Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned). (CVE-2019-11048)
Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp files are not cleaned). (CVE-2019-11048)
Fixed bug #79441 (Segfault in mb_chr() if internal encoding is unsupported).
Fixed bug #79491 (Search for .user.ini extends up to root dir).
Fixed bug #79468 (SIGSEGV when closing stream handle with a stream filter appended).
Updated php packages fix security vulnerabilities:

- Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned). [1]
- Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp files are not cleaned). [2]
- Fixed bug #79441 (Segfault in mb_chr() if internal encoding is unsupported).
- Fixed bug #79491 (Search for .user.ini extends up to root dir).
- Fixed bug #79468 (SIGSEGV when closing stream handle with a stream filter appended).

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11048
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11048
[3] https://www.php.net/ChangeLog-7.php#7.3.18
========================

Updated packages in core/updates_testing:
php-ini-7.3.18-1.mga7 apache-mod_php-7.3.18-1.mga7 php-cli-7.3.18-1.mga7 php-cgi-7.3.18-1.mga7 libphp_common7-7.3.18-1.mga7 php-devel-7.3.18-1.mga7 php-openssl-7.3.18-1.mga7 php-zlib-7.3.18-1.mga7 php-doc-7.3.18-1.mga7 php-bcmath-7.3.18-1.mga7 php-bz2-7.3.18-1.mga7 php-calendar-7.3.18-1.mga7 php-ctype-7.3.18-1.mga7 php-curl-7.3.18-1.mga7 php-dba-7.3.18-1.mga7 php-dom-7.3.18-1.mga7 php-enchant-7.3.18-1.mga7 php-exif-7.3.18-1.mga7 php-fileinfo-7.3.18-1.mga7 php-filter-7.3.18-1.mga7 php-ftp-7.3.18-1.mga7 php-gd-7.3.18-1.mga7 php-gettext-7.3.18-1.mga7 php-gmp-7.3.18-1.mga7 php-hash-7.3.18-1.mga7 php-iconv-7.3.18-1.mga7 php-imap-7.3.18-1.mga7 php-interbase-7.3.18-1.mga7 php-intl-7.3.18-1.mga7 php-json-7.3.18-1.mga7 php-ldap-7.3.18-1.mga7 php-mbstring-7.3.18-1.mga7 php-mysqli-7.3.18-1.mga7 php-mysqlnd-7.3.18-1.mga7 php-odbc-7.3.18-1.mga7 php-opcache-7.3.18-1.mga7 php-pcntl-7.3.18-1.mga7 php-pdo-7.3.18-1.mga7 php-pdo_dblib-7.3.18-1.mga7 php-pdo_firebird-7.3.18-1.mga7 php-pdo_mysql-7.3.18-1.mga7 php-pdo_odbc-7.3.18-1.mga7 php-pdo_pgsql-7.3.18-1.mga7 php-pdo_sqlite-7.3.18-1.mga7 php-pgsql-7.3.18-1.mga7 php-phar-7.3.18-1.mga7 php-posix-7.3.18-1.mga7 php-readline-7.3.18-1.mga7 php-recode-7.3.18-1.mga7 php-session-7.3.18-1.mga7 php-shmop-7.3.18-1.mga7
php-snmp-7.3.18-1.mga7 php-soap-7.3.18-1.mga7 php-sockets-7.3.18-1.mga7 php-sodium-7.3.18-1.mga7 php-sqlite3-7.3.18-1.mga7 php-sysvmsg-7.3.18-1.mga7 php-sysvsem-7.3.18-1.mga7 php-sysvshm-7.3.18-1.mga7 php-tidy-7.3.18-1.mga7 php-tokenizer-7.3.18-1.mga7 php-xml-7.3.18-1.mga7 php-xmlreader-7.3.18-1.mga7 php-xmlrpc-7.3.18-1.mga7 php-xmlwriter-7.3.18-1.mga7 php-xsl-7.3.18-1.mga7 php-wddx-7.3.18-1.mga7 php-zip-7.3.18-1.mga7 php-fpm-7.3.18-1.mga7 phpdbg-7.3.18-1.mga7 php-debugsource-7.3.18-1.mga7 php-debuginfo-7.3.18-1.mga7 apache-mod_php-debuginfo-7.3.18-1.mga7 php-cli-debuginfo-7.3.18-1.mga7 php-cgi-debuginfo-7.3.18-1.mga7 libphp_common7-debuginfo-7.3.18-1.mga7 php-openssl-debuginfo-7.3.18-1.mga7 php-zlib-debuginfo-7.3.18-1.mga7 php-bcmath-debuginfo-7.3.18-1.mga7 php-bz2-debuginfo-7.3.18-1.mga7 php-calendar-debuginfo-7.3.18-1.mga7 php-ctype-debuginfo-7.3.18-1.mga7 php-curl-debuginfo-7.3.18-1.mga7 php-dba-debuginfo-7.3.18-1.mga7 php-dom-debuginfo-7.3.18-1.mga7 php-enchant-debuginfo-7.3.18-1.mga7 php-exif-debuginfo-7.3.18-1.mga7 php-fileinfo-debuginfo-7.3.18-1.mga7 php-filter-debuginfo-7.3.18-1.mga7 php-ftp-debuginfo-7.3.18-1.mga7 php-gd-debuginfo-7.3.18-1.mga7 php-gettext-debuginfo-7.3.18-1.mga7 php-gmp-debuginfo-7.3.18-1.mga7 php-hash-debuginfo-7.3.18-1.mga7 php-iconv-debuginfo-7.3.18-1.mga7 php-imap-debuginfo-7.3.18-1.mga7 php-interbase-debuginfo-7.3.18-1.mga7 php-intl-debuginfo-7.3.18-1.mga7 php-json-debuginfo-7.3.18-1.mga7 php-ldap-debuginfo-7.3.18-1.mga7 php-mbstring-debuginfo-7.3.18-1.mga7 php-mysqli-debuginfo-7.3.18-1.mga7 php-mysqlnd-debuginfo-7.3.18-1.mga7 php-odbc-debuginfo-7.3.18-1.mga7 php-opcache-debuginfo-7.3.18-1.mga7 php-pcntl-debuginfo-7.3.18-1.mga7 php-pdo-debuginfo-7.3.18-1.mga7 php-pdo_dblib-debuginfo-7.3.18-1.mga7 php-pdo_firebird-debuginfo-7.3.18-1.mga7 php-pdo_mysql-debuginfo-7.3.18-1.mga7 php-pdo_odbc-debuginfo-7.3.18-1.mga7 php-pdo_pgsql-debuginfo-7.3.18-1.mga7 php-pdo_sqlite-debuginfo-7.3.18-1.mga7 php-pgsql-debuginfo-7.3.18-1.mga7 
php-phar-debuginfo-7.3.18-1.mga7 php-posix-debuginfo-7.3.18-1.mga7 php-readline-debuginfo-7.3.18-1.mga7 php-recode-debuginfo-7.3.18-1.mga7 php-session-debuginfo-7.3.18-1.mga7 php-shmop-debuginfo-7.3.18-1.mga7 php-snmp-debuginfo-7.3.18-1.mga7 php-soap-debuginfo-7.3.18-1.mga7 php-sockets-debuginfo-7.3.18-1.mga7 php-sodium-debuginfo-7.3.18-1.mga7 php-sqlite3-debuginfo-7.3.18-1.mga7 php-sysvmsg-debuginfo-7.3.18-1.mga7 php-sysvsem-debuginfo-7.3.18-1.mga7 php-sysvshm-debuginfo-7.3.18-1.mga7 php-tidy-debuginfo-7.3.18-1.mga7 php-tokenizer-debuginfo-7.3.18-1.mga7 php-xml-debuginfo-7.3.18-1.mga7 php-xmlreader-debuginfo-7.3.18-1.mga7 php-xmlrpc-debuginfo-7.3.18-1.mga7 php-xmlwriter-debuginfo-7.3.18-1.mga7 php-xsl-debuginfo-7.3.18-1.mga7 php-wddx-debuginfo-7.3.18-1.mga7 php-zip-debuginfo-7.3.18-1.mga7 php-fpm-debuginfo-7.3.18-1.mga7 phpdbg-debuginfo-7.3.18-1.mga7

SRPM: php-7.3.18-1.mga7.src.rpm
Assignee: mageia => qa-bugs
MGA7-64 Plasma on Lenovo B50
Installed all but the debug stuff

$ php -r 'phpinfo();' | more
phpinfo()
PHP Version => 7.3.18
System => Linux mach5.hviaene.thuis 5.6.8-desktop-1.mga7 #1 SMP Thu Apr 30 06:12:53 UTC 2020 x86_64
Build Date => May 14 2020 10:58:37
Configure Command => './configure' '--with-apxs2=/usr/bin/apxs' '--with-pic' '--build=x86_64-mageia-linux-gnu' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var/lib' '--mandir=/usr/share/man' '--enable-shared=yes' '--enable-static=no' '--disable-debug' '--enable-bcmath=shared' '--enable-calendar=shared' '--enable-ctype=shared' '--enable-dba=shared' '--enable-dom=shared,/usr' '--enable-exif=shared' '--enable-fileinfo=shared' '--enable-filter=shared' '--enable-ftp=shared' '--enable-gd-native-ttf' '--enable-hash=shared,/usr' '--enable-inline-optimization' '--enable-intl=shared' '--enable-json=shared' '--enable-libxml=/usr' '--enable-mbregex' '--enable-mbstring=shared,/usr' '--enable-mysqlnd=shared,/usr/bin/mysql_config' '--enable-opcache=shared' '--enable-pcntl=shared' '--enable-pdo=shared,/usr' '--enable-phar=shared' '--enable-phpdbg' '--enable-phpdbg-webhelper' '--enable-posix=shared' '--enable-session=shared,/usr' '--enable-shmop=shared,/usr' '--enable-simplexml' '--enable-soap=shared,/usr' '--enable-sockets=shared,/usr' '--enable-sysvmsg=shared,/usr' '--enable-sysvsem=shared,/usr' '--enable-sysvshm=shared,/usr' '--enable-tokenizer=shared,/usr' '--enable-wddx=shared' '--enable-xmlreader=shared,/usr' '--enable-xml=shared,/usr' '--enable-xmlwriter=shared,/usr' '--enable-zip=shared' '--with-bz2=shared,/usr' '--with-cdb' '--with-config-file-path=/etc' '--with-config-file-scan-dir=/etc/php.d' '--with-curl=shared,/usr' '--with-db4' '--with-enchant=shared,/usr' '--with-freetype-dir=/usr' '--with-gdbm' '--with-gd=shared,/usr' '--with-gettext=shared,/usr' '--with-gmp=shared,/usr' '--with-iconv=shared' '--with-icu-dir=/usr' '--with-imap=shared,/usr' '--with-imap-ssl=/usr' '--with-interbase=shared,/usr/lib64/firebird' '--with-jpeg-dir=/usr' '--with-ldap-sasl=/usr' '--with-ldap=shared,/usr' '--with-libdir=lib64' '--with-libjson' '--with-libmbfl=/usr' '--with-libxml-dir=/usr' '--with-libzip=/usr' '--with-mysqli=shared,mysqlnd' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--with-onig=/usr' '--with-openssl-dir=/usr' '--with-openssl=shared,/usr' '--without-curlwrappers' '--without-pear' '--with-pcre-dir=/usr' '--with-pcre-regex=/usr' '--with-pdo-dblib=shared,/usr' '--with-pdo-firebird=shared,/usr/lib64/firebird' '--with-pdo-mysql=shared,mysqlnd' '--with-pdo-odbc=shared,unixODBC,/usr' '--with-pdo-pgsql=shared,/usr' '--with-pdo-sqlite=shared,/usr' '--with-pgsql=shared,/usr' '--with-png-dir=/usr' '--with-readline=shared,/usr' '--with-recode=shared,/usr' '--with-snmp=shared,/usr' '--with-sodium=shared,/usr' '--with-sqlite3=shared,/usr' '--with-system-ciphers' '--with-tidy=shared,/usr' '--with-unixODBC=shared,/usr' '--with-webp-dir=/usr' '--with-xmlrpc=shared,/usr' '--with-xpm-dir=/usr/X11R6' '--with-xsl=shared,/usr' '--with-zlib-dir=/usr' '--with-zlib=/usr' '--with-zlib=shared,/usr' 'build_alias=x86_64-mageia-linux-gnu'

Used phpmyadmin to exercise, all worked OK.
CC: (none) => herman.viaene
Installed and tested without issues.

Using PHP FastCGI Process Manager.

Tested with various large scripts (phpmyadmin, phpPgAdmin, roundcubemail, wordpress, drupal, etc) using HTTP(S) and CLI.

No issues found.

System: Mageia 7, x86_64, Apache, PHP FPM, Intel CPU.

$ uname -a
Linux marte 5.6.8-desktop-1.mga7 #1 SMP Thu Apr 30 06:12:53 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep php.*7.3.18 | sort
apache-mod_php-7.3.18-1.mga7
lib64php_common7-7.3.18-1.mga7
php-bz2-7.3.18-1.mga7
php-cli-7.3.18-1.mga7
php-ctype-7.3.18-1.mga7
php-curl-7.3.18-1.mga7
php-dom-7.3.18-1.mga7
php-exif-7.3.18-1.mga7
php-fileinfo-7.3.18-1.mga7
php-filter-7.3.18-1.mga7
php-fpm-7.3.18-1.mga7
php-ftp-7.3.18-1.mga7
php-gd-7.3.18-1.mga7
php-gettext-7.3.18-1.mga7
php-hash-7.3.18-1.mga7
php-iconv-7.3.18-1.mga7
php-ini-7.3.18-1.mga7
php-intl-7.3.18-1.mga7
php-json-7.3.18-1.mga7
php-ldap-7.3.18-1.mga7
php-mbstring-7.3.18-1.mga7
php-mysqli-7.3.18-1.mga7
php-mysqlnd-7.3.18-1.mga7
php-openssl-7.3.18-1.mga7
php-pdo-7.3.18-1.mga7
php-pdo_mysql-7.3.18-1.mga7
php-pdo_sqlite-7.3.18-1.mga7
php-pgsql-7.3.18-1.mga7
php-posix-7.3.18-1.mga7
php-session-7.3.18-1.mga7
php-sockets-7.3.18-1.mga7
php-sysvsem-7.3.18-1.mga7
php-sysvshm-7.3.18-1.mga7
php-tokenizer-7.3.18-1.mga7
php-xml-7.3.18-1.mga7
php-xmlreader-7.3.18-1.mga7
php-xmlwriter-7.3.18-1.mga7
php-zip-7.3.18-1.mga7
php-zlib-7.3.18-1.mga7

$ systemctl status php-fpm.socket
● php-fpm.socket - php-fpm Server Socket
   Loaded: loaded (/usr/local/lib/systemd/system/php-fpm.socket; enabled; vendor preset: disabled)
   Active: inactive (dead) since Sat 2020-05-16 19:56:38 WEST; 9min ago
   Listen: /var/lib/php-fpm/php-fpm.sock (Stream)

mai 16 10:27:32 marte systemd[1]: Listening on php-fpm Server Socket.
mai 16 19:56:38 marte systemd[1]: php-fpm.socket: Succeeded.
mai 16 19:56:38 marte systemd[1]: Closed php-fpm Server Socket.

$ systemctl status php-fpm.service
● php-fpm.service - The PHP FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-05-16 19:56:38 WEST; 10min ago
 Main PID: 15521 (php-fpm)
   Status: "Processes active: 0, idle: 3, Requests: 96, slow: 0, Traffic: 0req/sec"
    Tasks: 4 (limit: 4697)
   Memory: 84.1M
   CGroup: /system.slice/php-fpm.service
           ├─15521 php-fpm: master process (/etc/php-fpm.conf)
           ├─15522 php-fpm: pool www
           ├─15629 php-fpm: pool www
           └─15715 php-fpm: pool www

mai 16 19:56:38 marte systemd[1]: Starting The PHP FastCGI Process Manager...
mai 16 19:56:38 marte systemd[1]: Started The PHP FastCGI Process Manager.
CC: (none) => mageia
This update has been in use for a week without issues so I'm giving the OK for x86_64 based on comment 2 and comment 3.
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory information in Comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => mageia
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0236.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED