Hello, I have updated php for mga2 as a proposed update candidate. These are the source rpm packages involved:
php-5.3.20-1.mga2.src.rpm
php-eaccelerator-0.9.6.1-10.6.mga2.src.rpm
php-firebird-5.3.20-1.mga2.src.rpm
php-gd-bundled-5.3.20-1.mga2.src.rpm
php-apc-3.1.13-1.1.mga2.src.rpm
php-pdo_firebird-5.3.20-1.mga2.src.rpm
I use this in production. I pushed the new version for Mandriva as of: http://www.mandriva.com/security/advisories?name=MDVA-2012:070
Cheers // Santa
Proposed advisory: This is a maintenance and bugfix release that upgrades php to the latest 5.3.20 version, which resolves various upstream bugs in php. Additionally the php-eaccelerator, php-firebird, php-gd-bundled, php-apc and php-pdo_firebird packages have been rebuilt for the new php version.
References: http://www.php.net/ChangeLog-5.php#5.3.20
If the update is ready, feel free to reassign to QA: https://wiki.mageia.org/en/Updates_policy
qateam, please see comment 1+2
Assignee: bugsquad => qa-bugs
Oden, could you list the rpms as well as the srpms please. We install the rpms in QA but need to know the srpms too for sysadmin. Is the list below correct?

SRPM: php-5.3.20-1.mga2.src.rpm
-------------------------------
apache-mod_php
lib64php5_common5
php-bcmath
php-bz2
php-calendar
php-cgi
php-cli
php-ctype
php-curl
php-dba
php-devel
php-dom
php-enchant
php-exif
php-fileinfo
php-filter
php-fpm
php-ftp
php-gd
php-gettext
php-gmp
php-hash
php-iconv
php-imap
php-ini
php-intl
php-json
php-ldap
php-mbstring
php-mcrypt
php-mssql
php-mysqli
php-mysqlnd
php-mysql
php-odbc
php-openssl
php-pcntl
php-pdo_dblib
php-pdo_mysql
php-pdo_odbc
php-pdo_pgsql
php-pdo
php-pdo_sqlite
php-pgsql
php-phar
php-posix
php-readline
php-recode
php-session
php-shmop
php-snmp
php-soap
php-sockets
php-sqlite3
php-sqlite
php-sybase_ct
php-sysvmsg
php-sysvsem
php-sysvshm
php-tidy
php-tokenizer
php-wddx
php-xml
php-xmlreader
php-xmlrpc
php-xmlwriter
php-xsl
php-zip
php-zlib

SRPM: php-eaccelerator-0.9.6.1-10.6.mga2.src.rpm
------------------------------------------------
php-eaccelerator-admin
php-eaccelerator

SRPM: php-apc-3.1.13-1.1.mga2.src.rpm
-------------------------------------
php-apc-admin
php-apc

SRPM: php-gd-bundled-5.3.20-1.mga2.src.rpm
------------------------------------------
php-gd-bundled

SRPM: php-firebird-5.3.20-1.mga2.src.rpm
----------------------------------------
php-firebird

SRPM: php-pdo_firebird-5.3.20-1.mga2.src.rpm
--------------------------------------------
php-pdo_firebird
i586:
apache-mod_php-5.3.20-1.mga2.i586.rpm
libphp5_common5-5.3.20-1.mga2.i586.rpm
php-apc-3.1.13-1.1.mga2.i586.rpm
php-apc-admin-3.1.13-1.1.mga2.i586.rpm
php-bcmath-5.3.20-1.mga2.i586.rpm
php-bz2-5.3.20-1.mga2.i586.rpm
php-calendar-5.3.20-1.mga2.i586.rpm
php-cgi-5.3.20-1.mga2.i586.rpm
php-cli-5.3.20-1.mga2.i586.rpm
php-ctype-5.3.20-1.mga2.i586.rpm
php-curl-5.3.20-1.mga2.i586.rpm
php-dba-5.3.20-1.mga2.i586.rpm
php-devel-5.3.20-1.mga2.i586.rpm
php-dom-5.3.20-1.mga2.i586.rpm
php-eaccelerator-0.9.6.1-10.6.mga2.i586.rpm
php-eaccelerator-admin-0.9.6.1-10.6.mga2.i586.rpm
php-enchant-5.3.20-1.mga2.i586.rpm
php-exif-5.3.20-1.mga2.i586.rpm
php-fileinfo-5.3.20-1.mga2.i586.rpm
php-filter-5.3.20-1.mga2.i586.rpm
php-firebird-5.3.20-1.mga2.i586.rpm
php-fpm-5.3.20-1.mga2.i586.rpm
php-ftp-5.3.20-1.mga2.i586.rpm
php-gd-5.3.20-1.mga2.i586.rpm
php-gd-bundled-5.3.20-1.mga2.i586.rpm
php-gettext-5.3.20-1.mga2.i586.rpm
php-gmp-5.3.20-1.mga2.i586.rpm
php-hash-5.3.20-1.mga2.i586.rpm
php-iconv-5.3.20-1.mga2.i586.rpm
php-imap-5.3.20-1.mga2.i586.rpm
php-ini-5.3.20-1.mga2.i586.rpm
php-intl-5.3.20-1.mga2.i586.rpm
php-json-5.3.20-1.mga2.i586.rpm
php-ldap-5.3.20-1.mga2.i586.rpm
php-mbstring-5.3.20-1.mga2.i586.rpm
php-mcrypt-5.3.20-1.mga2.i586.rpm
php-mssql-5.3.20-1.mga2.i586.rpm
php-mysql-5.3.20-1.mga2.i586.rpm
php-mysqli-5.3.20-1.mga2.i586.rpm
php-mysqlnd-5.3.20-1.mga2.i586.rpm
php-odbc-5.3.20-1.mga2.i586.rpm
php-openssl-5.3.20-1.mga2.i586.rpm
php-pcntl-5.3.20-1.mga2.i586.rpm
php-pdo-5.3.20-1.mga2.i586.rpm
php-pdo_dblib-5.3.20-1.mga2.i586.rpm
php-pdo_firebird-5.3.20-1.mga2.i586.rpm
php-pdo_mysql-5.3.20-1.mga2.i586.rpm
php-pdo_odbc-5.3.20-1.mga2.i586.rpm
php-pdo_pgsql-5.3.20-1.mga2.i586.rpm
php-pdo_sqlite-5.3.20-1.mga2.i586.rpm
php-pgsql-5.3.20-1.mga2.i586.rpm
php-phar-5.3.20-1.mga2.i586.rpm
php-posix-5.3.20-1.mga2.i586.rpm
php-readline-5.3.20-1.mga2.i586.rpm
php-recode-5.3.20-1.mga2.i586.rpm
php-session-5.3.20-1.mga2.i586.rpm
php-shmop-5.3.20-1.mga2.i586.rpm
php-snmp-5.3.20-1.mga2.i586.rpm
php-soap-5.3.20-1.mga2.i586.rpm
php-sockets-5.3.20-1.mga2.i586.rpm
php-sqlite3-5.3.20-1.mga2.i586.rpm
php-sqlite-5.3.20-1.mga2.i586.rpm
php-sybase_ct-5.3.20-1.mga2.i586.rpm
php-sysvmsg-5.3.20-1.mga2.i586.rpm
php-sysvsem-5.3.20-1.mga2.i586.rpm
php-sysvshm-5.3.20-1.mga2.i586.rpm
php-tidy-5.3.20-1.mga2.i586.rpm
php-tokenizer-5.3.20-1.mga2.i586.rpm
php-wddx-5.3.20-1.mga2.i586.rpm
php-xml-5.3.20-1.mga2.i586.rpm
php-xmlreader-5.3.20-1.mga2.i586.rpm
php-xmlrpc-5.3.20-1.mga2.i586.rpm
php-xmlwriter-5.3.20-1.mga2.i586.rpm
php-xsl-5.3.20-1.mga2.i586.rpm
php-zip-5.3.20-1.mga2.i586.rpm
php-zlib-5.3.20-1.mga2.i586.rpm

x86_64:
apache-mod_php-5.3.20-1.mga2.x86_64.rpm
lib64php5_common5-5.3.20-1.mga2.x86_64.rpm
php-apc-3.1.13-1.1.mga2.x86_64.rpm
php-apc-admin-3.1.13-1.1.mga2.x86_64.rpm
php-bcmath-5.3.20-1.mga2.x86_64.rpm
php-bz2-5.3.20-1.mga2.x86_64.rpm
php-calendar-5.3.20-1.mga2.x86_64.rpm
php-cgi-5.3.20-1.mga2.x86_64.rpm
php-cli-5.3.20-1.mga2.x86_64.rpm
php-ctype-5.3.20-1.mga2.x86_64.rpm
php-curl-5.3.20-1.mga2.x86_64.rpm
php-dba-5.3.20-1.mga2.x86_64.rpm
php-devel-5.3.20-1.mga2.x86_64.rpm
php-dom-5.3.20-1.mga2.x86_64.rpm
php-eaccelerator-0.9.6.1-10.6.mga2.x86_64.rpm
php-eaccelerator-admin-0.9.6.1-10.6.mga2.x86_64.rpm
php-enchant-5.3.20-1.mga2.x86_64.rpm
php-exif-5.3.20-1.mga2.x86_64.rpm
php-fileinfo-5.3.20-1.mga2.x86_64.rpm
php-filter-5.3.20-1.mga2.x86_64.rpm
php-firebird-5.3.20-1.mga2.x86_64.rpm
php-fpm-5.3.20-1.mga2.x86_64.rpm
php-ftp-5.3.20-1.mga2.x86_64.rpm
php-gd-5.3.20-1.mga2.x86_64.rpm
php-gd-bundled-5.3.20-1.mga2.x86_64.rpm
php-gettext-5.3.20-1.mga2.x86_64.rpm
php-gmp-5.3.20-1.mga2.x86_64.rpm
php-hash-5.3.20-1.mga2.x86_64.rpm
php-iconv-5.3.20-1.mga2.x86_64.rpm
php-imap-5.3.20-1.mga2.x86_64.rpm
php-ini-5.3.20-1.mga2.x86_64.rpm
php-intl-5.3.20-1.mga2.x86_64.rpm
php-json-5.3.20-1.mga2.x86_64.rpm
php-ldap-5.3.20-1.mga2.x86_64.rpm
php-mbstring-5.3.20-1.mga2.x86_64.rpm
php-mcrypt-5.3.20-1.mga2.x86_64.rpm
php-mssql-5.3.20-1.mga2.x86_64.rpm
php-mysql-5.3.20-1.mga2.x86_64.rpm
php-mysqli-5.3.20-1.mga2.x86_64.rpm
php-mysqlnd-5.3.20-1.mga2.x86_64.rpm
php-odbc-5.3.20-1.mga2.x86_64.rpm
php-openssl-5.3.20-1.mga2.x86_64.rpm
php-pcntl-5.3.20-1.mga2.x86_64.rpm
php-pdo-5.3.20-1.mga2.x86_64.rpm
php-pdo_dblib-5.3.20-1.mga2.x86_64.rpm
php-pdo_firebird-5.3.20-1.mga2.x86_64.rpm
php-pdo_mysql-5.3.20-1.mga2.x86_64.rpm
php-pdo_odbc-5.3.20-1.mga2.x86_64.rpm
php-pdo_pgsql-5.3.20-1.mga2.x86_64.rpm
php-pdo_sqlite-5.3.20-1.mga2.x86_64.rpm
php-pgsql-5.3.20-1.mga2.x86_64.rpm
php-phar-5.3.20-1.mga2.x86_64.rpm
php-posix-5.3.20-1.mga2.x86_64.rpm
php-readline-5.3.20-1.mga2.x86_64.rpm
php-recode-5.3.20-1.mga2.x86_64.rpm
php-session-5.3.20-1.mga2.x86_64.rpm
php-shmop-5.3.20-1.mga2.x86_64.rpm
php-snmp-5.3.20-1.mga2.x86_64.rpm
php-soap-5.3.20-1.mga2.x86_64.rpm
php-sockets-5.3.20-1.mga2.x86_64.rpm
php-sqlite3-5.3.20-1.mga2.x86_64.rpm
php-sqlite-5.3.20-1.mga2.x86_64.rpm
php-sybase_ct-5.3.20-1.mga2.x86_64.rpm
php-sysvmsg-5.3.20-1.mga2.x86_64.rpm
php-sysvsem-5.3.20-1.mga2.x86_64.rpm
php-sysvshm-5.3.20-1.mga2.x86_64.rpm
php-tidy-5.3.20-1.mga2.x86_64.rpm
php-tokenizer-5.3.20-1.mga2.x86_64.rpm
php-wddx-5.3.20-1.mga2.x86_64.rpm
php-xml-5.3.20-1.mga2.x86_64.rpm
php-xmlreader-5.3.20-1.mga2.x86_64.rpm
php-xmlrpc-5.3.20-1.mga2.x86_64.rpm
php-xmlwriter-5.3.20-1.mga2.x86_64.rpm
php-xsl-5.3.20-1.mga2.x86_64.rpm
php-zip-5.3.20-1.mga2.x86_64.rpm
php-zlib-5.3.20-1.mga2.x86_64.rpm
Additional update: php-apc-3.1.14-2.mga2:
- fix mdvbz #64711 (Add an APC flavor providing mmap shared memory and pthread mutex locking)

Proposed advisory: The php-apc extension has been upgraded to the latest version (3.1.14) that resolves various upstream bugs. The php-apc extension has been complemented with an additional flavour (apc-mmap+mutex.so) that resolves mdvbz #64711.
Note: in Mageia you can easily switch between different flavours of APC, please have a look at the topmost lines in the /etc/php.d/99_apc.ini file.
References:
https://qa.mandriva.com/show_bug.cgi?id=64711
http://www.mandriva.com/en/support/security/advisories/?name=MDVA-2012:004
http://pecl.php.net/package-changelog.php?package=APC&release=3.1.14
Updated files:
php-apc-3.1.14-2.mga2.src.rpm
php-apc-3.1.14-2.mga2.x86_64.rpm
php-apc-admin-3.1.14-2.mga2.x86_64.rpm
php-apc-debug-3.1.14-2.mga2.x86_64.rpm
php-apc-3.1.14-2.mga2.i586.rpm
php-apc-admin-3.1.14-2.mga2.i586.rpm
php-apc-debug-3.1.14-2.mga2.i586.rpm
Tested x86_64 with zoneminder, wordpress, phpmyadmin and drupal installed with each of sqlite3, mysql and postgresql databases. See bug 8442 for how. php-eaccelerator tested with the admin package by browsing to localhost/php-eaccelerator and logging in with the default credentials admin/eAccelerator, then watching the scripts being parsed, enabling and disabling the services and enabling/disabling the services with the buttons there. Still to test php-apc and php-firebird/php-pdo_firebird.
php-apc-3.1.14 makes apache (with squirrelmail) segfault for me, will check this tomorrow.
php-apc has been rolled back to the previous version (php-apc-3.1.13-1.2.mga2) and should hit the mirrors soon'ish.
php-apc now tested mga2 64. Still to test php-firebird/php-pdo_firebird. php-apc tested with php-apc-admin after changing the default password in /var/www/php-apc/index.php, browsing to http://localhost/php-apc, logging in and watching the cache working.
Forgot to update php-apc before testing d'oh! Works ok but the update clobbers the existing password. It should probably create an rpmnew or rpmold for /var/www/php-apc/index.php
Checked with urpmq --whatrequires-recursive php-firebird and php-pdo_firebird and nothing we have requires them. I can't find any specific way to test them so just checking they install and update ok, which they do. If we can prevent the clobbering of the php-apc password then afaict everything else is ok mga2 64.
(In reply to comment #11)
> Forgot to update php-apc before testing d'oh!
>
> Works ok but the update clobbers the existing password.
>
> It should probably create an rpmnew or rpmold for /var/www/php-apc/index.php

Fixed in cauldron with r344747, but this is probably too invasive for an update.
(In reply to comment #13)
> (In reply to comment #11)
> > Forgot to update php-apc before testing d'oh!
> >
> > Works ok but the update clobbers the existing password.
> >
> > It should probably create an rpmnew or rpmold for /var/www/php-apc/index.php
>
> Fixed in cauldron with r344747, but this is probably too invasive for an
> update.

Humm, maybe not when I start to think about it. One could clear the cache by using clever xss or with shell access, so this is actually more of a security fix.
It just needs to create the /var/www/php-apc/index.php.rpmold when upgrading. Probably rpmold is better than rpmnew as sec fixes could be in the rpmnew.
Fixed, but differently in r344754 (mga2, updates_testing, php-apc-3.1.13-1.3.mga2)
Also, previously, when you wanted to secure /var/www/php-apc/index.php by using a login, this was overwritten/reverted (to no restrictions) with the next release bump. Not good at all...
A few issues, following our conversation on IRC.

The update still clobbers the existing login/password which was previously set in /var/www/php-apc/index.php.

The graph size is now 500 (was 200) which looks huge.

Also, I created the /etc/php-apc/config.php, which you said should get an rpmsave, before applying the update and it hasn't created an rpmsave etc. I didn't alter it from the default contents though before updating.

/etc/php-apc/config.php link so I don't lose it..
http://svnweb.mageia.org/packages/updates/2/php-apc/current/SOURCES/php-apc.config.php?revision=344754&view=co&pathrev=344754

chmod 640 /etc/php-apc/config.php
chown root:apache /etc/php-apc/config.php
(In reply to comment #18)
> A few issues, following our conversation on IRC.
>
> The update still clobbers the existing login/password which was previously set
> in /var/www/php-apc/index.php.
>
> The graph size is now 500 (was 200) which looks huge.
>
> Also, I created the /etc/php-apc/config.php, which you said should get an
> rpmsave, before applying the update and it hasn't create rpmsave etc. I didn't
> alter it from the default contents though before updating.
>
> /etc/php-apc/config.php link so I don't lose it..
> http://svnweb.mageia.org/packages/updates/2/php-apc/current/SOURCES/php-apc.config.php?revision=344754&view=co&pathrev=344754
>
> chmod 640 /etc/php-apc/config.php
> chown root:apache /etc/php-apc/config.php

We covered this as a non-issue on IRC. I changed the graph size to 200 in php-apc-3.1.13-1.4.mga2
Could you summarise the changes you've made please Oden for the advisory. Thanks.
Proposed advisory for php-apc: The authentication logic and how this was handled in the APC admin script in the php-apc-admin package was flawed. If you previously enabled the authentication by setting a password in the /var/www/php-apc/index.php file, the changes would be lost with a possible future update of the package. If the authentication mechanism was not used, local users could access features they shouldn't have access to. This has been addressed by using a new /etc/php-apc/config.php configuration file containing the authentication credentials and more, in a much more safe, secure and update-friendly way.
Additional text for the proposed advisory for php-apc The owner of the system (the root user or equal) has to examine the /etc/php-apc/config.php file for the login name and password. The strong password is automatically generated on new installs.
Having a problem with the php source. Trying to rebuild on Mageia 2 in a VM, which has always worked fine in the past. Now, twice in a row I got the following failure in make check:

TEST 630/6835 [tests/output/bug63377.phpt]
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 130809857 bytes) in /home/<username>/php/BUILD/php-5.3.20/run-tests.php on line 1099
CC: (none) => luigiwalser
David do you consider that a reason not to validate?
Confirmed that if /etc/php-apc/config.php exists and the password is not default then it creates the new one as rpmnew, which will prevent clobbering the settings in future updates. Confirmed the graph size fix and clicked buttons in the admin page, no errors noticed. Testing complete mga2 64 unless David wants to look further into the test failure in comment 23.
Whiteboard: (none) => has_procedure mga2-64-OK
(In reply to comment #23)
> Having a problem with the php source. Trying to rebuild on Mageia 2 in a VM,
> which has always worked fine in the past. Now, twice in a row I got the
> following failure in make check:
>
> TEST 630/6835 [tests/output/bug63377.phpt]
> Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to
> allocate 130809857 bytes) in
> /home/<username>/php/BUILD/php-5.3.20/run-tests.php on line 1099

This is a new test that was added in 5.3.20, and it is buggy. It checks the system's available memory and wants to not try to run it if there isn't enough available, but that check doesn't work, and it tries to run the test anyway. So this test will fail on any system that doesn't have at least 2100MB of free memory. The fix is actually quite simple since it's a stupid error. They tried to convert kilobytes reported in /proc/meminfo to megabytes by *multiplying* by 1024, rather than dividing! Line 18 of php-5.3.20/tests/output/bug63377.phpt should be changed as follows:

- $value = (int)ltrim($tmp[1], " ")*1024;
+ $value = (int)((int)ltrim($tmp[1], " ")/1024);
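Review bot: the replacement line turns the /proc/meminfo kilobyte value into megabytes, but the value it feeds is later compared against `2100*1024*1024`, a threshold in bytes, so the existing `*1024` (kB to bytes) is the conversion that comparison expects, and dividing instead would make the "Not enough memory" skip fire on every host. The memory check not protecting the test is better explained by the section header shown in the next patch, `--SKIPF--` in place of `--SKIPIF--`, which leaves the harness with no SKIPIF section to execute at all.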
Could you please test this: --- php-5.3.20/tests/output/bug63377.phpt 2012-12-19 16:13:48.000000000 +0100 +++ php-5.3.21RC1/tests/output/bug63377.phpt 2013-01-03 22:47:29.000000000 +0100 @@ -1,7 +1,11 @@ --TEST-- Bug #63377 (Segfault on output buffer > 2GB) ---SKIPF-- +--SKIPIF-- <?php +if (PHP_INT_SIZE == 4) { + die('skip Not for 32-bits OS'); +} + $zend_mm_enabled = getenv("USE_ZEND_ALLOC"); if ($zend_mm_enabled === "0") { die("skip Zend MM disabled"); @@ -19,7 +23,7 @@ if (PHP_OS == 'Linux') { $infos[$index] = $value; } $freeMemory = $infos['memfree']+$infos['buffers']+$infos['cached']; - if ($freeMemory < 2100*1024*1024) { + if ($freeMemory < 3072*1024*1024) { die('skip Not enough memory.'); } } @@ -38,7 +42,7 @@ elseif (PHP_OS == 'FreeBSD') { $freeMemory = ($infos['vm.stats.vm.v_inactive_count']*$infos['hw.pagesize']) +($infos['vm.stats.vm.v_cache_count']*$infos['hw.pagesize']) +($infos['vm.stats.vm.v_free_count']*$infos['hw.pagesize']); - if ($freeMemory < 2100*1024*1024) { + if ($freeMemory < 3072*1024*1024) { die('skip Not enough memory.'); } }
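Review bot: the `---SKIPF--` / `+--SKIPIF--` change in the first hunk is the substantive fix and deserves a line in the changelog or advisory: with the header misspelt, the harness never executed the skip section, so neither the free-memory guard nor anything else below it ran, which is why the test was attempted on hosts without enough memory. The new `PHP_INT_SIZE == 4` guard and the 2100 to 3072 MB threshold bump are applied consistently to both the Linux and FreeBSD branches; note that the thresholds are in bytes (`3072*1024*1024`), which matches the kB*1024 conversion the Linux branch already performs.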
Actually it later converts everything to bytes by multiplying, so I was wrong, and on second look that code doesn't appear wrong. For whatever reason, it's just not protecting it from running this test.
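A Python model of the harness behaviour discussed in the comments above, added here as an example; it is not code from PHP's run-tests.php or from the test itself. It splits a .phpt file into its --NAME-- sections the way the harness does, applies a stand-in for the SKIPIF memory guard only when a section named exactly SKIPIF exists, and converts /proc/meminfo kilobytes to bytes as the test's comparison expects. The .phpt heads and /proc/meminfo samples are constructed, and the section splitting is a simplified model of the harness.

```python
import re
import struct

# Threshold the 5.3.21 patch compares against: 3072 MB expressed in bytes.
THRESHOLD_BYTES = 3072 * 1024 * 1024

# A .phpt section header is a line of the form --NAME-- (--TEST--, --SKIPIF--, ...).
SECTION_RE = re.compile(r"^--([A-Z_]+)--$")


def phpt_sections(text):
    """Split a .phpt file into {section_name: body}. Simplified model of the
    harness: any --NAME-- line starts a section, so a misspelt header such as
    --SKIPF-- simply becomes an unknown section instead of the SKIPIF one."""
    sections = {}
    name = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1)
            sections[name] = []
        elif name is not None:
            sections[name].append(line)
    return {k: "\n".join(v) for k, v in sections.items()}


def parse_meminfo(text):
    """Parse the Linux /proc/meminfo format ('MemFree:   512000 kB') into a
    dict of lower-cased keys to integer kilobyte values, as the test does."""
    infos = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, rest = line.partition(":")
        fields = rest.split()  # ['512000', 'kB']
        if fields:
            infos[key.strip().lower()] = int(fields[0])
    return infos


def free_memory_bytes(infos):
    """memfree + buffers + cached, converted from kB to bytes by *1024. The
    comparison below is in bytes, so this (the test's original arithmetic) is
    right; dividing by 1024 would yield MB and skip the test on every host."""
    return (infos["memfree"] + infos["buffers"] + infos["cached"]) * 1024


def memory_guard(meminfo_text, int_size, threshold=THRESHOLD_BYTES):
    """Python stand-in for the PHP inside the test's SKIPIF section. Returns
    the skip message, or None when the test should run."""
    if int_size == 4:
        return "skip Not for 32-bits OS"
    if free_memory_bytes(parse_meminfo(meminfo_text)) < threshold:
        return "skip Not enough memory."
    return None


def would_run(phpt_text, meminfo_text, int_size=struct.calcsize("P")):
    """None if the harness would run the test, else the skip reason. Only a
    section named exactly SKIPIF is consulted; with the 5.3.20 header
    --SKIPF-- the guard is never reached and the test always runs."""
    if "SKIPIF" not in phpt_sections(phpt_text):
        return None
    return memory_guard(meminfo_text, int_size)


# Constructed .phpt heads: the 5.3.20 header typo, and the corrected one.
PHPT_5_3_20_HEAD = """--TEST--
Bug #63377 (Segfault on output buffer > 2GB)
--SKIPF--
<?php
/* free-memory guard lives here */
--FILE--
"""
PHPT_FIXED_HEAD = PHPT_5_3_20_HEAD.replace("--SKIPF--", "--SKIPIF--")

# Constructed /proc/meminfo samples: about 1.5 GB reclaimable, and about 3.9 GB.
LOW_MEMINFO = """MemTotal:        4048000 kB
MemFree:          512000 kB
Buffers:          256000 kB
Cached:           768000 kB
"""
HIGH_MEMINFO = """MemTotal:        8096000 kB
MemFree:         4000000 kB
Buffers:               0 kB
Cached:                0 kB
"""

if __name__ == "__main__":
    for label, head in (("5.3.20 (--SKIPF--)", PHPT_5_3_20_HEAD),
                        ("patched (--SKIPIF--)", PHPT_FIXED_HEAD)):
        print(label, "->", would_run(head, LOW_MEMINFO, int_size=8) or "test runs")
```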
OK, using Oden's patch it does build. I also tested using my normal test cases from: https://bugs.mageia.org/show_bug.cgi?id=3895#c35 It's good for me on i586. Note that doesn't test things from the supplementary SRPMS, just the main php one.
No need to rebuild for this then by the sounds of it?
(In reply to comment #30)
> No need to rebuild for this then by the sounds of it?

I suppose not. The issue is documented in this bug, which will be linked in the advisory.
Previous testing stands then, just needs testing i586. Testing procedure is spread across comments but it is there :)
OK, I've tested all of the supplemental packages on i586. All are fine for me except for php-apc. With php-apc installed, all of my PHP testcases fail.
(In reply to comment #33)
> All are fine for me except for php-apc. With php-apc installed, all of my PHP
> testcases fail.

The failures were http code 500, premature end of script headers, from the CGIs. /var/log/httpd/error_log had messages like this:

[Thu Jan 17 20:15:25 2013] [error] [client 127.0.0.1] PHP Fatal error: PHP Startup: apc_mmap: mkstemp on /var/lib/php-apc/apc.nDRtTQ failed: in Unknown on line 0, referer: http://localhost/~<username>/survey.html
[Thu Jan 17 20:15:25 2013] [error] [client 127.0.0.1] PHP Fatal error: PHP Startup: apc_fcntl_create: open(/var/lib/php-apc/.apc.X69zLB, O_RDWR|O_CREAT, 0666) failed: in Unknown on line 0, referer: http://localhost/~<username>/survey.html

The CGIs are running through suexec, so the issue is my user doesn't have write access to /var/lib/php-apc. I did chmod 1777 /var/lib/php-apc, and now they work fine with it installed.
Do you consider that a problem with php-apc David or just a feature of your script? Did you test php-eaccelerator too?
(In reply to comment #35)
> Do you consider that a problem with php-apc David or just a feature of your
> script?

It's not anything special about my tests. Anyone using CGIs through suexec (ones in ~/public_html/cgi-bin) will have this problem with php-apc.

> Did you test php-eaccelerator too?

Yes, that one worked fine.
PHP 5.3.21 is out and is being built for updates_testing now by Oden.
Testing complete on i586. Same results as before.
php-5.3.21-1.mga2
php-apc-3.1.13-1.5.mga2
php-eaccelerator-0.9.6.1-10.7.mga2
php-firebird-5.3.21-1.mga2
php-gd-bundled-5.3.21-1.mga2
php-pdo_firebird-5.3.21-1.mga2
Oden, do you have any thoughts on the php-apc issue? Also, do you have anything to add to the advisory now that this is 5.3.21?
URL: http://www.php.net/ChangeLog-5.php#5.3.20 => http://www.php.net/ChangeLog-5.php#5.3.21
Summary: [update candidate] php-5.3.20 => [update candidate] php-5.3.21
Source RPM: php-5.3.20-1.mga2.src.rpm => php-5.3.19-1.mga2.src.rpm
Whiteboard: has_procedure mga2-64-OK => has_procedure
Regarding suexec and apc. I haven't used it like that but I think you could pass something like '-d apc.mmap_file_mask="/path/to/userdir/tmp/apc.XXXXXX"' in your per-user suexec wrapper script (untested). Here's a writeup using fastcgi:

http://www.brandonturner.net/blog/2009/07/fastcgi_with_php_opcode_cache/

Or, you could try some other combination of apc, there's a few of them:

$ grep "\.so$" apc.ini
extension = apc-mmap.so
;extension = apc-sem.so
;extension = apc-spinlocks.so
;extension = apc-pthread.so
;extension = apc-mmap+mutex.so
Proposed advisory: This is a maintenance and bugfix release that upgrades php to the latest 5.3.21 version, which resolves various upstream bugs in php. Additionally the php-eaccelerator, php-firebird, php-gd-bundled, php-apc and php-pdo_firebird packages have been rebuilt for the new php version.

The authentication logic and how this was handled in the APC admin script in the php-apc-admin package was flawed. If you previously enabled the authentication by setting a password in the /var/www/php-apc/index.php file, the changes would be lost with a possible future update of the package. If the authentication mechanism was not used, local users could access features they shouldn't have access to. This has been addressed by using a new /etc/php-apc/config.php configuration file containing the authentication credentials and more, in a much more safe, secure and update-friendly way.

The owner of the system (the root user or equal) has to examine the /etc/php-apc/config.php file for the login name and password. The strong password is automatically generated on new installs.

References:
http://www.php.net/ChangeLog-5.php#5.3.20
http://www.php.net/ChangeLog-5.php#5.3.21
(In reply to comment #40)
> Regarding suexec and apc. I haven't used it like that but I think you could
> pass something like '-d apc.mmap_file_mask="/path/to/userdir/tmp/apc.XXXXXX"'
> in your per-user suexec wrapper script (untested). Here's a writeup using
> fastcgi:
>
> http://www.brandonturner.net/blog/2009/07/fastcgi_with_php_opcode_cache/

That's just craziness.

> Or, you could try some other combination of apc, there's a few of them:
>
> $ grep "\.so$" apc.ini
> extension = apc-mmap.so
> ;extension = apc-sem.so
> ;extension = apc-spinlocks.so
> ;extension = apc-pthread.so
> ;extension = apc-mmap+mutex.so

Neither of the mmap ones work out of the box, but the other three do work.
Relaxing dir permissions on /var/lib/php-apc would not be an option. IMO apache 1.3.x was easier to use with multi-homing. These days people use apache2 + php differently using special MPMs, nginx, varnish, fpm and what have you. But, changing to something else than mod_php that fits all would be quite an undertaking.
So is anything going to be done about php-apc? BTW, Funda just rebuilt php to fix some issue with php-gd and libjpeg-turbo.
Hmm, should php-gd-bundled be rebuilt?
Adding feedback marker as we need some responses from Oden.
Whiteboard: has_procedure => has_procedure feedback
Anyway, we should wait for 5.3.22.
Assigning to Oden until 5.3.22 is ready.
CC: (none) => qa-bugs
Assignee: qa-bugs => oe
Whiteboard: has_procedure feedback => has_procedure
5.3.22RC2 has 2 sec fixes:
- SOAP
  . Added check that soap.wsdl_cache_dir conforms to open_basedir (CVE-2013-1635). (Dmitry)
  . Disabled external entities loading (CVE-2013-1643). (Dmitry)
This is now considered public info.
Summary: [update candidate] php-5.3.21 => [update candidate] php-5.3.22
Proposed advisory: Multiple vulnerabilities have been discovered and corrected in php:

PHP does not validate the configuration directive "soap.wsdl_cache_dir" before writing SOAP wsdl cache files to the filesystem. Thus an attacker is able to write remote wsdl files to arbitrary locations (CVE-2013-1635).

PHP allows the use of external entities while parsing SOAP wsdl files, which allows an attacker to read arbitrary files. If a web application unserializes user-supplied data and tries to execute any method of it, an attacker can send a serialized SoapClient object initialized in non-wsdl mode, which will make PHP automatically parse the remote XML document specified in the "location" option parameter (CVE-2013-1643).

The updated packages have been upgraded to the 5.3.22 version, which is not vulnerable to these issues. Additionally, some packages which require it have been rebuilt for php-5.3.22.
Proposed advisory: Multiple vulnerabilities have been discovered and corrected in php:

PHP does not validate the configuration directive "soap.wsdl_cache_dir" before writing SOAP wsdl cache files to the filesystem. Thus an attacker is able to write remote wsdl files to arbitrary locations (CVE-2013-1635).

PHP allows the use of external entities while parsing SOAP wsdl files, which allows an attacker to read arbitrary files. If a web application unserializes user-supplied data and tries to execute any method of it, an attacker can send a serialized SoapClient object initialized in non-wsdl mode, which will make PHP automatically parse the remote XML document specified in the "location" option parameter (CVE-2013-1643).

The authentication logic and how this was handled in the APC admin script in the php-apc-admin package was flawed. If you previously enabled the authentication by setting a password in the /var/www/php-apc/index.php file, the changes would be lost with a possible future update of the package. If the authentication mechanism was not used, local users could access features they shouldn't have access to. This has been addressed by using a new /etc/php-apc/config.php configuration file containing the authentication credentials and more, in a much more safe, secure and update-friendly way.

The owner of the system (the root user or equal) has to examine the /etc/php-apc/config.php file for the login name and password. The strong password is automatically generated on new installs.

The updated packages have been upgraded to the 5.3.22 version, which is not vulnerable to these issues. Additionally, some packages which require it have been rebuilt for php-5.3.22.

References:
http://www.php.net/ChangeLog-5.php#5.3.20
http://www.php.net/ChangeLog-5.php#5.3.21
http://www.php.net/ChangeLog-5.php#5.3.22
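As an added example in Python (not PHP's own code), a model of the open_basedir conformance check that the 5.3.22 SOAP fix applies to soap.wsdl_cache_dir (CVE-2013-1635 in the advisories above): given php.ini-style settings it reports whether the cache directory lies inside open_basedir, and so whether WSDL cache files may be written there. The ini dicts are constructed, the entry matching is a simplified model of PHP's open_basedir check, and CVE-2013-1643 is not covered.

```python
import posixpath


def _norm(path):
    """Collapse '.', '..' and repeated slashes without touching the filesystem,
    so the check also works for a cache directory that does not exist yet."""
    return posixpath.normpath(path)


def within_open_basedir(path, open_basedir):
    """True if `path` lies inside one of the colon-separated open_basedir
    entries. An empty open_basedir means no restriction (PHP's default).
    Modelling choice: every entry is treated as a directory, so '/var/www'
    does not match '/var/www-other'; PHP itself only does that when the entry
    ends with '/', which is why entries should be written with a trailing slash."""
    if not open_basedir:
        return True
    target = _norm(path)
    for entry in open_basedir.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        base = _norm(entry)
        if target == base or target.startswith(base.rstrip("/") + "/"):
            return True
    return False


def wsdl_cache_allowed(ini):
    """Decide whether the SOAP extension may write WSDL cache files, given a
    dict of php.ini-style settings. Mirrors the 5.3.22 behaviour named in the
    advisory: the cache directory must conform to open_basedir, otherwise
    caching is refused instead of writing outside the allowed tree.
    Defaults assumed here: cache enabled, directory /tmp (PHP's documented default)."""
    if ini.get("soap.wsdl_cache_enabled", "1") == "0":
        return False
    cache_dir = ini.get("soap.wsdl_cache_dir", "/tmp")
    return within_open_basedir(cache_dir, ini.get("open_basedir", ""))


# Constructed settings: the weak combination beside the corrected one.
WEAK_INI = {
    "open_basedir": "/var/www/html/",
    "soap.wsdl_cache_dir": "/var/www/html/../../lib/wsdl-cache",  # escapes the tree
}
FIXED_INI = {
    "open_basedir": "/var/www/html/:/var/cache/php-soap/",
    "soap.wsdl_cache_dir": "/var/cache/php-soap",
}

if __name__ == "__main__":
    print("weak  ->", wsdl_cache_allowed(WEAK_INI))   # False: outside open_basedir
    print("fixed ->", wsdl_cache_allowed(FIXED_INI))  # True
```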
Assigning back to QA.
php-5.3.22-3.mga2
php-apc-3.1.13-1.6.mga2
php-eaccelerator-0.9.6.1-10.8.mga2
php-firebird-5.3.22-1.mga2
php-gd-bundled-5.3.22-1.mga2
php-pdo_firebird-5.3.22-1.mga2
CC: qa-bugs => (none)
Assignee: oe => qa-bugs
Could you list the new RPMs too please.
I made a mistake and put php-5.3.22-3.mga2 in nonfree/updates_testing. Can someone move this to the correct repo, or how should it be done?
(In reply to Oden Eriksson from comment #63)
> I made a mistake and put php-5.3.22-3.mga2 in nonfree/updates_testing. Can
> someone move this to the correct repo, or how should it be done?

Yes, it can be moved. We can CC the sysadmins here, and they might see it. For this sort of thing, I usually ask in #mageia-sysadm on IRC and if one of our sysadmins is there, they can move it. You could probably also just resubmit the build to core/updates_testing and ask them to remove the one in nonfree.
CC: (none) => sysadmin-bugs
Here's Mandriva's advisory: http://www.mandriva.com/en/support/security/advisories/2011/MDVSA-2013:016/
URL: http://www.php.net/ChangeLog-5.php#5.3.21 => http://lwn.net/Vulnerabilities/540472/
php nuked from nonfree/updates_testing so you can submit it again to core/updates_testing
CC: (none) => tmb
Thanks Thomas! I'll post the full package list at some point after it's built (building now).
Component: RPM Packages => Security
QA Contact: (none) => security
Advisory in Comment 60.

Packages built:
apache-mod_php-5.3.22-3.mga2
libphp5_common5-5.3.22-3.mga2
php-bcmath-5.3.22-3.mga2
php-bz2-5.3.22-3.mga2
php-calendar-5.3.22-3.mga2
php-cgi-5.3.22-3.mga2
php-cli-5.3.22-3.mga2
php-ctype-5.3.22-3.mga2
php-curl-5.3.22-3.mga2
php-dba-5.3.22-3.mga2
php-devel-5.3.22-3.mga2
php-dom-5.3.22-3.mga2
php-enchant-5.3.22-3.mga2
php-exif-5.3.22-3.mga2
php-fileinfo-5.3.22-3.mga2
php-filter-5.3.22-3.mga2
php-fpm-5.3.22-3.mga2
php-ftp-5.3.22-3.mga2
php-gd-5.3.22-3.mga2
php-gettext-5.3.22-3.mga2
php-gmp-5.3.22-3.mga2
php-hash-5.3.22-3.mga2
php-iconv-5.3.22-3.mga2
php-imap-5.3.22-3.mga2
php-ini-5.3.22-3.mga2
php-intl-5.3.22-3.mga2
php-json-5.3.22-3.mga2
php-ldap-5.3.22-3.mga2
php-mbstring-5.3.22-3.mga2
php-mcrypt-5.3.22-3.mga2
php-mssql-5.3.22-3.mga2
php-mysql-5.3.22-3.mga2
php-mysqli-5.3.22-3.mga2
php-mysqlnd-5.3.22-3.mga2
php-odbc-5.3.22-3.mga2
php-openssl-5.3.22-3.mga2
php-pcntl-5.3.22-3.mga2
php-pdo-5.3.22-3.mga2
php-pdo_dblib-5.3.22-3.mga2
php-pdo_mysql-5.3.22-3.mga2
php-pdo_odbc-5.3.22-3.mga2
php-pdo_pgsql-5.3.22-3.mga2
php-pdo_sqlite-5.3.22-3.mga2
php-pgsql-5.3.22-3.mga2
php-phar-5.3.22-3.mga2
php-posix-5.3.22-3.mga2
php-readline-5.3.22-3.mga2
php-recode-5.3.22-3.mga2
php-session-5.3.22-3.mga2
php-shmop-5.3.22-3.mga2
php-snmp-5.3.22-3.mga2
php-soap-5.3.22-3.mga2
php-sockets-5.3.22-3.mga2
php-sqlite-5.3.22-3.mga2
php-sqlite3-5.3.22-3.mga2
php-sybase_ct-5.3.22-3.mga2
php-sysvmsg-5.3.22-3.mga2
php-sysvsem-5.3.22-3.mga2
php-sysvshm-5.3.22-3.mga2
php-tidy-5.3.22-3.mga2
php-tokenizer-5.3.22-3.mga2
php-wddx-5.3.22-3.mga2
php-xml-5.3.22-3.mga2
php-xmlreader-5.3.22-3.mga2
php-xmlrpc-5.3.22-3.mga2
php-xmlwriter-5.3.22-3.mga2
php-xsl-5.3.22-3.mga2
php-zip-5.3.22-3.mga2
php-zlib-5.3.22-3.mga2
php-apc-3.1.13-1.6.mga2
php-apc-admin-3.1.13-1.6.mga2
php-eaccelerator-0.9.6.1-10.8.mga2
php-eaccelerator-admin-0.9.6.1-10.8.mga2
php-gd-bundled-5.3.22-1.mga2
php-firebird-5.3.22-1.mga2
php-pdo_firebird-5.3.22-1.mga2

from SRPMS:
php-5.3.22-3.mga2.src.rpm
php-apc-3.1.13-1.6.mga2.src.rpm
php-eaccelerator-0.9.6.1-10.8.mga2.src.rpm
php-gd-bundled-5.3.22-1.mga2.src.rpm
php-firebird-5.3.22-1.mga2.src.rpm
php-pdo_firebird-5.3.22-1.mga2.src.rpm
NOTE: new packages: http://svnweb.mageia.org/packages?view=revision&revision=401486
php-5.3.22-4.mga2:
- P303: added a new mageia logo by Rémi Verschelde
======================================================
Name: CVE-2013-1635
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1635
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130207
Category:
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702221
Reference: CONFIRM:http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=36f6f9a4396d3034cc903a4271e7fdeccc5d3ea6;hb=refs/heads/PHP-5.4
Reference: CONFIRM:http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=82afa3a040e639f3595121e45b850d5453906a00;hb=refs/heads/PHP-5.3
Reference: CONFIRM:http://git.php.net/?p=php-src.git;a=commitdiff;h=702b436ef470cc02f8e2cc21f2fadeee42103c74
Reference: CONFIRM:https://bugs.gentoo.org/show_bug.cgi?id=459904
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=918196

ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory.
======================================================
Name: CVE-2013-1643
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1643
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130210
Category:
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702221
Reference: CONFIRM:http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=36f6f9a4396d3034cc903a4271e7fdeccc5d3ea6;hb=refs/heads/PHP-5.4
Reference: CONFIRM:http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=82afa3a040e639f3595121e45b850d5453906a00;hb=refs/heads/PHP-5.3
Reference: CONFIRM:http://git.php.net/?p=php-src.git;a=commitdiff;h=c737b89473df9dba6742b8fc8fbf6d009bf05c36
Reference: CONFIRM:https://bugs.gentoo.org/show_bug.cgi?id=459904
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=918187

The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.
Assigning Oden. Please reassign when this is ready for QA. Thanks!
CC: (none) => qa-bugs
Assignee: qa-bugs => oe
Now we have:
php-5.3.23-1.mga2
php-apc-3.1.13-1.7.mga2
php-eaccelerator-0.9.6.1-10.9.mga2
php-gd-bundled-5.3.23-1.mga2
php-firebird-5.3.23-1.mga2
php-pdo_firebird-5.3.23-1.mga2
php-timezonedb-2013.2-1.mga2
Summary: [update candidate] php-5.3.22 => [update candidate] php-5.3.23
Packages:

SRPMS:
php-5.3.23-1.mga2.src.rpm
php-firebird-5.3.23-1.mga2.src.rpm
php-gd-bundled-5.3.23-1.mga2.src.rpm
php-pdo_firebird-5.3.23-1.mga2.src.rpm
php-apc-3.1.13-1.7.mga2.src.rpm
php-eaccelerator-0.9.6.1-10.9.mga2.src.rpm
php-timezonedb-2013.2-1.mga2.src.rpm

i586 RPMS:
php-pdo_firebird-5.3.23-1.mga2.i586.rpm php-snmp-5.3.23-1.mga2.i586.rpm php-soap-5.3.23-1.mga2.i586.rpm php-iconv-5.3.23-1.mga2.i586.rpm php-phar-5.3.23-1.mga2.i586.rpm php-ctype-5.3.23-1.mga2.i586.rpm php-readline-5.3.23-1.mga2.i586.rpm php-pdo_odbc-5.3.23-1.mga2.i586.rpm php-xmlrpc-5.3.23-1.mga2.i586.rpm php-sqlite3-5.3.23-1.mga2.i586.rpm php-imap-5.3.23-1.mga2.i586.rpm php-pdo_pgsql-5.3.23-1.mga2.i586.rpm php-cgi-5.3.23-1.mga2.i586.rpm php-dom-5.3.23-1.mga2.i586.rpm php-devel-5.3.23-1.mga2.i586.rpm php-xmlreader-5.3.23-1.mga2.i586.rpm php-ftp-5.3.23-1.mga2.i586.rpm libphp5_common5-5.3.23-1.mga2.i586.rpm php-zlib-5.3.23-1.mga2.i586.rpm php-xml-5.3.23-1.mga2.i586.rpm php-pdo_dblib-5.3.23-1.mga2.i586.rpm php-fpm-5.3.23-1.mga2.i586.rpm php-xmlwriter-5.3.23-1.mga2.i586.rpm php-hash-5.3.23-1.mga2.i586.rpm php-calendar-5.3.23-1.mga2.i586.rpm php-pgsql-5.3.23-1.mga2.i586.rpm php-cli-5.3.23-1.mga2.i586.rpm php-sockets-5.3.23-1.mga2.i586.rpm php-mysql-5.3.23-1.mga2.i586.rpm php-tokenizer-5.3.23-1.mga2.i586.rpm php-exif-5.3.23-1.mga2.i586.rpm php-bcmath-5.3.23-1.mga2.i586.rpm php-sqlite-5.3.23-1.mga2.i586.rpm php-zip-5.3.23-1.mga2.i586.rpm php-sysvsem-5.3.23-1.mga2.i586.rpm php-mcrypt-5.3.23-1.mga2.i586.rpm php-gd-5.3.23-1.mga2.i586.rpm php-posix-5.3.23-1.mga2.i586.rpm php-pdo_mysql-5.3.23-1.mga2.i586.rpm php-mbstring-5.3.23-1.mga2.i586.rpm php-dba-5.3.23-1.mga2.i586.rpm php-pdo-5.3.23-1.mga2.i586.rpm php-ini-5.3.23-1.mga2.i586.rpm php-shmop-5.3.23-1.mga2.i586.rpm php-intl-5.3.23-1.mga2.i586.rpm php-openssl-5.3.23-1.mga2.i586.rpm php-gd-bundled-5.3.23-1.mga2.i586.rpm php-sysvmsg-5.3.23-1.mga2.i586.rpm php-gmp-5.3.23-1.mga2.i586.rpm php-wddx-5.3.23-1.mga2.i586.rpm php-recode-5.3.23-1.mga2.i586.rpm php-sybase_ct-5.3.23-1.mga2.i586.rpm php-sysvshm-5.3.23-1.mga2.i586.rpm php-gettext-5.3.23-1.mga2.i586.rpm php-enchant-5.3.23-1.mga2.i586.rpm php-firebird-5.3.23-1.mga2.i586.rpm php-json-5.3.23-1.mga2.i586.rpm php-bz2-5.3.23-1.mga2.i586.rpm php-mssql-5.3.23-1.mga2.i586.rpm php-xsl-5.3.23-1.mga2.i586.rpm php-pdo_sqlite-5.3.23-1.mga2.i586.rpm php-fileinfo-5.3.23-1.mga2.i586.rpm php-odbc-5.3.23-1.mga2.i586.rpm php-pcntl-5.3.23-1.mga2.i586.rpm php-mysqli-5.3.23-1.mga2.i586.rpm php-filter-5.3.23-1.mga2.i586.rpm php-session-5.3.23-1.mga2.i586.rpm php-curl-5.3.23-1.mga2.i586.rpm php-tidy-5.3.23-1.mga2.i586.rpm apache-mod_php-5.3.23-1.mga2.i586.rpm php-ldap-5.3.23-1.mga2.i586.rpm php-mysqlnd-5.3.23-1.mga2.i586.rpm php-eaccelerator-0.9.6.1-10.9.mga2.i586.rpm php-eaccelerator-admin-0.9.6.1-10.9.mga2.i586.rpm php-apc-admin-3.1.13-1.7.mga2.i586.rpm php-apc-3.1.13-1.7.mga2.i586.rpm php-timezonedb-2013.2-1.mga2.i586.rpm

x86_64 RPMS:
php-enchant-5.3.23-1.mga2.x86_64.rpm php-pdo_pgsql-5.3.23-1.mga2.x86_64.rpm php-zip-5.3.23-1.mga2.x86_64.rpm php-fpm-5.3.23-1.mga2.x86_64.rpm php-gd-5.3.23-1.mga2.x86_64.rpm php-ini-5.3.23-1.mga2.x86_64.rpm php-zlib-5.3.23-1.mga2.x86_64.rpm php-sysvshm-5.3.23-1.mga2.x86_64.rpm php-ftp-5.3.23-1.mga2.x86_64.rpm php-mbstring-5.3.23-1.mga2.x86_64.rpm php-tidy-5.3.23-1.mga2.x86_64.rpm php-gettext-5.3.23-1.mga2.x86_64.rpm php-pdo-5.3.23-1.mga2.x86_64.rpm php-ldap-5.3.23-1.mga2.x86_64.rpm php-mysqli-5.3.23-1.mga2.x86_64.rpm php-pdo_dblib-5.3.23-1.mga2.x86_64.rpm php-wddx-5.3.23-1.mga2.x86_64.rpm php-snmp-5.3.23-1.mga2.x86_64.rpm php-mssql-5.3.23-1.mga2.x86_64.rpm php-json-5.3.23-1.mga2.x86_64.rpm php-exif-5.3.23-1.mga2.x86_64.rpm php-readline-5.3.23-1.mga2.x86_64.rpm php-bz2-5.3.23-1.mga2.x86_64.rpm php-filter-5.3.23-1.mga2.x86_64.rpm php-pcntl-5.3.23-1.mga2.x86_64.rpm php-xmlrpc-5.3.23-1.mga2.x86_64.rpm php-cli-5.3.23-1.mga2.x86_64.rpm php-xml-5.3.23-1.mga2.x86_64.rpm php-mysqlnd-5.3.23-1.mga2.x86_64.rpm apache-mod_php-5.3.23-1.mga2.x86_64.rpm php-mysql-5.3.23-1.mga2.x86_64.rpm php-fileinfo-5.3.23-1.mga2.x86_64.rpm php-imap-5.3.23-1.mga2.x86_64.rpm php-pdo_firebird-5.3.23-1.mga2.x86_64.rpm php-phar-5.3.23-1.mga2.x86_64.rpm php-firebird-5.3.23-1.mga2.x86_64.rpm php-devel-5.3.23-1.mga2.x86_64.rpm php-sqlite-5.3.23-1.mga2.x86_64.rpm php-xsl-5.3.23-1.mga2.x86_64.rpm php-dba-5.3.23-1.mga2.x86_64.rpm php-cgi-5.3.23-1.mga2.x86_64.rpm php-iconv-5.3.23-1.mga2.x86_64.rpm php-intl-5.3.23-1.mga2.x86_64.rpm php-xmlwriter-5.3.23-1.mga2.x86_64.rpm php-pdo_mysql-5.3.23-1.mga2.x86_64.rpm php-sqlite3-5.3.23-1.mga2.x86_64.rpm php-soap-5.3.23-1.mga2.x86_64.rpm php-hash-5.3.23-1.mga2.x86_64.rpm lib64php5_common5-5.3.23-1.mga2.x86_64.rpm php-pgsql-5.3.23-1.mga2.x86_64.rpm php-openssl-5.3.23-1.mga2.x86_64.rpm php-dom-5.3.23-1.mga2.x86_64.rpm php-calendar-5.3.23-1.mga2.x86_64.rpm php-sockets-5.3.23-1.mga2.x86_64.rpm php-session-5.3.23-1.mga2.x86_64.rpm php-mcrypt-5.3.23-1.mga2.x86_64.rpm php-curl-5.3.23-1.mga2.x86_64.rpm php-odbc-5.3.23-1.mga2.x86_64.rpm php-posix-5.3.23-1.mga2.x86_64.rpm php-bcmath-5.3.23-1.mga2.x86_64.rpm php-xmlreader-5.3.23-1.mga2.x86_64.rpm php-sysvsem-5.3.23-1.mga2.x86_64.rpm php-sysvmsg-5.3.23-1.mga2.x86_64.rpm php-gmp-5.3.23-1.mga2.x86_64.rpm php-gd-bundled-5.3.23-1.mga2.x86_64.rpm php-shmop-5.3.23-1.mga2.x86_64.rpm php-recode-5.3.23-1.mga2.x86_64.rpm php-pdo_sqlite-5.3.23-1.mga2.x86_64.rpm php-tokenizer-5.3.23-1.mga2.x86_64.rpm php-ctype-5.3.23-1.mga2.x86_64.rpm php-sybase_ct-5.3.23-1.mga2.x86_64.rpm php-pdo_odbc-5.3.23-1.mga2.x86_64.rpm php-eaccelerator-0.9.6.1-10.9.mga2.x86_64.rpm php-eaccelerator-admin-0.9.6.1-10.9.mga2.x86_64.rpm php-apc-admin-3.1.13-1.7.mga2.x86_64.rpm php-apc-3.1.13-1.7.mga2.x86_64.rpm php-timezonedb-2013.2-1.mga2.x86_64.rpm
Proposed advisory:

Multiple vulnerabilities have been discovered and corrected in php:

ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory (CVE-2013-1635).

The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions (CVE-2013-1643).

Backported upstream php bug #61930: "openssl corrupts ssl key resource when using openssl_get_publickey()" to php-5.3.x.

The new "Powered by Mageia" logo has been added to php; this is only a cosmetic change.

The authentication logic, and how it was handled in the APC admin script in the php-apc-admin package, was flawed. If you previously enabled authentication by setting a password in the /var/www/php-apc/index.php file, the changes would be lost with a possible future update of the package. If the authentication mechanism was not used, local users could access features they should not have access to. This has been addressed by using a new /etc/php-apc/config.php configuration file containing the authentication credentials and more, in a much safer, more secure and update-friendly way. The owner of the system (the root user or equivalent) has to examine the /etc/php-apc/config.php file for the login name and password. A strong password is automatically generated on new installs.

The php-timezonedb package has been updated to the 2013.2 version.

The updated packages have been upgraded to the 5.3.23 version which is not vulnerable to these issues. Additionally, some packages which require it have been rebuilt for php-5.3.23.

References:
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1635
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1643
http://www.php.net/ChangeLog-5.php#5.3.20
http://www.php.net/ChangeLog-5.php#5.3.21
http://www.php.net/ChangeLog-5.php#5.3.22
http://www.php.net/ChangeLog-5.php#5.3.23
https://bugs.php.net/bug.php?id=61930
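The advisory above names two distinct configuration relationships: the WSDL cache directory must sit inside open_basedir (CVE-2013-1635), and the WSDL parser must not resolve external entities (CVE-2013-1643). The following audit script is an added example written for this thread; it is not code from the Mageia packages, from PHP, or from the advisory author. It checks the first relationship lexically against a supplied ini array (so it can audit a php.ini for a cache directory that does not exist yet) and applies the standard libxml switch that is the usual interim hardening for the second on hosts that cannot be upgraded immediately. The function names and the two sample configurations are constructed for the example; it assumes PHP 7 or later for the scalar type declarations and the null-coalescing operator.

```php
<?php
// Added example (not from the Mageia bug or from PHP itself): audit the two
// ini relationships described by CVE-2013-1635 and CVE-2013-1643.
// Function names and sample values below are constructed for this example.

/**
 * Split an open_basedir value into its path list. PHP separates entries with
 * PATH_SEPARATOR (":" on Linux); an empty value means "no restriction".
 */
function openBasedirEntries(string $openBasedir): array
{
    $entries = array_filter(array_map('trim', explode(PATH_SEPARATOR, $openBasedir)));
    return array_values($entries);
}

/**
 * Normalise a path lexically (resolve ".", ".." and duplicate slashes) without
 * touching the filesystem, so the check also works for a cache directory that
 * SOAP would only create on first use.
 */
function lexicalRealpath(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { array_pop($parts); continue; }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

/**
 * True when $dir equals, or is a sub-directory of, at least one open_basedir
 * entry. PHP itself applies open_basedir as a plain string prefix (the manual
 * notes that "/dir/incl" also permits "/dir/include"), so this check deliberately
 * requires a whole path component to match, which is the stricter reading.
 */
function dirWithinOpenBasedir(string $dir, string $openBasedir): bool
{
    $entries = openBasedirEntries($openBasedir);
    if ($entries === []) {
        return true; // no open_basedir restriction configured
    }
    $target = lexicalRealpath($dir);
    foreach ($entries as $entry) {
        $base = lexicalRealpath($entry);
        if ($target === $base || strpos($target, rtrim($base, '/') . '/') === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Audit SOAP-related ini values taken from an array (pass ini_get_all(null, false)
 * to audit the running process). Returns a list of findings; empty means clean.
 */
function auditSoapIni(array $ini): array
{
    $findings     = [];
    $cacheEnabled = (int)($ini['soap.wsdl_cache_enabled'] ?? 1) !== 0;
    $cacheDir     = $ini['soap.wsdl_cache_dir'] ?? '/tmp';   // PHP's default
    $openBasedir  = $ini['open_basedir'] ?? '';

    if ($openBasedir !== '' && $cacheEnabled && !dirWithinOpenBasedir($cacheDir, $openBasedir)) {
        $findings[] = "soap.wsdl_cache_dir '$cacheDir' lies outside open_basedir '$openBasedir'";
    }
    if ($cacheEnabled && $cacheDir === '/tmp') {
        $findings[] = 'WSDL cache is in the shared /tmp directory; prefer a per-application directory';
    }
    return $findings;
}

// Constructed sample configurations for a stand-alone run.
$samples = [
    'bad'  => ['open_basedir' => '/var/www/app/:/usr/share/php/',
               'soap.wsdl_cache_dir' => '/var/www/app/../cache', 'soap.wsdl_cache_enabled' => '1'],
    'good' => ['open_basedir' => '/var/www/app/:/usr/share/php/',
               'soap.wsdl_cache_dir' => '/var/www/app/wsdl-cache', 'soap.wsdl_cache_enabled' => '1'],
];
foreach ($samples as $name => $ini) {
    $f = auditSoapIni($ini);
    printf("%-4s: %s\n", $name, $f ? implode('; ', $f) : 'ok');
}

// Interim hardening related to CVE-2013-1643 on a host not yet running a fixed
// PHP: this standard function makes libxml's process-wide entity loader refuse
// external entities for XML parsed in this process. It is deprecated from
// PHP 8.0, where external entity loading is already off by default. It is a
// mitigation for application code, not a substitute for the 5.3.23 upgrade.
if (function_exists('libxml_disable_entity_loader')) {
    libxml_disable_entity_loader(true);
}
```

Running the script prints a finding for the "bad" sample, because "/var/www/app/../cache" normalises to "/var/www/cache", which is outside both open_basedir entries, and "ok" for the "good" sample. The lexical normalisation is intentional: a realpath()-based check would silently pass a cache directory that has not been created yet, which is exactly the situation in which the SOAP extension would create it on demand.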
qateam: PoCs for CVE-2013-1635, CVE-2013-1643 and https://bugs.php.net/bug.php?id=61930 exist in the bundled test suite. Package list in Comment 75; advisory text in Comment 76.
Assignee: oe => qa-bugs
Testing everything on i586. Same results as before. Everything works. I still had to change the 99_apc.ini to change which extension is loaded, as the mmap ones don't work through suexec. The other ones work. One strange thing I noticed that I don't remember from before: when installing or uninstalling php-apc or php-eaccelerator and its associated admin package at the same time, at the end of the transaction apache is reloaded (because of the apache config file added by the admin package) and then immediately restarted (because of the added PHP module), which is expected. What was strange this time was that the restart took a really long time. It does complete and everything still works OK.
Whiteboard: has_procedure => has_procedure MGA2-32-OK
Testing complete on Mageia 2 x86-64. Could someone from the sysadmin team push the srpms
php-5.3.23-1.mga2.src.rpm
php-firebird-5.3.23-1.mga2.src.rpm
php-gd-bundled-5.3.23-1.mga2.src.rpm
php-pdo_firebird-5.3.23-1.mga2.src.rpm
php-apc-3.1.13-1.7.mga2.src.rpm
php-eaccelerator-0.9.6.1-10.9.mga2.src.rpm
php-timezonedb-2013.2-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates. Please see Comment 76 for the advisory.
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA2-32-OK => has_procedure MGA2-32-OK MGA2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0101
Status: NEW => RESOLVED
Resolution: (none) => FIXED