php-mcrypt-5.6.38-1.mga6
php-memcached-2.2.0-2.mga6
php-mysql-5.6.38-1.mga6
php-mysqli-5.6.38-1.mga6
php-mysqlnd-5.6.38-1.mga6
php-openssl-5.6.38-1.mga6
php-pdo-5.6.38-1.mga6
php-pdo_mysql-5.6.38-1.mga6
php-pdo_pgsql-5.6.38-1.mga6
php-pdo_sqlite-5.6.38-1.mga6
php-pear-1.10.1-3.mga6
php-pear-Auth_SASL-1.0.6-6.mga6
php-pear-channel-horde-1.0-20.mga6
php-pear-channel-symfony2-1.0-6.mga6
php-pear-Console_CommandLine-1.2.1-2.mga6
php-pear-Crypt_GPG-1.4.0-3.mga6
php-pear-DbUnit-1.3.1-5.mga6
php-pear-File_Iterator-1.3.4-5.mga6
php-pear-Mail_Mime-1.10.0-1.mga6
php-pear-MDB2-2.5.0-0.0.b11.mga6
php-pear-MDB2_Driver_mysql-1.5.0-0.0.b10.mga6
php-pear-MDB2_Driver_mysqli-1.5.0-0.0.b9.mga6
php-pear-MDB2_Driver_pgsql-1.5.0-0.0.b10.mga6
php-pear-Net_IDNA2-0.1.1-6.mga6
php-pear-Net_LDAP2-2.2.0-0.mga6
php-pear-Net_Sieve-1.3.4-1.mga6
php-pear-Net_SMTP-1.7.1-1.mga6
php-pear-Net_Socket-1.0.14-5.mga6
php-pear-PHP_CodeCoverage-1.2.17-4.mga6
php-pear-PHP_Invoker-1.1.3-5.mga6
php-pear-PHP_Timer-1.0.5-5.mga6
php-pear-PHP_TokenStream-1.2.2-4.mga6
php-pear-PHPUnit-3.7.34-3.mga6
php-pear-PHPUnit_MockObject-1.2.3-5.mga6
php-pear-PHPUnit_Selenium-1.3.3-5.mga6
php-pear-PHPUnit_Story-1.0.2-5.mga6
php-pear-Symfony2_Yaml-2.4.4-4.mga6
php-pear-Text_Template-1.2.0-4.mga6
php-pgsql-5.6.38-1.mga6
php-phpmailer-5.2.24-1.1.mga6
php-posix-5.6.38-1.mga6
php-session-5.6.38-1.mga6
php-suhosin-0.9.38-1.mga6
php-sysvsem-5.6.38-1.mga6
php-sysvshm-5.6.38-1.mga6
php-timezonedb-2017.2-1.mga6
php-tokenizer-5.6.38-1.mga6
php-xdebug-2.4.0-1.mga6
php-xml-5.6.38-1.mga6
php-xmlreader-5.6.38-1.mga6
php-xmlwriter-5.6.38-1.mga6
php-zip-5.6.38-1.mga6
php-zlib-5.6.38-1.mga6

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => mageia

Comment 14 Thomas Andrews 2018-09-19 03:07:27 CEST
Validating...

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2018-09-21 17:23:56 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 15 Mageia Robot 2018-09-21 18:27:57 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0390.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

