--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-8370
2015-05-17 02:53:26
--------------------------------------------------------------------------------

Name        : php
Product     : Fedora 20
Version     : 5.5.25
Release     : 1.fc20
URL         : https://www.php.net/
Summary     : PHP scripting language for creating dynamic web sites
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated web pages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts.

The php package contains the module (often referred to as mod_php)
which adds support for the PHP language to Apache HTTP Server.

--------------------------------------------------------------------------------
Update Information:

14 May 2015, **PHP 5.5.25**

**Core:**
* Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (Stas)
* Fixed bug #69403 (str_repeat() sign mismatch based memory corruption). (Stas)
* Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (Stas)
* Fixed bug #69522 (heap buffer overflow in unpack()). (Stas)
* Fixed bug #69467 (Wrong checked for the interface by using Trait). (Laruence)
* Fixed bug #69420 (Invalid read in zend_std_get_method). (Laruence)
* Fixed bug #60022 ("use statement [...] has no effect" depends on leading backslash). (Nikita)
* Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer). (Dmitry)
* Fixed bug #68652 (segmentation fault in destructor). (Dmitry)
* Fixed bug #69419 (Returning compatible sub generator produces a warning). (Nikita)
* Fixed bug #69472 (php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA). (Jan Starke)

**FTP:**
* Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (Stas)

**ODBC:**
* Fixed bug #69474 (ODBC: Query with same field name from two tables returns incorrect result). (Anatol)
* Fixed bug #69381 (out of memory with sage odbc driver). (Frederic Marchall, Anatol Belski)

**OpenSSL:**
* Fixed bug #69402 (Reading empty SSL stream hangs until timeout). (Daniel Lowrey)

**PCNTL:**
* Fixed bug #68598 (pcntl_exec() should not allow null char). (Stas)

**Phar:**
* Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (Stas)

--------------------------------------------------------------------------------
ChangeLog:

* Sat May 16 2015 Remi Collet  5.5.25-1
- Update to 5.5.25
  https://www.php.net/releases/5_5_25.php
- adapt systzdata patch for upstream changes for new zic
* Wed Apr 15 2015 Remi Collet  5.5.24-1
- Update to 5.5.24
  https://www.php.net/releases/5_5_24.php
* Fri Mar 20 2015 Remi Collet  5.5.23-1
- Update to 5.5.23
  https://www.php.net/releases/5_5_23.php
* Thu Feb 19 2015 Remi Collet  5.5.22-1
- Update to 5.5.22
  https://www.php.net/releases/5_5_22.php
* Thu Jan 22 2015 Remi Collet  5.5.21-1
- Update to 5.5.21
  https://www.php.net/releases/5_5_21.php
* Thu Dec 18 2014 Remi Collet  5.5.20-2
- Update to 5.5.20 (real)
  https://www.php.net/releases/5_5_20.php
- php-xmlrpc requires php-xml
* Wed Dec 10 2014 Remi Collet  5.5.20-1
- Update to 5.5.20
  https://www.php.net/releases/5_5_20.php
* Fri Nov 21 2014 Remi Collet  5.5.19-3
- FPM: add upstream patch for https://bugs.php.net/index.php
  listen.allowed_clients is IPv4 only
- refresh upstream patch for 68421
* Sun Nov 16 2014 Remi Collet  5.5.19-2
- FPM: add upstream patch for https://bugs.php.net/index.php
  access.format=R doesn't log ipv6 address
- FPM: add upstream patch for https://bugs.php.net/index.php
  listen=9000 listens to ipv6 localhost instead of all addresses
- FPM: add upstream patch for https://bugs.php.net/index.php
  will no longer load all pools
* Thu Nov 13 2014 Remi Collet  5.5.19-1
- Update to 5.5.19
  https://www.php.net/releases/5_5_19.php
- new version of systzdata patch, fix case sensitivity
* Thu Oct 16 2014 Remi Collet  5.5.18-1
- Update to 5.5.18
  https://www.php.net/releases/5_5_18.php
* Sat Sep 20 2014 Remi Collet  5.5.17-2
- openssl: fix regression introduce in changes for upstream
  bug #65137 and #41631, revert to 5.5.16 behavior
* Thu Sep 18 2014 Remi Collet  5.5.17-1
- Update to 5.5.17
  https://www.php.net/releases/5_5_17.php
- fpm: fix script_name with mod_proxy_fcgi / proxypass
  add upstream patch for https://bugs.php.net/index.php
* Thu Aug 21 2014 Remi Collet  5.5.16-1
- Update to 5.5.16
  https://www.php.net/releases/5_5_16.php
- fix zts-php-config --php-binary output #1124605
- move zts-php from php-devel to php-cli
- revert fix for 67724 because of 67865
* Thu Jul 24 2014 Remi Collet  5.5.15-1
- Update to 5.5.15
  https://www.php.net/releases/5_5_15.php
* Wed Jul 16 2014 Remi Collet  5.5.14-2
- add upstream patch for #67605
* Thu Jun 26 2014 Remi Collet  5.5.14-1
- Update to 5.5.14
  https://www.php.net/releases/5_5_14.php
- fix test for rhbz #971416
* Thu Jun  5 2014 Remi Collet  5.5.13-3
- fix regression introduce in fix for #67118
* Tue Jun  3 2014 Remi Collet  5.5.13-2
- fileinfo: fix insufficient boundary check
- workaround regression introduce in fix for 67072 in
  serialize/unzerialize functions
* Fri May 30 2014 Remi Collet  5.5.13-1
- Update to 5.5.13
  https://www.php.net/releases/5_5_13.php
* Sat May  3 2014 Remi Collet  5.5.12-1
- Update to 5.5.12
  https://www.php.net/releases/5_5_12.php
- php-fpm: change default unix socket permission CVE-2014-0185
* Thu Apr  3 2014 Remi Collet  5.5.11-1
- Update to 5.5.11
  https://www.php.net/ChangeLog-5.php
* Thu Mar  6 2014 Remi Collet  5.5.10-1
- Update to 5.5.10
  https://www.php.net/ChangeLog-5.php#5.5.10
- php-fpm should own /var/lib/php/session and wsdlcache
- fix pcre test results with libpcre < 8.34
* Tue Feb 18 2014 Remi Collet  5.5.9-2
- upstream patch for https://bugs.php.net/index.php
* Tue Feb 11 2014 Remi Collet  5.5.9-1
- Update to 5.5.9
  https://www.php.net/ChangeLog-5.php
- Install macros to /usr/lib/rpm/macros.d
* Thu Jan 23 2014 Joe Orton  - 5.5.8-2
- fix _httpd_mmn expansion in absence of httpd-devel
* Wed Jan  8 2014 Remi Collet  5.5.8-1
- update to 5.5.8
- drop conflicts with other opcode caches as both can
  be used only for user data cache
* Wed Dec 11 2013 Remi Collet  5.5.7-1
- update to 5.5.7, fix for CVE-2013-6420
- fix zend_register_functions breaks reflection, php bug 66218
- fix Heap buffer over-read in DateInterval, php bug 66060
- fix fix overflow handling bug in non-x86
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1223408 - CVE-2015-4025 php: CVE-2006-7243 regressions in 5.4+
        https://bugzilla.redhat.com/show_bug.cgi?id=1223408
  [ 2 ] Bug #1223425 - CVE-2015-4021 php: memory corruption in phar_parse_tarfile when entry filename starts with NULL
        https://bugzilla.redhat.com/show_bug.cgi?id=1223425
  [ 3 ] Bug #1223422 - CVE-2015-4026 php: pcntl_exec() does not check path validity
        https://bugzilla.redhat.com/show_bug.cgi?id=1223422
  [ 4 ] Bug #1222485 - CVE-2015-4024 PHP Multipart/form-data remote dos Vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=1222485
  [ 5 ] Bug #1223412 - CVE-2015-4022 php: integer overflow on reading FTP server data leading to heap overflow
        https://bugzilla.redhat.com/show_bug.cgi?id=1223412
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update php' at the command line.
For more information, refer to "Managing Software with yum",
available at .

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/package-announce.lists.fedoraproject.org/

Fedora 20: php Security Update 2015-8370

May 27, 2015
14 May 2015, **PHP 5.5.25** **Core:** * Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability)

Summary

PHP is an HTML-embedded scripting language. PHP attempts to make it

easy for developers to write dynamically generated web pages. PHP also

offers built-in database integration for several commercial and

non-commercial database management systems, so writing a

database-enabled webpage with PHP is fairly simple. The most common

use of PHP coding is probably as a replacement for CGI scripts.

The php package contains the module (often referred to as mod_php)

which adds support for the PHP language to Apache HTTP Server.

Update Information:

14 May 2015, **PHP 5.5.25**

**Core:** * Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (Stas) * Fixed bug #69403 (str_repeat() sign mismatch based memory corruption). (Stas) * Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (Stas) * Fixed bug #69522 (heap buffer overflow in unpack()). (Stas) * Fixed bug #69467 (Wrong checked for the interface by using Trait). (Laruence) * Fixed bug #69420 (Invalid read in zend_std_get_method). (Laruence) * Fixed bug #60022 ("use statement [...] has no effect" depends on leading backslash). (Nikita) * Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer). (Dmitry) * Fixed bug #68652 (segmentation fault in destructor). (Dmitry) * Fixed bug #69419 (Returning compatible sub generator produces a warning). (Nikita) * Fixed bug #69472 (php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA). (Jan Starke)

**FTP:** * Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (Stas)

**ODBC:** * Fixed bug #69474 (ODBC: Query with same field name from two tables returns incorrect result). (Anatol) * Fixed bug #69381 (out of memory with sage odbc driver). (Frederic Marchall, Anatol Belski)

**OpenSSL:** * Fixed bug #69402 (Reading empty SSL stream hangs until timeout). (Daniel Lowrey)

**PCNTL:** * Fixed bug #68598 (pcntl_exec() should not allow null char). (Stas)

**Phar:** * Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (Stas)

Change Log

* Sat May 16 2015 Remi Collet 5.5.25-1 - Update to 5.5.25 https://www.php.net/releases/5_5_25.php - adapt systzdata patch for upstream changes for new zic * Wed Apr 15 2015 Remi Collet 5.5.24-1 - Update to 5.5.24 https://www.php.net/releases/5_5_24.php * Fri Mar 20 2015 Remi Collet 5.5.23-1 - Update to 5.5.23 https://www.php.net/releases/5_5_23.php * Thu Feb 19 2015 Remi Collet 5.5.22-1 - Update to 5.5.22 https://www.php.net/releases/5_5_22.php * Thu Jan 22 2015 Remi Collet 5.5.21-1 - Update to 5.5.21 https://www.php.net/releases/5_5_21.php * Thu Dec 18 2014 Remi Collet 5.5.20-2 - Update to 5.5.20 (real) https://www.php.net/releases/5_5_20.php - php-xmlrpc requires php-xml * Wed Dec 10 2014 Remi Collet 5.5.20-1 - Update to 5.5.20 https://www.php.net/releases/5_5_20.php * Fri Nov 21 2014 Remi Collet 5.5.19-3 - FPM: add upstream patch for https://bugs.php.net/index.php listen.allowed_clients is IPv4 only - refresh upstream patch for 68421 * Sun Nov 16 2014 Remi Collet 5.5.19-2 - FPM: add upstream patch for https://bugs.php.net/index.php access.format=R doesn't log ipv6 address - FPM: add upstream patch for https://bugs.php.net/index.php listen=9000 listens to ipv6 localhost instead of all addresses - FPM: add upstream patch for https://bugs.php.net/index.php will no longer load all pools * Thu Nov 13 2014 Remi Collet 5.5.19-1 - Update to 5.5.19 https://www.php.net/releases/5_5_19.php - new version of systzdata patch, fix case sensitivity * Thu Oct 16 2014 Remi Collet 5.5.18-1 - Update to 5.5.18 https://www.php.net/releases/5_5_18.php * Sat Sep 20 2014 Remi Collet 5.5.17-2 - openssl: fix regression introduce in changes for upstream bug #65137 and #41631, revert to 5.5.16 behavior * Thu Sep 18 2014 Remi Collet 5.5.17-1 - Update to 5.5.17 https://www.php.net/releases/5_5_17.php - fpm: fix script_name with mod_proxy_fcgi / proxypass add upstream patch for https://bugs.php.net/index.php * Thu Aug 21 2014 Remi Collet 5.5.16-1 - Update to 5.5.16 https://www.php.net/releases/5_5_16.php - fix zts-php-config --php-binary output #1124605 - move zts-php from php-devel to php-cli - revert fix for 67724 because of 67865 * Thu Jul 24 2014 Remi Collet 5.5.15-1 - Update to 5.5.15 https://www.php.net/releases/5_5_15.php * Wed Jul 16 2014 Remi Collet 5.5.14-2 - add upstream patch for #67605 * Thu Jun 26 2014 Remi Collet 5.5.14-1 - Update to 5.5.14 https://www.php.net/releases/5_5_14.php - fix test for rhbz #971416 * Thu Jun 5 2014 Remi Collet 5.5.13-3 - fix regression introduce in fix for #67118 * Tue Jun 3 2014 Remi Collet 5.5.13-2 - fileinfo: fix insufficient boundary check - workaround regression introduce in fix for 67072 in serialize/unzerialize functions * Fri May 30 2014 Remi Collet 5.5.13-1 - Update to 5.5.13 https://www.php.net/releases/5_5_13.php * Sat May 3 2014 Remi Collet 5.5.12-1 - Update to 5.5.12 https://www.php.net/releases/5_5_12.php - php-fpm: change default unix socket permission CVE-2014-0185 * Thu Apr 3 2014 Remi Collet 5.5.11-1 - Update to 5.5.11 https://www.php.net/ChangeLog-5.php * Thu Mar 6 2014 Remi Collet 5.5.10-1 - Update to 5.5.10 https://www.php.net/ChangeLog-5.php#5.5.10 - php-fpm should own /var/lib/php/session and wsdlcache - fix pcre test results with libpcre < 8.34 * Tue Feb 18 2014 Remi Collet 5.5.9-2 - upstream patch for https://bugs.php.net/index.php * Tue Feb 11 2014 Remi Collet 5.5.9-1 - Update to 5.5.9 https://www.php.net/ChangeLog-5.php - Install macros to /usr/lib/rpm/macros.d * Thu Jan 23 2014 Joe Orton - 5.5.8-2 - fix _httpd_mmn expansion in absence of httpd-devel * Wed Jan 8 2014 Remi Collet 5.5.8-1 - update to 5.5.8 - drop conflicts with other opcode caches as both can be used only for user data cache * Wed Dec 11 2013 Remi Collet 5.5.7-1 - update to 5.5.7, fix for CVE-2013-6420 - fix zend_register_functions breaks reflection, php bug 66218 - fix Heap buffer over-read in DateInterval, php bug 66060 - fix fix overflow handling bug in non-x86

References

[ 1 ] Bug #1223408 - CVE-2015-4025 php: CVE-2006-7243 regressions in 5.4+ https://bugzilla.redhat.com/show_bug.cgi?id=1223408 [ 2 ] Bug #1223425 - CVE-2015-4021 php: memory corruption in phar_parse_tarfile when entry filename starts with NULL https://bugzilla.redhat.com/show_bug.cgi?id=1223425 [ 3 ] Bug #1223422 - CVE-2015-4026 php: pcntl_exec() does not check path validity https://bugzilla.redhat.com/show_bug.cgi?id=1223422 [ 4 ] Bug #1222485 - CVE-2015-4024 PHP Multipart/form-data remote dos Vulnerability https://bugzilla.redhat.com/show_bug.cgi?id=1222485 [ 5 ] Bug #1223412 - CVE-2015-4022 php: integer overflow on reading FTP server data leading to heap overflow https://bugzilla.redhat.com/show_bug.cgi?id=1223412

Update Instructions

This update can be installed with the "yum" update program. Use su -c 'yum update php' at the command line. For more information, refer to "Managing Software with yum", available at .

Severity
Name : php
Product : Fedora 20
Version : 5.5.25
Release : 1.fc20
URL : https://www.php.net/
Summary : PHP scripting language for creating dynamic web sites

Related News

Google Chrome 129: Addressing Crucial Vulnerabilities and Enhancing Security
2 - 4 min read
Google Chrome remains the crown jewel in the browser market, with an impressive user base of approximately 3.45 billion. However, this immense
Fighting Back Against Hadooken Malware by Strengthening WebLogic Security
2 - 4 min read
Cybercriminals have been relentlessly attacking the digital landscape, aiming to exploit vulnerabilities in well-known systems. One such exploit is
CISA Sounds Alarm on Newly Exploited Vulnerabilities: Is Your System at Risk?
3 - 5 min read
CISA regularly publishes updates regarding vulnerabilities that present severe threats to global cybersecurity. Recently, CISA added three
Defending Against Remote Code Execution in Google Chrome: A Critical Update
2 - 3 min read
Google Chrome, a widely used web browser, serves millions of internet users by connecting them to the online world. Unfortunately, severe
Navigating the Linux Kernel
2 - 4 min read
The Linux operating system, widely acclaimed for its robustness and security , recently received widespread media attention due to a significant
Staying a Step Ahead of Adversaries: Mitigating Chromium
2 - 4 min read
Google Chrome, one of the world's most widely used web browsers, has recently been scrutinized due to the discovery of multiple Chromium
Unmasking Cicada3301: Examining the Threat of the New Rust-Based Ransomware
2 - 4 min read
Ransomware has long been a severe threat to organizations and admins alike. Recently, cybersecurity researchers discovered a new variant called
Buffer Overflow Exploits in Linux: Origins, Impact, and Countermeasures
3 - 6 min read
Buffer overflow vulnerabilities have long been one of the biggest headaches in computer security, especially on Linux operating systems that power

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved