Bug 6354 - php new security issues CVE-2012-2386 and CVE-2012-2143
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
Assigned To: QA Team
: http://lwn.net/Vulnerabilities/500330/
: mga2-64-OK, mga2-32-OK
: validated_update
: 6353
Reported: 2012-06-06 18:22 CEST by David Walser
Modified: 2012-06-19 19:40 CEST (History)

See Also:
Source RPM: php-5.3.13-1.mga2.src.rpm
CVE:
Status comment:


Attachments
Testcase for CVE-2012-2386 (400 bytes, application/zip)
2012-06-14 22:40 CEST, William Murphy
PoC test against CVE-2012-2143 (1.05 KB, text/plain)
2012-06-18 12:10 CEST, William Murphy

Description David Walser 2012-06-06 18:22:29 CEST
SuSE has issued an advisory on June 5:
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html

Cauldron was affected, but I have fixed it there.

Mageia 1 is affected, and I filed a separate bug for that to help QA.

Patched package for Mageia 2 uploaded.

Note to QA: The patch only affects the php-phar subpackage, so you can focus testing there if you can find a test case.  Some of the documentation here may be helpful:
http://php.net/manual/en/book.phar.php

I believe there is also a PoC out there.  See the references below.

Advisory:
========================

Updated php packages fix security vulnerability:

An integer overflow, leading to heap-based buffer overflow was
found in the way Phar extension of the PHP scripting language
processed certain fields by manipulating TAR files. A remote
attacker could provide a specially-crafted TAR archive file,
which once processed in a PHP application using the Phar extension
could lead to denial of service (application crash), or,
potentially arbitrary code execution with the privileges of the
user running the application (CVE-2012-2386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386
https://bugzilla.redhat.com/show_bug.cgi?id=823594
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html
========================

Updated packages in core/updates_testing:
========================
php-ini-5.3.13-1.1.mga2
php-cli-5.3.13-1.1.mga2
php-cgi-5.3.13-1.1.mga2
php-fpm-5.3.13-1.1.mga2
apache-mod_php-5.3.13-1.1.mga2
libphp5_common5-5.3.13-1.1.mga2
php-devel-5.3.13-1.1.mga2
php-openssl-5.3.13-1.1.mga2
php-zlib-5.3.13-1.1.mga2
php-bcmath-5.3.13-1.1.mga2
php-bz2-5.3.13-1.1.mga2
php-calendar-5.3.13-1.1.mga2
php-ctype-5.3.13-1.1.mga2
php-curl-5.3.13-1.1.mga2
php-dba-5.3.13-1.1.mga2
php-dom-5.3.13-1.1.mga2
php-enchant-5.3.13-1.1.mga2
php-exif-5.3.13-1.1.mga2
php-fileinfo-5.3.13-1.1.mga2
php-filter-5.3.13-1.1.mga2
php-ftp-5.3.13-1.1.mga2
php-gd-5.3.13-1.1.mga2
php-gettext-5.3.13-1.1.mga2
php-gmp-5.3.13-1.1.mga2
php-hash-5.3.13-1.1.mga2
php-iconv-5.3.13-1.1.mga2
php-imap-5.3.13-1.1.mga2
php-intl-5.3.13-1.1.mga2
php-json-5.3.13-1.1.mga2
php-ldap-5.3.13-1.1.mga2
php-mbstring-5.3.13-1.1.mga2
php-mcrypt-5.3.13-1.1.mga2
php-mssql-5.3.13-1.1.mga2
php-mysql-5.3.13-1.1.mga2
php-mysqli-5.3.13-1.1.mga2
php-mysqlnd-5.3.13-1.1.mga2
php-odbc-5.3.13-1.1.mga2
php-pcntl-5.3.13-1.1.mga2
php-pdo-5.3.13-1.1.mga2
php-pdo_dblib-5.3.13-1.1.mga2
php-pdo_mysql-5.3.13-1.1.mga2
php-pdo_odbc-5.3.13-1.1.mga2
php-pdo_pgsql-5.3.13-1.1.mga2
php-pdo_sqlite-5.3.13-1.1.mga2
php-pgsql-5.3.13-1.1.mga2
php-phar-5.3.13-1.1.mga2
php-posix-5.3.13-1.1.mga2
php-readline-5.3.13-1.1.mga2
php-recode-5.3.13-1.1.mga2
php-session-5.3.13-1.1.mga2
php-shmop-5.3.13-1.1.mga2
php-snmp-5.3.13-1.1.mga2
php-soap-5.3.13-1.1.mga2
php-sockets-5.3.13-1.1.mga2
php-sqlite3-5.3.13-1.1.mga2
php-sqlite-5.3.13-1.1.mga2
php-sybase_ct-5.3.13-1.1.mga2
php-sysvmsg-5.3.13-1.1.mga2
php-sysvsem-5.3.13-1.1.mga2
php-sysvshm-5.3.13-1.1.mga2
php-tidy-5.3.13-1.1.mga2
php-tokenizer-5.3.13-1.1.mga2
php-xml-5.3.13-1.1.mga2
php-xmlreader-5.3.13-1.1.mga2
php-xmlrpc-5.3.13-1.1.mga2
php-xmlwriter-5.3.13-1.1.mga2
php-xsl-5.3.13-1.1.mga2
php-wddx-5.3.13-1.1.mga2
php-zip-5.3.13-1.1.mga2

from php-5.3.13-1.1.mga2.src.rpm
Comment 1 David Walser 2012-06-11 22:36:10 CEST
Debian issued an advisory for this yesterday (June 10):
http://www.debian.org/security/2012/dsa-2492

Their update includes an additional patch (from upstream) to the php-phar tar handling code for a similar issue.  I've included that patch and rebuilt this update.

Advisory:
========================

Updated php packages fix security vulnerability:

An integer overflow, leading to heap-based buffer overflow was
found in the way Phar extension of the PHP scripting language
processed certain fields by manipulating TAR files. A remote
attacker could provide a specially-crafted TAR archive file,
which once processed in a PHP application using the Phar extension
could lead to denial of service (application crash), or,
potentially arbitrary code execution with the privileges of the
user running the application (CVE-2012-2386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386
https://bugzilla.redhat.com/show_bug.cgi?id=823594
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html
http://www.debian.org/security/2012/dsa-2492
========================

Updated packages in core/updates_testing:
========================
php-ini-5.3.13-1.1.mga2
php-cli-5.3.13-1.1.mga2
php-cgi-5.3.13-1.1.mga2
php-fpm-5.3.13-1.1.mga2
apache-mod_php-5.3.13-1.1.mga2
libphp5_common5-5.3.13-1.1.mga2
php-devel-5.3.13-1.1.mga2
php-openssl-5.3.13-1.1.mga2
php-zlib-5.3.13-1.1.mga2
php-bcmath-5.3.13-1.1.mga2
php-bz2-5.3.13-1.1.mga2
php-calendar-5.3.13-1.1.mga2
php-ctype-5.3.13-1.1.mga2
php-curl-5.3.13-1.1.mga2
php-dba-5.3.13-1.1.mga2
php-dom-5.3.13-1.1.mga2
php-enchant-5.3.13-1.1.mga2
php-exif-5.3.13-1.1.mga2
php-fileinfo-5.3.13-1.1.mga2
php-filter-5.3.13-1.1.mga2
php-ftp-5.3.13-1.1.mga2
php-gd-5.3.13-1.1.mga2
php-gettext-5.3.13-1.1.mga2
php-gmp-5.3.13-1.1.mga2
php-hash-5.3.13-1.1.mga2
php-iconv-5.3.13-1.1.mga2
php-imap-5.3.13-1.1.mga2
php-intl-5.3.13-1.1.mga2
php-json-5.3.13-1.1.mga2
php-ldap-5.3.13-1.1.mga2
php-mbstring-5.3.13-1.1.mga2
php-mcrypt-5.3.13-1.1.mga2
php-mssql-5.3.13-1.1.mga2
php-mysql-5.3.13-1.1.mga2
php-mysqli-5.3.13-1.1.mga2
php-mysqlnd-5.3.13-1.1.mga2
php-odbc-5.3.13-1.1.mga2
php-pcntl-5.3.13-1.1.mga2
php-pdo-5.3.13-1.1.mga2
php-pdo_dblib-5.3.13-1.1.mga2
php-pdo_mysql-5.3.13-1.1.mga2
php-pdo_odbc-5.3.13-1.1.mga2
php-pdo_pgsql-5.3.13-1.1.mga2
php-pdo_sqlite-5.3.13-1.1.mga2
php-pgsql-5.3.13-1.1.mga2
php-phar-5.3.13-1.1.mga2
php-posix-5.3.13-1.1.mga2
php-readline-5.3.13-1.1.mga2
php-recode-5.3.13-1.1.mga2
php-session-5.3.13-1.1.mga2
php-shmop-5.3.13-1.1.mga2
php-snmp-5.3.13-1.1.mga2
php-soap-5.3.13-1.1.mga2
php-sockets-5.3.13-1.1.mga2
php-sqlite3-5.3.13-1.1.mga2
php-sqlite-5.3.13-1.1.mga2
php-sybase_ct-5.3.13-1.1.mga2
php-sysvmsg-5.3.13-1.1.mga2
php-sysvsem-5.3.13-1.1.mga2
php-sysvshm-5.3.13-1.1.mga2
php-tidy-5.3.13-1.1.mga2
php-tokenizer-5.3.13-1.1.mga2
php-xml-5.3.13-1.1.mga2
php-xmlreader-5.3.13-1.1.mga2
php-xmlrpc-5.3.13-1.1.mga2
php-xmlwriter-5.3.13-1.1.mga2
php-xsl-5.3.13-1.1.mga2
php-wddx-5.3.13-1.1.mga2
php-zip-5.3.13-1.1.mga2

from php-5.3.13-1.1.mga2.src.rpm
Comment 2 William Murphy 2012-06-14 22:34:08 CEST
Testing on mga2 x86_64.

A PoC testcase for CVE-2012-2386 is at:
http://0x1byte.blogspot.com/2011/04/php-phar-extension-heap-overflow.html

Using the files in php_phar.zip, loading phar.php (which uses poc.phar.tar) before updating from testing recorded a segfault in the httpd error log:

[Thu Jun 14 12:12:18 2012] [notice] child pid 28849 exit signal Segmentation fault (11), possible coredump in /tmp

After updating from Updates Testing and reloading phar.php, php caught the error:

[Thu Jun 14 12:51:16 2012] [error] [client 192.168.0.1] PHP Fatal error:  Uncaught exception 'UnexpectedValueException' with message 'phar error: "/pub/sites/phar/poc.phar.tar" is a corrupted tar file (invalid entry size)' in /pub/sites/phar/phar.php:3\nStack trace:\n#0 /pub/sites/phar/phar.php(3): Phar->__construct('/pub/sites/phar...')\n#1 {main}\n  thrown in /pub/sites/phar/phar.php on line 3

The php-phar patch tests Ok. 2 packages failed to update:

- php-pgsql-5.3.13-1.2.mga2.x86_64 (due to unsatisfied libpq.so.5()(64bit))
- php-pdo_pgsql-5.3.13-1.2.mga2.x86_64 (due to conflicts with libpq9.1_5-9.1.4-1.mga2.i586, trying to promote libpq.so.5()(64bit))

libpq.so.5 is in lib64pq9.1_5, which is installed. Seems like a version conflict. There is an upgrade available for postgresql i586, but not for x86_64.
Do these modules expect an upgraded postgresql?
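The "invalid entry size" rejection seen after the update, as an added C example that is not PHP's Phar code and not part of the original thread: it parses a tar header's octal size field and contrasts an unchecked 32-bit "size + 1" allocation length with a bounds-checked one. The 32-bit length, the "+1", the function names and the sample headers are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAR_SIZE_OFF 124   /* offset of the size field in a tar header */
#define TAR_SIZE_LEN 12    /* octal digits, NUL- or space-terminated */

/* Parse the octal size field; returns 0 on success, -1 if malformed. */
static int tar_entry_size(const unsigned char *hdr, uint64_t *size)
{
    uint64_t v = 0;
    int digits = 0;
    for (int i = 0; i < TAR_SIZE_LEN; i++) {
        unsigned char c = hdr[TAR_SIZE_OFF + i];
        if (c == '\0' || c == ' ') {
            if (digits) break;   /* terminator after the digits */
            continue;            /* leading padding */
        }
        if (c < '0' || c > '7') return -1;
        v = (v << 3) | (uint64_t)(c - '0');
        digits++;
    }
    if (!digits) return -1;
    *size = v;
    return 0;
}

/* Unsafe pattern (assumed): 32-bit length plus one byte for a terminator.
 * For size 0xFFFFFFFF the sum wraps to 0, so the buffer is far too small. */
static uint32_t alloc_len_unchecked(uint64_t size)
{
    return (uint32_t)size + 1u;
}

/* Hardened pattern: refuse sizes that would wrap or exceed the bytes left
 * in the archive after this header (`remaining`). Returns 0 if accepted. */
static int alloc_len_checked(uint64_t size, uint64_t remaining, size_t *len)
{
    if (size >= UINT32_MAX || size > remaining) return -1;
    *len = (size_t)size + 1;
    return 0;
}

/* Constructed sample header: all zero except the size field (<= 12 chars). */
static void make_header(unsigned char *hdr, const char *octal)
{
    memset(hdr, 0, 512);
    memcpy(hdr + TAR_SIZE_OFF, octal, strlen(octal));
}

int main(void)
{
    unsigned char h[512]; uint64_t sz = 0; size_t len = 0;
    make_header(h, "37777777777");           /* octal for 0xFFFFFFFF */
    tar_entry_size(h, &sz);
    printf("unchecked alloc length: %u\n", (unsigned)alloc_len_unchecked(sz));
    printf("checked result: %d\n", alloc_len_checked(sz, 1024, &len));
    return 0;
}
```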
Comment 3 William Murphy 2012-06-14 22:40:57 CEST
Created attachment 2458 [details]
Testcase for CVE-2012-2386

Decoded archive from http://0x1byte.blogspot.com/2011/04/php-phar-extension-heap-overflow.html
Comment 4 David Walser 2012-06-14 22:54:04 CEST
(In reply to comment #2)
> The php-phar patch tests Ok. 2 packages failed to update:
> 
> - php-pgsql-5.3.13-1.2.mga2.x86_64 (due to unsatisfied libpq.so.5()(64bit))
> - php-pdo_pgsql-5.3.13-1.2.mga2.x86_64 (due to conflicts with
> libpq9.1_5-9.1.4-1.mga2.i586, trying to promote libpq.so.5()(64bit))
> 
> libpq.so.5 is in lib64pq9.1_5, which is installed. Seems like a version
> conflict. There is an upgrade available for postgresql i586, but not for
> x86_64.
> Do these modules expect an upgraded postgresql?

From that error message it looks like you have the i586 libpq9.1_5 package installed on your system instead of the x86_64 one and they are in conflict.
Comment 5 William Murphy 2012-06-15 05:23:38 CEST
The installed library on the system is the 64 bit version (lib64pq9.1_5-9.1.3-1.mga2). 

The error message suggests that urpmi tried to promote libpq9 from the 64 bit to newer 32 bit version and failed. I checked the installed /usr/lib64/libpq.so.5 to make sure it wasn't a 32 bit lib:

/usr/lib64/libpq.so.5 -> libpq.so.5.4*

$ file /usr/lib64/libpq.so.5.4
/usr/lib64/libpq.so.5.4: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0xaa561f82b2885f99f25dcb82a0fd8955abca4e57, stripped

Both php-pgsql and php-pdo_pgsql require libpq.so.5()(64bit), which is installed. That didn't make much sense, so made note of it here.
Comment 6 David Walser 2012-06-15 05:32:54 CEST
William, I just read your original message again.  Is something wrong with the mirror you're using?  I see the update libpq9.1_5 on both i586 and x86_64 on the mirror I just checked.  I guess the error you saw could make sense if your mirror was indeed missing the x86_64 update.
Comment 7 William Murphy 2012-06-15 06:13:26 CEST
They are there. My fault, unchecked box in update media.

All updated and working Ok on mga2 64.
Comment 8 David Walser 2012-06-15 15:27:33 CEST
Thanks for testing William.  I was worried this might happen, but upstream has issued a new version, Mandriva has updated it (including for 2010.2), and another CVE has been fixed.  So, I'll have to build a new update.

Mandriva has issued an advisory today (June 15):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:093

This updates to 5.3.14 and adds an additional CVE, CVE-2012-2143.
Comment 9 David Walser 2012-06-15 22:28:56 CEST
Updated packages uploaded.  php-eaccelerator and php-gd-bundled were rebuilt.

Advisory:
========================

Updated php packages fix security vulnerabilities:

There is a programming error in the DES implementation used in crypt()
in ext/standard/crypt_freesec.c when handling input which contains
characters that can not be represented with 7-bit ASCII. When the input
contains characters with only the most significant bit set (0x80), that
character and all characters after it will be ignored (CVE-2012-2143).

An integer overflow, leading to heap-based buffer overflow was found in
the way Phar extension of the PHP scripting language processed certain
fields by manipulating TAR files. A remote attacker could provide a
specially-crafted TAR archive file, which once processed in a PHP
application using the Phar extension could lead to denial of service
(application crash), or, potentially arbitrary code execution with
the privileges of the user running the application (CVE-2012-2386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143
https://bugzilla.redhat.com/show_bug.cgi?id=823594
http://www.php.net/ChangeLog-5.php#5.3.14
http://secunia.com/advisories/44335
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html
http://www.debian.org/security/2012/dsa-2492
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:093
========================

Updated packages in core/updates_testing:
========================
php-eaccelerator-0.9.6.1-10.1.mga2
php-gd-bundled-5.3.14-1.mga2
php-ini-5.3.14-1.mga2
php-cli-5.3.14-1.mga2
php-cgi-5.3.14-1.mga2
php-fpm-5.3.14-1.mga2
apache-mod_php-5.3.14-1.mga2
libphp5_common5-5.3.14-1.mga2
php-devel-5.3.14-1.mga2
php-openssl-5.3.14-1.mga2
php-zlib-5.3.14-1.mga2
php-bcmath-5.3.14-1.mga2
php-bz2-5.3.14-1.mga2
php-calendar-5.3.14-1.mga2
php-ctype-5.3.14-1.mga2
php-curl-5.3.14-1.mga2
php-dba-5.3.14-1.mga2
php-dom-5.3.14-1.mga2
php-enchant-5.3.14-1.mga2
php-exif-5.3.14-1.mga2
php-fileinfo-5.3.14-1.mga2
php-filter-5.3.14-1.mga2
php-ftp-5.3.14-1.mga2
php-gd-5.3.14-1.mga2
php-gettext-5.3.14-1.mga2
php-gmp-5.3.14-1.mga2
php-hash-5.3.14-1.mga2
php-iconv-5.3.14-1.mga2
php-imap-5.3.14-1.mga2
php-intl-5.3.14-1.mga2
php-json-5.3.14-1.mga2
php-ldap-5.3.14-1.mga2
php-mbstring-5.3.14-1.mga2
php-mcrypt-5.3.14-1.mga2
php-mssql-5.3.14-1.mga2
php-mysql-5.3.14-1.mga2
php-mysqli-5.3.14-1.mga2
php-mysqlnd-5.3.14-1.mga2
php-odbc-5.3.14-1.mga2
php-pcntl-5.3.14-1.mga2
php-pdo-5.3.14-1.mga2
php-pdo_dblib-5.3.14-1.mga2
php-pdo_mysql-5.3.14-1.mga2
php-pdo_odbc-5.3.14-1.mga2
php-pdo_pgsql-5.3.14-1.mga2
php-pdo_sqlite-5.3.14-1.mga2
php-pgsql-5.3.14-1.mga2
php-phar-5.3.14-1.mga2
php-posix-5.3.14-1.mga2
php-readline-5.3.14-1.mga2
php-recode-5.3.14-1.mga2
php-session-5.3.14-1.mga2
php-shmop-5.3.14-1.mga2
php-snmp-5.3.14-1.mga2
php-soap-5.3.14-1.mga2
php-sockets-5.3.14-1.mga2
php-sqlite3-5.3.14-1.mga2
php-sqlite-5.3.14-1.mga2
php-sybase_ct-5.3.14-1.mga2
php-sysvmsg-5.3.14-1.mga2
php-sysvsem-5.3.14-1.mga2
php-sysvshm-5.3.14-1.mga2
php-tidy-5.3.14-1.mga2
php-tokenizer-5.3.14-1.mga2
php-xml-5.3.14-1.mga2
php-xmlreader-5.3.14-1.mga2
php-xmlrpc-5.3.14-1.mga2
php-xmlwriter-5.3.14-1.mga2
php-xsl-5.3.14-1.mga2
php-wddx-5.3.14-1.mga2
php-zip-5.3.14-1.mga2

from SRPMS:
php-eaccelerator-0.9.6.1-10.1.mga2.src.rpm
php-gd-bundled-5.3.14-1.mga2.src.rpm
php-5.3.14-1.mga2.src.rpm
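The truncation described in the CVE-2012-2143 advisory text above, as an added C example that is not the PHP source and not part of the original thread: a simplified model of DES crypt() key set-up in which each password byte is shifted left by one bit, with a flawed and a corrected end-of-string test. The function names and sample passwords are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of DES crypt() key set-up: the first 8 password bytes
 * are shifted left one bit into an 8-byte key buffer. Illustrative only. */

/* Flawed: advances only if the SHIFTED byte is non-zero. 0x80 << 1 cut to
 * 8 bits is 0, so 0x80 is taken for the terminator and the rest is lost. */
static void key_setup_flawed(const char *pw, unsigned char *out)
{
    const unsigned char *key = (const unsigned char *)pw;
    for (int i = 0; i < 8; i++) {
        out[i] = (unsigned char)(*key << 1);
        if (out[i])
            key++;
    }
}

/* Corrected: tests the ORIGINAL byte, so only a real NUL ends the input. */
static void key_setup_fixed(const char *pw, unsigned char *out)
{
    const unsigned char *key = (const unsigned char *)pw;
    for (int i = 0; i < 8; i++) {
        out[i] = (unsigned char)(*key << 1);
        if (*key)
            key++;
    }
}

/* Returns 1 when both passwords yield identical 8-byte key material. */
static int same_key(void (*setup)(const char *, unsigned char *),
                    const char *a, const char *b)
{
    unsigned char ka[8], kb[8];
    setup(a, ka);
    setup(b, kb);
    return memcmp(ka, kb, 8) == 0;
}

int main(void)
{
    /* Constructed passwords that differ only after the 0x80 byte. */
    const char *p1 = "ab\x80" "cdefg";
    const char *p2 = "ab\x80" "zzzzz";
    printf("flawed: same key = %d\n", same_key(key_setup_flawed, p1, p2));
    printf("fixed:  same key = %d\n", same_key(key_setup_fixed, p1, p2));
    return 0;
}
```

With the flawed test, any two passwords sharing the prefix before the first 0x80 byte hash identically, so hashes created for such passwords on an unpatched build should be regenerated after updating.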
Comment 10 William Murphy 2012-06-18 12:10:24 CEST
Created attachment 2469 [details]
PoC test against CVE-2012-2143

Upstream patch provided PoC test code. Extracted code from patch at:

http://git.php.net/?p=php-src.git;a=commitdiff;h=aab49e934de1fff046e659cbec46e3d053b41c34

Tested on mga2 i586 & x86_64 with same results.
Comment 11 William Murphy 2012-06-18 12:18:01 CEST
Update validated.
Thank you.

Advisory:
========================

Updated php packages fix security vulnerabilities:

There is a programming error in the DES implementation used in crypt()
in ext/standard/crypt_freesec.c when handling input which contains
characters that can not be represented with 7-bit ASCII. When the input
contains characters with only the most significant bit set (0x80), that
character and all characters after it will be ignored (CVE-2012-2143).

An integer overflow, leading to heap-based buffer overflow was found in
the way Phar extension of the PHP scripting language processed certain
fields by manipulating TAR files. A remote attacker could provide a
specially-crafted TAR archive file, which once processed in a PHP
application using the Phar extension could lead to denial of service
(application crash), or, potentially arbitrary code execution with
the privileges of the user running the application (CVE-2012-2386).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143
https://bugzilla.redhat.com/show_bug.cgi?id=823594
http://www.php.net/ChangeLog-5.php#5.3.14
http://secunia.com/advisories/44335
http://lists.opensuse.org/opensuse-updates/2012-06/msg00002.html
http://www.debian.org/security/2012/dsa-2492
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:093
========================
Updated packages in core/updates_testing:
========================
php-ini-5.3.13-1.1.mga2
php-cli-5.3.13-1.1.mga2
php-cgi-5.3.13-1.1.mga2
php-fpm-5.3.13-1.1.mga2
apache-mod_php-5.3.13-1.1.mga2
libphp5_common5-5.3.13-1.1.mga2
php-devel-5.3.13-1.1.mga2
php-openssl-5.3.13-1.1.mga2
php-zlib-5.3.13-1.1.mga2
php-bcmath-5.3.13-1.1.mga2
php-bz2-5.3.13-1.1.mga2
php-calendar-5.3.13-1.1.mga2
php-ctype-5.3.13-1.1.mga2
php-curl-5.3.13-1.1.mga2
php-dba-5.3.13-1.1.mga2
php-dom-5.3.13-1.1.mga2
php-enchant-5.3.13-1.1.mga2
php-exif-5.3.13-1.1.mga2
php-fileinfo-5.3.13-1.1.mga2
php-filter-5.3.13-1.1.mga2
php-ftp-5.3.13-1.1.mga2
php-gd-5.3.13-1.1.mga2
php-gettext-5.3.13-1.1.mga2
php-gmp-5.3.13-1.1.mga2
php-hash-5.3.13-1.1.mga2
php-iconv-5.3.13-1.1.mga2
php-imap-5.3.13-1.1.mga2
php-intl-5.3.13-1.1.mga2
php-json-5.3.13-1.1.mga2
php-ldap-5.3.13-1.1.mga2
php-mbstring-5.3.13-1.1.mga2
php-mcrypt-5.3.13-1.1.mga2
php-mssql-5.3.13-1.1.mga2
php-mysql-5.3.13-1.1.mga2
php-mysqli-5.3.13-1.1.mga2
php-mysqlnd-5.3.13-1.1.mga2
php-odbc-5.3.13-1.1.mga2
php-pcntl-5.3.13-1.1.mga2
php-pdo-5.3.13-1.1.mga2
php-pdo_dblib-5.3.13-1.1.mga2
php-pdo_mysql-5.3.13-1.1.mga2
php-pdo_odbc-5.3.13-1.1.mga2
php-pdo_pgsql-5.3.13-1.1.mga2
php-pdo_sqlite-5.3.13-1.1.mga2
php-pgsql-5.3.13-1.1.mga2
php-phar-5.3.13-1.1.mga2
php-posix-5.3.13-1.1.mga2
php-readline-5.3.13-1.1.mga2
php-recode-5.3.13-1.1.mga2
php-session-5.3.13-1.1.mga2
php-shmop-5.3.13-1.1.mga2
php-snmp-5.3.13-1.1.mga2
php-soap-5.3.13-1.1.mga2
php-sockets-5.3.13-1.1.mga2
php-sqlite3-5.3.13-1.1.mga2
php-sqlite-5.3.13-1.1.mga2
php-sybase_ct-5.3.13-1.1.mga2
php-sysvmsg-5.3.13-1.1.mga2
php-sysvsem-5.3.13-1.1.mga2
php-sysvshm-5.3.13-1.1.mga2
php-tidy-5.3.13-1.1.mga2
php-tokenizer-5.3.13-1.1.mga2
php-xml-5.3.13-1.1.mga2
php-xmlreader-5.3.13-1.1.mga2
php-xmlrpc-5.3.13-1.1.mga2
php-xmlwriter-5.3.13-1.1.mga2
php-xsl-5.3.13-1.1.mga2
php-wddx-5.3.13-1.1.mga2
php-zip-5.3.13-1.1.mga2

from php-5.3.13-1.1.mga2.src.rpm

----------------

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------------------------------------------------------
Comment 12 Thomas Backlund 2012-06-19 19:40:00 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0118


Note:

comment 11 listed wrong rpms and missed some srpms, so I used list from comment 9
