Update to 7.3.27 fixes CVE-2021-21702
Updated php fixes security issue:

SOAP: Fixed bug #80672 (Null Dereference in SoapClient)

References:
[1] https://www.php.net/ChangeLog-7.php#7.3.27
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21702

Updated packages in core/updates_testing:
========================
php-ini-7.3.27-1.mga7
apache-mod_php-7.3.27-1.mga7
php-cli-7.3.27-1.mga7
php-cgi-7.3.27-1.mga7
lib64php_common7-7.3.27-1.mga7
php-devel-7.3.27-1.mga7
php-openssl-7.3.27-1.mga7
php-zlib-7.3.27-1.mga7
php-doc-7.3.27-1.mga7
php-bcmath-7.3.27-1.mga7
php-bz2-7.3.27-1.mga7
php-calendar-7.3.27-1.mga7
php-ctype-7.3.27-1.mga7
php-curl-7.3.27-1.mga7
php-dba-7.3.27-1.mga7
php-dom-7.3.27-1.mga7
php-enchant-7.3.27-1.mga7
php-exif-7.3.27-1.mga7
php-fileinfo-7.3.27-1.mga7
php-filter-7.3.27-1.mga7
php-ftp-7.3.27-1.mga7
php-gd-7.3.27-1.mga7
php-gettext-7.3.27-1.mga7
php-gmp-7.3.27-1.mga7
php-iconv-7.3.27-1.mga7
php-imap-7.3.27-1.mga7
php-interbase-7.3.27-1.mga7
php-intl-7.3.27-1.mga7
php-json-7.3.27-1.mga7
php-ldap-7.3.27-1.mga7
php-mbstring-7.3.27-1.mga7
php-mysqli-7.3.27-1.mga7
php-mysqlnd-7.3.27-1.mga7
php-odbc-7.3.27-1.mga7
php-opcache-7.3.27-1.mga7
php-pcntl-7.3.27-1.mga7
php-pdo-7.3.27-1.mga7
php-pdo_dblib-7.3.27-1.mga7
php-pdo_firebird-7.3.27-1.mga7
php-pdo_mysql-7.3.27-1.mga7
php-pdo_odbc-7.3.27-1.mga7
php-pdo_pgsql-7.3.27-1.mga7
php-pdo_sqlite-7.3.27-1.mga7
php-pgsql-7.3.27-1.mga7
php-phar-7.3.27-1.mga7
php-posix-7.3.27-1.mga7
php-readline-7.3.27-1.mga7
php-recode-7.3.27-1.mga7
php-session-7.3.27-1.mga7
php-shmop-7.3.27-1.mga7
php-snmp-7.3.27-1.mga7
php-soap-7.3.27-1.mga7
php-sockets-7.3.27-1.mga7
php-sodium-7.3.27-1.mga7
php-sqlite3-7.3.27-1.mga7
php-sysvmsg-7.3.27-1.mga7
php-sysvsem-7.3.27-1.mga7
php-sysvshm-7.3.27-1.mga7
php-tidy-7.3.27-1.mga7
php-tokenizer-7.3.27-1.mga7
php-xml-7.3.27-1.mga7
php-xmlreader-7.3.27-1.mga7
php-xmlrpc-7.3.27-1.mga7
php-xmlwriter-7.3.27-1.mga7
php-xsl-7.3.27-1.mga7
php-wddx-7.3.27-1.mga7
php-zip-7.3.27-1.mga7
php-fpm-7.3.27-1.mga7
php-fpm-apache-7.3.27-1.mga7
phpdbg-7.3.27-1.mga7
php-debugsource-7.3.27-1.mga7
php-debuginfo-7.3.27-1.mga7
apache-mod_php-debuginfo-7.3.27-1.mga7
php-cli-debuginfo-7.3.27-1.mga7
php-cgi-debuginfo-7.3.27-1.mga7
lib64php_common7-debuginfo-7.3.27-1.mga7
php-openssl-debuginfo-7.3.27-1.mga7
php-zlib-debuginfo-7.3.27-1.mga7
php-bcmath-debuginfo-7.3.27-1.mga7
php-bz2-debuginfo-7.3.27-1.mga7
php-calendar-debuginfo-7.3.27-1.mga7
php-ctype-debuginfo-7.3.27-1.mga7
php-curl-debuginfo-7.3.27-1.mga7
php-dba-debuginfo-7.3.27-1.mga7
php-dom-debuginfo-7.3.27-1.mga7
php-enchant-debuginfo-7.3.27-1.mga7
php-exif-debuginfo-7.3.27-1.mga7
php-fileinfo-debuginfo-7.3.27-1.mga7
php-filter-debuginfo-7.3.27-1.mga7
php-ftp-debuginfo-7.3.27-1.mga7
php-gd-debuginfo-7.3.27-1.mga7
php-gettext-debuginfo-7.3.27-1.mga7
php-gmp-debuginfo-7.3.27-1.mga7
php-iconv-debuginfo-7.3.27-1.mga7
php-imap-debuginfo-7.3.27-1.mga7
php-interbase-debuginfo-7.3.27-1.mga7
php-intl-debuginfo-7.3.27-1.mga7
php-json-debuginfo-7.3.27-1.mga7
php-ldap-debuginfo-7.3.27-1.mga7
php-mbstring-debuginfo-7.3.27-1.mga7
php-mysqli-debuginfo-7.3.27-1.mga7
php-mysqlnd-debuginfo-7.3.27-1.mga7
php-odbc-debuginfo-7.3.27-1.mga7
php-opcache-debuginfo-7.3.27-1.mga7
php-pcntl-debuginfo-7.3.27-1.mga7
php-pdo-debuginfo-7.3.27-1.mga7
php-pdo_dblib-debuginfo-7.3.27-1.mga7
php-pdo_firebird-debuginfo-7.3.27-1.mga7
php-pdo_mysql-debuginfo-7.3.27-1.mga7
php-pdo_odbc-debuginfo-7.3.27-1.mga7
php-pdo_pgsql-debuginfo-7.3.27-1.mga7
php-pdo_sqlite-debuginfo-7.3.27-1.mga7
php-pgsql-debuginfo-7.3.27-1.mga7
php-phar-debuginfo-7.3.27-1.mga7
php-posix-debuginfo-7.3.27-1.mga7
php-readline-debuginfo-7.3.27-1.mga7
php-recode-debuginfo-7.3.27-1.mga7
php-session-debuginfo-7.3.27-1.mga7
php-shmop-debuginfo-7.3.27-1.mga7
php-snmp-debuginfo-7.3.27-1.mga7
php-soap-debuginfo-7.3.27-1.mga7
php-sockets-debuginfo-7.3.27-1.mga7
php-sodium-debuginfo-7.3.27-1.mga7
php-sqlite3-debuginfo-7.3.27-1.mga7
php-sysvmsg-debuginfo-7.3.27-1.mga7
php-sysvsem-debuginfo-7.3.27-1.mga7
php-sysvshm-debuginfo-7.3.27-1.mga7
php-tidy-debuginfo-7.3.27-1.mga7
php-tokenizer-debuginfo-7.3.27-1.mga7
php-xml-debuginfo-7.3.27-1.mga7
php-xmlreader-debuginfo-7.3.27-1.mga7
php-xmlrpc-debuginfo-7.3.27-1.mga7
php-xmlwriter-debuginfo-7.3.27-1.mga7
php-xsl-debuginfo-7.3.27-1.mga7
php-wddx-debuginfo-7.3.27-1.mga7
php-zip-debuginfo-7.3.27-1.mga7
php-fpm-debuginfo-7.3.27-1.mga7
phpdbg-debuginfo-7.3.27-1.mga7

SRPM: php-7.3.27-1.mga7.src.rpm
Assignee: mageia => qa-bugs
CVE: (none) => CVE-2021-21702
please validate php-7.4.15-1.mga7.src.rpm from backports_testing too!
Summary: PHP: new security vulnerability => PHP 7.3.27 (fixes CVE-2021-21702)
(In reply to Marc Krämer from comment #2)
> please validate php-7.4.15-1.mga7.src.rpm from backports_testing too!

They can't unless you file a bug for it.
Blocks: (none) => 28297
@David: it is a bit annoying to file 2 bugs. Having backports with regular updates often hangs until the next one is ready :(
Installed and tested without issues. Using php-fpm instead of mod_php. Tested several scripts (phpmyadmin, wordpress, drupal, roundcubemail, mediawiki). Tested HTTP 1.1, HTTP 2, TLS and CLI.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.10.12-desktop-1.mga7 #1 SMP Sat Jan 30 14:29:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep php.*7.3 | sort
apache-mod_php-7.3.27-1.mga7
lib64php_common7-7.3.27-1.mga7
php-bz2-7.3.27-1.mga7
php-cli-7.3.27-1.mga7
php-ctype-7.3.27-1.mga7
php-curl-7.3.27-1.mga7
php-dom-7.3.27-1.mga7
php-exif-7.3.27-1.mga7
php-fileinfo-7.3.27-1.mga7
php-filter-7.3.27-1.mga7
php-fpm-7.3.27-1.mga7
php-ftp-7.3.27-1.mga7
php-gd-7.3.27-1.mga7
php-gettext-7.3.27-1.mga7
php-iconv-7.3.27-1.mga7
php-ini-7.3.27-1.mga7
php-intl-7.3.27-1.mga7
php-json-7.3.27-1.mga7
php-ldap-7.3.27-1.mga7
php-mbstring-7.3.27-1.mga7
php-mysqli-7.3.27-1.mga7
php-mysqlnd-7.3.27-1.mga7
php-openssl-7.3.27-1.mga7
php-pdo-7.3.27-1.mga7
php-pdo_mysql-7.3.27-1.mga7
php-pdo_sqlite-7.3.27-1.mga7
php-pear-PHPUnit-3.7.34-4.mga7
php-posix-7.3.27-1.mga7
php-session-7.3.27-1.mga7
php-sockets-7.3.27-1.mga7
php-sysvsem-7.3.27-1.mga7
php-sysvshm-7.3.27-1.mga7
php-tokenizer-7.3.27-1.mga7
php-xml-7.3.27-1.mga7
php-xmlreader-7.3.27-1.mga7
php-xmlwriter-7.3.27-1.mga7
php-zip-7.3.27-1.mga7
php-zlib-7.3.27-1.mga7

$ systemctl status httpd.socket php-fpm.socket httpd.service php-fpm.service
● httpd.socket - httpd server activation socket
   Loaded: loaded (/usr/local/lib/systemd/system/httpd.socket; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-02-05 10:37:19 WET; 2h 33min ago
   Listen: [::]:80 (Stream)
           [::]:443 (Stream)
    Tasks: 0 (limit: 4668)
   Memory: 8.0K
   CGroup: /system.slice/httpd.socket

fev 05 10:37:19 marte systemd[1]: Listening on httpd server activation socket.

● php-fpm.socket - php-fpm Server Socket
   Loaded: loaded (/usr/local/lib/systemd/system/php-fpm.socket; enabled; vendor preset: disabled)
   Active: inactive (dead) since Fri 2021-02-05 11:45:56 WET; 1h 24min ago
   Listen: /var/lib/php-fpm/php-fpm.sock (Stream)

fev 05 10:37:19 marte systemd[1]: Listening on php-fpm Server Socket.
fev 05 11:45:56 marte systemd[1]: php-fpm.socket: Succeeded.
fev 05 11:45:56 marte systemd[1]: Closed php-fpm Server Socket.

● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-02-05 11:24:21 WET; 1h 46min ago
 Main PID: 20538 (httpd)
   Status: "Total requests: 837; Idle/Busy workers 100/0;Requests/sec: 0.131; Bytes served/sec: 1.6KB/sec"
    Tasks: 66 (limit: 4668)
   Memory: 38.5M
   CGroup: /system.slice/httpd.service
           ├─20538 /usr/sbin/httpd -DFOREGROUND
           ├─20540 /usr/sbin/httpd -DFOREGROUND
           └─20541 /usr/sbin/httpd -DFOREGROUND

fev 05 11:24:21 marte systemd[1]: Starting The Apache HTTP Server...
fev 05 11:24:21 marte systemd[1]: Started The Apache HTTP Server.

● php-fpm.service - The PHP FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-02-05 11:45:56 WET; 1h 24min ago
 Main PID: 22363 (php-fpm)
   Status: "Processes active: 0, idle: 2, Requests: 115, slow: 0, Traffic: 0req/sec"
    Tasks: 3 (limit: 4668)
   Memory: 90.5M
   CGroup: /system.slice/php-fpm.service
           ├─12992 php-fpm: pool www
           ├─13001 php-fpm: pool www
           └─22363 php-fpm: master process (/etc/php-fpm.conf)

fev 05 11:45:56 marte systemd[1]: Starting The PHP FastCGI Process Manager...
fev 05 11:45:56 marte php-fpm[22363]: [NOTICE] fpm is running, pid 22363
fev 05 11:45:56 marte php-fpm[22363]: [NOTICE] ready to handle connections
fev 05 11:45:56 marte php-fpm[22363]: [NOTICE] systemd monitor interval set to 10000ms
fev 05 11:45:56 marte systemd[1]: Started The PHP FastCGI Process Manager.
CC: (none) => mageia
Selecting a 7.3.27 package calls for dependencies of 7.4.12 ????
CC: (none) => herman.viaene
Disable backports Herman.
I can't see any backports enabled.
(In reply to Herman Viaene from comment #8)
> I can't see any backports enabled.

I'm seeing the same issue but only when using the rpmdrake GUI. When using the urpmi CLI the issue is not present. The following are the repositories I have enabled. No backports are enabled.

$ LANGUAGE=C urpmi.update -a
medium "Core Release" is up-to-date
medium "Core Updates" is up-to-date
medium "Core Updates Testing" is up-to-date
medium "Nonfree Release" is up-to-date
medium "Nonfree Updates" is up-to-date
medium "Nonfree Updates Testing" is up-to-date
medium "Tainted Release" is up-to-date
medium "Tainted Updates" is up-to-date
medium "Tainted Updates Testing" is up-to-date
medium "Core 32bit Release" is up-to-date
medium "Core 32bit Updates" is up-to-date
medium "Core 32bit Updates Testing" is up-to-date
medium "Nonfree 32bit Release" is up-to-date
medium "Nonfree 32bit Updates" is up-to-date
medium "Nonfree 32bit Updates Testing" is up-to-date
medium "Tainted 32bit Release" is up-to-date
medium "Tainted 32bit Updates" is up-to-date
medium "Tainted 32bit Updates Testing" is up-to-date

But in rpmdrake the backport packages are shown for update (see attached screenshot). Anyway, I'm planning to post a bug report for this. For now, using the urpmi CLI works around this issue and the php 7.3.* packages can be updated and tested.
Created attachment 12311: rpmdrake screenshot showing backport issue.
Bug 27436 - rpmdrake selects backports rpms although only updates_testing is selected
CC: (none) => fri
So can we send this one on, or does bug 27436 have to be addressed first? If this one can go, it might solve the issue Brian ran into in Bug 27905.
CC: (none) => andrewsfarm
This one should be pushed ASAP.
(In reply to Marc Krämer from comment #4)
> @David: it is a bit annoying to file 2 bugs. Having backports with regular
> updates often hangs until the next one is ready :(

Well, backports have lower priority than updates. It's the simple fact of limited resources...
Herman, PC LX, is it possible that you installed the backported php 7.4.12 in an earlier test? I took a look at one of my test installs where I had done that, and I see that drakrpm shows the 7.4.12 packages, even though backports is disabled.

If you removed them, perhaps you didn't get them all, or all of their dependencies, so 7.4.12 packages are being called up now as dependencies because of it. How about a leftover orphan?
Sending it on. Validating. Closest thing I see to an advisory is in Comment 1. Now, if someone could check out the backport in Bug 28297?
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
(In reply to Thomas Andrews from comment #15)
> Herman, PC LX, is it possible that you installed the backported php 7.4.12
> in an earlier test? I took a look on one of my test installs where I had
> done that, and I see that drakrpm shows the 7.4.12 packages, even though
> backports is disabled.
>
> If you removed them, perhaps you didn't get them all, or all of their
> dependencies, so 7.4.12 packages are being called up now as dependencies
> because of it. How about a leftover orphan?

This system has been following 7.3.* and never had any 7.4.* on it.
Advisory pushed to SVN.
Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0076.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED