Mandriva has issued an advisory today (July 23): http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:108 Mageia 1 and 2 are also affected. These can be fixed by upgrading to PHP 5.3.15 and 5.4.5. Mandriva also updated php-timezonedb, so it would be good to follow suit. Also, just as a reminder, the apache-mod_php requires on apache-mpm should be changed to apache in Mageia 2.
CC: (none) => thomas
Whiteboard: (none) => MGA2TOO, MGA1TOO
I have fixed this in Mageia 1 and Mageia 2. Thomas, can you take care of updating to 5.4.5 in Cauldron?
Note to self: I haven't updated php-timezonedb in Mageia 1 and 2 yet :o)
Additional note to self: rebuild php-eaccelerator and php-gd-bundled.
Packages uploaded so far:
php-ini-5.3.15-1.mga1 php-cli-5.3.15-1.mga1 php-cgi-5.3.15-1.mga1 php-fpm-5.3.15-1.mga1 apache-mod_php-5.3.15-1.mga1 libphp5_common5-5.3.15-1.mga1 php-devel-5.3.15-1.mga1 php-openssl-5.3.15-1.mga1 php-zlib-5.3.15-1.mga1 php-doc-5.3.15-1.mga1 php-bcmath-5.3.15-1.mga1 php-bz2-5.3.15-1.mga1 php-calendar-5.3.15-1.mga1 php-ctype-5.3.15-1.mga1 php-curl-5.3.15-1.mga1 php-dba-5.3.15-1.mga1 php-dom-5.3.15-1.mga1 php-enchant-5.3.15-1.mga1 php-exif-5.3.15-1.mga1 php-fileinfo-5.3.15-1.mga1 php-filter-5.3.15-1.mga1 php-ftp-5.3.15-1.mga1 php-gd-5.3.15-1.mga1 php-gettext-5.3.15-1.mga1 php-gmp-5.3.15-1.mga1 php-hash-5.3.15-1.mga1 php-iconv-5.3.15-1.mga1 php-imap-5.3.15-1.mga1 php-intl-5.3.15-1.mga1 php-json-5.3.15-1.mga1 php-ldap-5.3.15-1.mga1 php-mbstring-5.3.15-1.mga1 php-mcrypt-5.3.15-1.mga1 php-mssql-5.3.15-1.mga1 php-mysql-5.3.15-1.mga1 php-mysqli-5.3.15-1.mga1 php-mysqlnd-5.3.15-1.mga1 php-odbc-5.3.15-1.mga1 php-pcntl-5.3.15-1.mga1 php-pdo-5.3.15-1.mga1 php-pdo_dblib-5.3.15-1.mga1 php-pdo_mysql-5.3.15-1.mga1 php-pdo_odbc-5.3.15-1.mga1 php-pdo_pgsql-5.3.15-1.mga1 php-pdo_sqlite-5.3.15-1.mga1 php-pgsql-5.3.15-1.mga1 php-phar-5.3.15-1.mga1 php-posix-5.3.15-1.mga1 php-pspell-5.3.15-1.mga1 php-readline-5.3.15-1.mga1 php-recode-5.3.15-1.mga1 php-session-5.3.15-1.mga1 php-shmop-5.3.15-1.mga1 php-snmp-5.3.15-1.mga1 php-soap-5.3.15-1.mga1 php-sockets-5.3.15-1.mga1 php-sqlite3-5.3.15-1.mga1 php-sqlite-5.3.15-1.mga1 php-sybase_ct-5.3.15-1.mga1 php-sysvmsg-5.3.15-1.mga1 php-sysvsem-5.3.15-1.mga1 php-sysvshm-5.3.15-1.mga1 php-tidy-5.3.15-1.mga1 php-tokenizer-5.3.15-1.mga1 php-xml-5.3.15-1.mga1 php-xmlreader-5.3.15-1.mga1 php-xmlrpc-5.3.15-1.mga1 php-xmlwriter-5.3.15-1.mga1 php-xsl-5.3.15-1.mga1 php-wddx-5.3.15-1.mga1 php-zip-5.3.15-1.mga1
php-ini-5.3.15-1.mga2 php-cli-5.3.15-1.mga2 php-cgi-5.3.15-1.mga2 php-fpm-5.3.15-1.mga2 apache-mod_php-5.3.15-1.mga2 libphp5_common5-5.3.15-1.mga2 php-devel-5.3.15-1.mga2 php-openssl-5.3.15-1.mga2 php-zlib-5.3.15-1.mga2 php-bcmath-5.3.15-1.mga2 php-bz2-5.3.15-1.mga2 php-calendar-5.3.15-1.mga2 php-ctype-5.3.15-1.mga2 php-curl-5.3.15-1.mga2 php-dba-5.3.15-1.mga2 php-dom-5.3.15-1.mga2 php-enchant-5.3.15-1.mga2 php-exif-5.3.15-1.mga2 php-fileinfo-5.3.15-1.mga2 php-filter-5.3.15-1.mga2 php-ftp-5.3.15-1.mga2 php-gd-5.3.15-1.mga2 php-gettext-5.3.15-1.mga2 php-gmp-5.3.15-1.mga2 php-hash-5.3.15-1.mga2 php-iconv-5.3.15-1.mga2 php-imap-5.3.15-1.mga2 php-intl-5.3.15-1.mga2 php-json-5.3.15-1.mga2 php-ldap-5.3.15-1.mga2 php-mbstring-5.3.15-1.mga2 php-mcrypt-5.3.15-1.mga2 php-mssql-5.3.15-1.mga2 php-mysql-5.3.15-1.mga2 php-mysqli-5.3.15-1.mga2 php-mysqlnd-5.3.15-1.mga2 php-odbc-5.3.15-1.mga2 php-pcntl-5.3.15-1.mga2 php-pdo-5.3.15-1.mga2 php-pdo_dblib-5.3.15-1.mga2 php-pdo_mysql-5.3.15-1.mga2 php-pdo_odbc-5.3.15-1.mga2 php-pdo_pgsql-5.3.15-1.mga2 php-pdo_sqlite-5.3.15-1.mga2 php-pgsql-5.3.15-1.mga2 php-phar-5.3.15-1.mga2 php-posix-5.3.15-1.mga2 php-readline-5.3.15-1.mga2 php-recode-5.3.15-1.mga2 php-session-5.3.15-1.mga2 php-shmop-5.3.15-1.mga2 php-snmp-5.3.15-1.mga2 php-soap-5.3.15-1.mga2 php-sockets-5.3.15-1.mga2 php-sqlite3-5.3.15-1.mga2 php-sqlite-5.3.15-1.mga2 php-sybase_ct-5.3.15-1.mga2 php-sysvmsg-5.3.15-1.mga2 php-sysvsem-5.3.15-1.mga2 php-sysvshm-5.3.15-1.mga2 php-tidy-5.3.15-1.mga2 php-tokenizer-5.3.15-1.mga2 php-xml-5.3.15-1.mga2 php-xmlreader-5.3.15-1.mga2 php-xmlrpc-5.3.15-1.mga2 php-xmlwriter-5.3.15-1.mga2 php-xsl-5.3.15-1.mga2 php-wddx-5.3.15-1.mga2 php-zip-5.3.15-1.mga2
from SRPMS:
php-ini-5.3.15-1.mga1.src.rpm php-5.3.15-1.mga1.src.rpm php-5.3.15-1.mga2.src.rpm
php-timezonedb is updated in Cauldron. php-timezonedb, php-eaccelerator, and php-gd-bundled are done in SVN for Mageia 1 and 2 and ready to be pushed to the build system. I forgot to fix the requires in Mageia 2, so I'll need to rebuild that.
Thomas, thanks for building PHP 5.4.5. I tried rebuilding eaccelerator against it, but it didn't build because it doesn't support PHP 5.4. I checked upstream and as of today the project has moved to github and the current git branch supports PHP 5.4. Could you update it?
I was waiting for 5.4.5 to rebuild the others. I need to upgrade quite a few packages and will do so but it will take some time.
All packages are now available for testing. Note to QA: there was a requires change for apache-mod_php in Mageia 2 (changed from apache-mpm to apache). Not sure if that affects 2317 or not. This was done to fix an issue reported in Bug 6534. Another note to QA: I have already tested these myself on Mageia 1 and Mageia 2 i586 with my normal testcases from https://bugs.mageia.org/show_bug.cgi?id=3895#c35 and can confirm they work fine.

Advisory:
========================

Updated php packages fix security vulnerabilities:

Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an overflow (CVE-2012-2688).

The SQLite functionality in PHP before 5.3.15 allows remote attackers to bypass the open_basedir protection mechanism via unspecified vectors (CVE-2012-3365).

The updated packages have been upgraded to the 5.3.15 version which is not vulnerable to these issues. Additionally, the php-timezonedb package has been upgraded to the latest version as well. Finally, apache-mod_php in Mageia 2 now requires apache, so that it will provide a fully functioning web server.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2688
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3365
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:108
========================

Updated packages in core/updates_testing:
========================
php-ini-5.3.15-1.mga1 php-cli-5.3.15-1.mga1 php-cgi-5.3.15-1.mga1 php-fpm-5.3.15-1.mga1 apache-mod_php-5.3.15-1.mga1 libphp5_common5-5.3.15-1.mga1 php-devel-5.3.15-1.mga1 php-openssl-5.3.15-1.mga1 php-zlib-5.3.15-1.mga1 php-doc-5.3.15-1.mga1 php-bcmath-5.3.15-1.mga1 php-bz2-5.3.15-1.mga1 php-calendar-5.3.15-1.mga1 php-ctype-5.3.15-1.mga1 php-curl-5.3.15-1.mga1 php-dba-5.3.15-1.mga1 php-dom-5.3.15-1.mga1 php-enchant-5.3.15-1.mga1 php-exif-5.3.15-1.mga1 php-fileinfo-5.3.15-1.mga1 php-filter-5.3.15-1.mga1 php-ftp-5.3.15-1.mga1 php-gd-5.3.15-1.mga1 php-gettext-5.3.15-1.mga1 php-gmp-5.3.15-1.mga1 php-hash-5.3.15-1.mga1 php-iconv-5.3.15-1.mga1 php-imap-5.3.15-1.mga1 php-intl-5.3.15-1.mga1 php-json-5.3.15-1.mga1 php-ldap-5.3.15-1.mga1 php-mbstring-5.3.15-1.mga1 php-mcrypt-5.3.15-1.mga1 php-mssql-5.3.15-1.mga1 php-mysql-5.3.15-1.mga1 php-mysqli-5.3.15-1.mga1 php-mysqlnd-5.3.15-1.mga1 php-odbc-5.3.15-1.mga1 php-pcntl-5.3.15-1.mga1 php-pdo-5.3.15-1.mga1 php-pdo_dblib-5.3.15-1.mga1 php-pdo_mysql-5.3.15-1.mga1 php-pdo_odbc-5.3.15-1.mga1 php-pdo_pgsql-5.3.15-1.mga1 php-pdo_sqlite-5.3.15-1.mga1 php-pgsql-5.3.15-1.mga1 php-phar-5.3.15-1.mga1 php-posix-5.3.15-1.mga1 php-pspell-5.3.15-1.mga1 php-readline-5.3.15-1.mga1 php-recode-5.3.15-1.mga1 php-session-5.3.15-1.mga1 php-shmop-5.3.15-1.mga1 php-snmp-5.3.15-1.mga1 php-soap-5.3.15-1.mga1 php-sockets-5.3.15-1.mga1 php-sqlite3-5.3.15-1.mga1 php-sqlite-5.3.15-1.mga1 php-sybase_ct-5.3.15-1.mga1 php-sysvmsg-5.3.15-1.mga1 php-sysvsem-5.3.15-1.mga1 php-sysvshm-5.3.15-1.mga1 php-tidy-5.3.15-1.mga1 php-tokenizer-5.3.15-1.mga1 php-xml-5.3.15-1.mga1 php-xmlreader-5.3.15-1.mga1 php-xmlrpc-5.3.15-1.mga1 php-xmlwriter-5.3.15-1.mga1 php-xsl-5.3.15-1.mga1 php-wddx-5.3.15-1.mga1 php-zip-5.3.15-1.mga1 php-gd-bundled-5.3.15-1.mga1 php-eaccelerator-0.9.6.1-6.7.mga1 php-eaccelerator-admin-0.9.6.1-6.7.mga1 php-timezonedb-2012.4-1.mga1
php-ini-5.3.15-1.mga2 php-cli-5.3.15-1.mga2 php-cgi-5.3.15-1.mga2 php-fpm-5.3.15-1.mga2 apache-mod_php-5.3.15-1.mga2 libphp5_common5-5.3.15-1.mga2 php-devel-5.3.15-1.mga2 php-openssl-5.3.15-1.mga2 php-zlib-5.3.15-1.mga2 php-bcmath-5.3.15-1.mga2 php-bz2-5.3.15-1.mga2 php-calendar-5.3.15-1.mga2 php-ctype-5.3.15-1.mga2 php-curl-5.3.15-1.mga2 php-dba-5.3.15-1.mga2 php-dom-5.3.15-1.mga2 php-enchant-5.3.15-1.mga2 php-exif-5.3.15-1.mga2 php-fileinfo-5.3.15-1.mga2 php-filter-5.3.15-1.mga2 php-ftp-5.3.15-1.mga2 php-gd-5.3.15-1.mga2 php-gettext-5.3.15-1.mga2 php-gmp-5.3.15-1.mga2 php-hash-5.3.15-1.mga2 php-iconv-5.3.15-1.mga2 php-imap-5.3.15-1.mga2 php-intl-5.3.15-1.mga2 php-json-5.3.15-1.mga2 php-ldap-5.3.15-1.mga2 php-mbstring-5.3.15-1.mga2 php-mcrypt-5.3.15-1.mga2 php-mssql-5.3.15-1.mga2 php-mysql-5.3.15-1.mga2 php-mysqli-5.3.15-1.mga2 php-mysqlnd-5.3.15-1.mga2 php-odbc-5.3.15-1.mga2 php-pcntl-5.3.15-1.mga2 php-pdo-5.3.15-1.mga2 php-pdo_dblib-5.3.15-1.mga2 php-pdo_mysql-5.3.15-1.mga2 php-pdo_odbc-5.3.15-1.mga2 php-pdo_pgsql-5.3.15-1.mga2 php-pdo_sqlite-5.3.15-1.mga2 php-pgsql-5.3.15-1.mga2 php-phar-5.3.15-1.mga2 php-posix-5.3.15-1.mga2 php-readline-5.3.15-1.mga2 php-recode-5.3.15-1.mga2 php-session-5.3.15-1.mga2 php-shmop-5.3.15-1.mga2 php-snmp-5.3.15-1.mga2 php-soap-5.3.15-1.mga2 php-sockets-5.3.15-1.mga2 php-sqlite3-5.3.15-1.mga2 php-sqlite-5.3.15-1.mga2 php-sybase_ct-5.3.15-1.mga2 php-sysvmsg-5.3.15-1.mga2 php-sysvsem-5.3.15-1.mga2 php-sysvshm-5.3.15-1.mga2 php-tidy-5.3.15-1.mga2 php-tokenizer-5.3.15-1.mga2 php-xml-5.3.15-1.mga2 php-xmlreader-5.3.15-1.mga2 php-xmlrpc-5.3.15-1.mga2 php-xmlwriter-5.3.15-1.mga2 php-xsl-5.3.15-1.mga2 php-wddx-5.3.15-1.mga2 php-zip-5.3.15-1.mga2 php-gd-bundled-5.3.15-1.mga2 php-eaccelerator-0.9.6.1-10.2.mga2 php-eaccelerator-admin-0.9.6.1-10.2.mga2 php-timezonedb-2012.4-1.mga2
from SRPMS:
php-ini-5.3.15-1.mga1.src.rpm php-5.3.15-1.mga1.src.rpm php-gd-bundled-5.3.15-1.mga1.src.rpm php-eaccelerator-0.9.6.1-6.7.mga1.src.rpm php-5.3.15-1.mga2.src.rpm php-timezonedb-2012.4-1.mga1.src.rpm php-gd-bundled-5.3.15-1.mga2.src.rpm php-eaccelerator-0.9.6.1-10.2.mga2.src.rpm php-timezonedb-2012.4-1.mga2.src.rpm
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
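An added QA helper, not part of this bug report or of the Mageia packages: it checks an installed-package listing against the advisory's fixed-in versions (5.3.15 for the 5.3 branch, 5.4.5 for the 5.4 branch) and verifies the apache-mod_php requires change from Bug 6534. The input lines are constructed here to mimic `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output so the script runs offline; the function names are assumptions of this example.

```python
import re

# Fixed-in versions from the advisory: 5.3 branch fixed in 5.3.15, 5.4 branch in 5.4.5
FIXED = {(5, 3): (5, 3, 15), (5, 4): (5, 4, 5)}

def parse_version(evr):
    """Reduce an rpm [epoch:]version-release string to a numeric (major, minor, patch)."""
    ver = evr.split(":", 1)[-1].split("-", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", ver)[:3])

def is_fixed(evr):
    """True if this PHP version is at or past the advisory's fixed version for its branch."""
    v = parse_version(evr)
    if v[:2] in FIXED:
        return v >= FIXED[v[:2]]
    # Anything older than 5.3 is "before 5.3.15"; 5.5 and later postdate the fix.
    return v >= (5, 5)

def audit(rpm_lines):
    """Return (name, evr) for every listed package still below the fixed version."""
    vulnerable = []
    for line in rpm_lines.splitlines():
        if not line.strip():
            continue
        name, evr = line.split(None, 1)
        if not is_fixed(evr.strip()):
            vulnerable.append((name, evr.strip()))
    return vulnerable

def mod_php_requires_ok(requires):
    """Mageia 2 fix from Bug 6534: apache-mod_php must require 'apache' so that a
    working web server is pulled in, not only 'apache-mpm'. `requires` mimics `rpm -qR`."""
    names = {r.split()[0] for r in requires}
    return "apache" in names

# Constructed sample listing (hypothetical hosts, not the real updates_testing set)
SAMPLE = """\
php-cli 5.3.15-1.mga1
php-sqlite 5.3.13-1.mga2
apache-mod_php 5.4.5-1.mga2
php-pdo_sqlite 5.4.4-2.mga2
"""

if __name__ == "__main__":
    for name, evr in audit(SAMPLE):
        print(f"still vulnerable: {name} {evr}")
```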
Testing on Mageia 1 i586, Mageia 1 x86_64, Mageia 2 i586 and Mageia 2 x86_64. Following David's normal testcases from https://bugs.mageia.org/show_bug.cgi?id=3895#c35, the cgi counters worked before and after updates for all releases. The survey.html page sent an email response to the user account for each release as well, then redirected to counter. Update validated. See comment #8 (above) for advisory and package listing.
Keywords: (none) => validated_update
CC: (none) => fcs, sysadmin-bugs
Whiteboard: MGA1TOO => MGA1TOO, mga2-32-OK, mga1-32-OK, mga1-64-OK, mga2-64-OK
William, would you be willing to extract from previous PHP updates a testing procedure for PHP updates, for addition to the wiki? https://wiki.mageia.org/en/QA_testing_procedures
CC: (none) => stormi
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0186
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED