Fedora 20: php Security Update

    Date: 31 Mar 2015
    Category: Fedora
    Posted By: LinuxSecurity Advisories
    --------------------------------------------------------------------------------
    Fedora Update Notification
    FEDORA-2015-4216
    2015-03-21 00:08:19
    --------------------------------------------------------------------------------
    
    Name        : php
    Product     : Fedora 20
    Version     : 5.5.23
    Release     : 1.fc20
    URL         : http://www.php.net/
    Summary     : PHP scripting language for creating dynamic web sites
    Description :
    PHP is an HTML-embedded scripting language. PHP attempts to make it
    easy for developers to write dynamically generated web pages. PHP also
    offers built-in database integration for several commercial and
    non-commercial database management systems, so writing a
    database-enabled webpage with PHP is fairly simple. The most common
    use of PHP coding is probably as a replacement for CGI scripts.
    
    The php package contains the module (often referred to as mod_php)
    which adds support for the PHP language to Apache HTTP Server.
    
    --------------------------------------------------------------------------------
    Update Information:
    
    **19 Mar 2015, PHP 5.5.23**
    
    Core:
    * Fixed bug #69174 (leaks when unused inner class use traits precedence). (Laruence)
    * Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize). (Laruence)
    * Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build). (dan at syneto dot net)
    * Fixed bug #65593 (Segfault when calling ob_start from output buffering callback). (Mike)
    * Fixed bug #69017 (Fail to push to the empty array with the constant value defined in class scope). (Laruence)
    * Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c). (nayana at ddproperty dot com)
    * Fixed bug #68166 (Exception with invalid character causes segv). (Rasmus)
    * Fixed bug #69141 (Missing arguments in reflection info for some builtin functions). (kostyantyn dot lysyy at oracle dot com)
    * Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (Stas)
    * Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski)
    * Fixed bug #69207 (move_uploaded_file allows nulls in path). (Stas)
    
    CGI:
    * Fixed bug #69015 (php-cgi's getopt does not see $argv). (Laruence)
    
    CLI:
    * Fixed bug #67741 (auto_prepend_file messes up __LINE__). (Reeze Xia)
    
    cURL:
    * Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL on Win32). (Grant Pannell)
    * Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if supported by libcurl. (Linus Unneback)
    
    Ereg:
    * Fixed bug #69248 (heap overflow vulnerability in regcomp.c). (Stas)
    
    FPM:
    * Fixed bug #68822 (request time is reset too early). (honghu069 at 163 dot com)
    
    ODBC:
    * Fixed bug #68964 (Allowed memory size exhausted with odbc_exec). (Anatol)
    
    Opcache:
    * Fixed bug #69125 (Array numeric string as key). (Laruence)
    * Fixed bug #69038 (switch(SOMECONSTANT) misbehaves). (Laruence)
    
    OpenSSL:
    * Fixed bugs #61285, #68329, #68046, #41631 (encrypted streams don't observe socket timeouts). (Brad Broerman)
    
    pgsql:
    * Fixed bug #68638 (pg_update() fails to store infinite values). (william dot welter at 4linux dot com dot br, Laruence)
    
    Readline:
    * Fixed bug #69054 (Null dereference in readline_(read|write)_history() without parameters). (Laruence)
    
    SOAP:
    * Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). (andrea dot palazzo at truel dot it, Laruence)
    
    SPL:
    * Fixed bug #69108 ("Segmentation fault" when (de)serializing SplObjectStorage). (Laruence)
    * Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after calling getChildren()). (Julien)
    
    ZIP:
    * Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap boundary) (CVE-2015-2331). (Stas)
    
    --------------------------------------------------------------------------------
    ChangeLog:
    
    * Fri Mar 20 2015 Remi Collet  5.5.23-1
    - Update to 5.5.23
      http://www.php.net/releases/5_5_23.php
    * Thu Feb 19 2015 Remi Collet  5.5.22-1
    - Update to 5.5.22
      http://www.php.net/releases/5_5_22.php
    * Thu Jan 22 2015 Remi Collet  5.5.21-1
    - Update to 5.5.21
      http://www.php.net/releases/5_5_21.php
    * Thu Dec 18 2014 Remi Collet  5.5.20-2
    - Update to 5.5.20 (real)
      http://www.php.net/releases/5_5_20.php
    - php-xmlrpc requires php-xml
    * Wed Dec 10 2014 Remi Collet  5.5.20-1
    - Update to 5.5.20
      http://www.php.net/releases/5_5_20.php
    * Fri Nov 21 2014 Remi Collet  5.5.19-3
    - FPM: add upstream patch for https://bugs.php.net/68428
      listen.allowed_clients is IPv4 only
    - refresh upstream patch for 68421
    * Sun Nov 16 2014 Remi Collet  5.5.19-2
    - FPM: add upstream patch for https://bugs.php.net/68421
      access.format=R doesn't log ipv6 address
    - FPM: add upstream patch for https://bugs.php.net/68420
      listen=9000 listens to ipv6 localhost instead of all addresses
    - FPM: add upstream patch for https://bugs.php.net/68423
      will no longer load all pools
    * Thu Nov 13 2014 Remi Collet  5.5.19-1
    - Update to 5.5.19
      http://www.php.net/releases/5_5_19.php
    - new version of systzdata patch, fix case sensitivity
    * Thu Oct 16 2014 Remi Collet  5.5.18-1
    - Update to 5.5.18
      http://www.php.net/releases/5_5_18.php
    * Sat Sep 20 2014 Remi Collet  5.5.17-2
    - openssl: fix regression introduced in changes for upstream
      bugs #65137 and #41631, revert to 5.5.16 behavior
    * Thu Sep 18 2014 Remi Collet  5.5.17-1
    - Update to 5.5.17
      http://www.php.net/releases/5_5_17.php
    - fpm: fix script_name with mod_proxy_fcgi / proxypass
      add upstream patch for https://bugs.php.net/65641
    * Thu Aug 21 2014 Remi Collet  5.5.16-1
    - Update to 5.5.16
      http://www.php.net/releases/5_5_16.php
    - fix zts-php-config --php-binary output #1124605
    - move zts-php from php-devel to php-cli
    - revert fix for 67724 because of 67865
    * Thu Jul 24 2014 Remi Collet  5.5.15-1
    - Update to 5.5.15
      http://www.php.net/releases/5_5_15.php
    * Wed Jul 16 2014 Remi Collet  5.5.14-2
    - add upstream patch for #67605
    * Thu Jun 26 2014 Remi Collet  5.5.14-1
    - Update to 5.5.14
      http://www.php.net/releases/5_5_14.php
    - fix test for rhbz #971416
    * Thu Jun  5 2014 Remi Collet  5.5.13-3
    - fix regression introduced in fix for #67118
    * Tue Jun  3 2014 Remi Collet  5.5.13-2
    - fileinfo: fix insufficient boundary check
    - workaround regression introduced in fix for 67072 in
      serialize/unserialize functions
    * Fri May 30 2014 Remi Collet  5.5.13-1
    - Update to 5.5.13
      http://www.php.net/releases/5_5_13.php
    * Sat May  3 2014 Remi Collet  5.5.12-1
    - Update to 5.5.12
      http://www.php.net/releases/5_5_12.php
    - php-fpm: change default unix socket permission CVE-2014-0185
    * Thu Apr  3 2014 Remi Collet  5.5.11-1
    - Update to 5.5.11
      http://www.php.net/ChangeLog-5.php#5.5.11
    * Thu Mar  6 2014 Remi Collet  5.5.10-1
    - Update to 5.5.10
      http://www.php.net/ChangeLog-5.php#5.5.10
    - php-fpm should own /var/lib/php/session and wsdlcache
    - fix pcre test results with libpcre < 8.34
    * Tue Feb 18 2014 Remi Collet  5.5.9-2
    - upstream patch for https://bugs.php.net/66731
    * Tue Feb 11 2014 Remi Collet  5.5.9-1
    - Update to 5.5.9
      http://www.php.net/ChangeLog-5.php#5.5.9
    - Install macros to /usr/lib/rpm/macros.d
    * Thu Jan 23 2014 Joe Orton  - 5.5.8-2
    - fix _httpd_mmn expansion in absence of httpd-devel
    * Wed Jan  8 2014 Remi Collet  5.5.8-1
    - update to 5.5.8
    - drop conflicts with other opcode caches as both can
      be used only for user data cache
    * Wed Dec 11 2013 Remi Collet  5.5.7-1
    - update to 5.5.7, fix for CVE-2013-6420
    - fix zend_register_functions breaks reflection, php bug 66218
    - fix Heap buffer over-read in DateInterval, php bug 66060
    - fix overflow handling bug in non-x86
    --------------------------------------------------------------------------------
    References:
    
      [ 1 ] Bug #1204868 - php: SoapClient's __call() type confusion through unserialize()
            https://bugzilla.redhat.com/show_bug.cgi?id=1204868
    --------------------------------------------------------------------------------
    
    This update can be installed with the "yum" update program.  Use
    su -c 'yum update php' at the command line.
    For more information, refer to "Managing Software with yum",
    available at http://docs.fedoraproject.org/yum/.
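
As an added example, not part of the Fedora notification or of the php package itself, the POSIX sh script below checks whether a Fedora 20 host carries this update and whether the running web stack has actually picked it up. `yum update php` replaces the files on disk, but an httpd with mod_php loaded, or a php-fpm master, keeps executing the old code until it is restarted. The fixed build, php-5.5.23-1.fc20, is taken from the advisory above; the module name libphp5.so, the php-fpm binary name and the use of /proc/*/maps to find deleted mappings are the script's own assumptions.

```shell
#!/bin/sh
# Added example for FEDORA-2015-4216 (not Fedora's or php's own code): decide
# whether the installed php package is at or above php-5.5.23-1.fc20 and
# whether any running process still executes the pre-update code.
# Assumptions: `rpm -q php` prints NVR strings like php-5.5.23-1.fc20.x86_64;
# mod_php is libphp5.so; PHP-FPM's binary is php-fpm.

FIXED_VERSION="5.5.23"   # upstream version named in the advisory
FIXED_RELEASE_NUM="1"    # numeric part of the Fedora release "1.fc20"

# vercmp A B: print 1 if A > B, 0 if equal, -1 if A < B.
# Components are compared numerically, so 5.5.23 sorts after 5.5.9, which a
# plain string compare gets wrong. Pure sh: no rpmdev-vercmp or sort -V needed.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        bi="${b%%.*}"; if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then printf '%s\n' 1; return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then printf '%s\n' -1; return 0; fi
    done
    printf '%s\n' 0
}

# php_is_fixed NVR: succeed when NVR (as printed by `rpm -q php`) is at or
# above php-5.5.23-1.fc20. Any newer upstream version counts as fixed too.
php_is_fixed() {
    nvr="${1#php-}"                 # 5.5.23-1.fc20.x86_64
    ver="${nvr%%-*}"                # 5.5.23
    rel="${nvr#*-}"                 # 1.fc20.x86_64
    rel="${rel%%.*}"                # 1 (numeric release before the dist tag)
    case "$(vercmp "$ver" "$FIXED_VERSION")" in
        1)  return 0 ;;
        -1) return 1 ;;
        *)  [ "$rel" -ge "$FIXED_RELEASE_NUM" ] ;;
    esac
}

# stale_php_processes: print PIDs that still map a deleted libphp5.so (mod_php
# inside httpd) or a deleted php-fpm binary. After the update the files on disk
# are new, but these processes run the old code until restarted.
stale_php_processes() {
    grep -E -l '(libphp5\.so|/php-fpm).*\(deleted\)' /proc/[0-9]*/maps 2>/dev/null \
        | sed 's|^/proc/\([0-9]*\)/maps$|\1|'
}

check_host() {
    nvr="$(rpm -q php 2>/dev/null | head -n 1)"
    case "$nvr" in
        php-*) ;;
        *) echo "php is not installed; nothing to check"; return 0 ;;
    esac
    if ! php_is_fixed "$nvr"; then
        echo "VULNERABLE: $nvr is older than php-$FIXED_VERSION-$FIXED_RELEASE_NUM.fc20"
        echo "  fix: su -c 'yum update php'"
        return 1
    fi
    echo "OK: $nvr includes the FEDORA-2015-4216 fixes"
    stale="$(stale_php_processes)"
    if [ -n "$stale" ]; then
        echo "RESTART NEEDED: old PHP code still mapped by PID(s): $(printf '%s ' $stale)"
        echo "  fix: systemctl restart httpd   (and php-fpm, if in use)"
        return 1
    fi
    echo "OK: no running process maps a deleted libphp5.so or php-fpm"
    return 0
}

# Run the live check only where rpm exists; elsewhere the functions above can
# still be sourced and exercised with sample NVR strings.
if command -v rpm >/dev/null 2>&1; then
    check_host
fi
```

Run it as root after `yum update php`; a non-zero exit means either the package is still old or a restart is outstanding. The mapping check matters because the advisory's fixes are in code loaded into long-lived processes (httpd with mod_php, php-fpm), so the package version alone does not prove the vulnerable code is gone.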
    
    All packages are signed with the Fedora Project GPG key.  More details on the
    GPG keys used by the Fedora Project can be found at
    https://fedoraproject.org/keys
    --------------------------------------------------------------------------------
    _______________________________________________
    package-announce mailing list
    https://admin.fedoraproject.org/mailman/listinfo/package-announce
    