Alerts This Week
Warning Icon 1 714
Alerts This Week
Warning Icon 1 714

Fedora 21 Critical Advisory: PHP Code Fixes and Vulnerability Mitigation

fedora
Calendar Grey April 23, 2015
Dist Fedora Esm H88
Dive into the Fedora 21 PHP security enhancement aimed at bolstering system reliability and addressing vulnerabilities that could lead to remote code execution through various bug remedies.
16 Apr 2015, **PHP 5.6.8** Core: * Fixed bug #66609 (php crashes with __get() and ++ operator in some cases)

Summary

PHP is an HTML-embedded scripting language. PHP attempts to make it

easy for developers to write dynamically generated web pages. PHP also

offers built-in database integration for several commercial and

non-commercial database management systems, so writing a

database-enabled webpage with PHP is fairly simple. The most common

use of PHP coding is probably as a replacement for CGI scripts.

The php package contains the module (often referred to as mod_php)

which adds support for the PHP language to Apache HTTP Server.

Update Information:

16 Apr 2015, **PHP 5.6.8**

Core: * Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). (Dmitry, Laruence) * Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters). (Tjerk) * Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai) * Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski) * Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString). (Stas) * Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values). (Juan Basso) * Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing). (Nikita) * Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator). (Nikita) * Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability). (Stas) * Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions)....

Read the Full Advisory

Topics%20covered

Topics Covered

security advisory fedora critical php remote code execution bug fixes core fixes

Change Log

* Thu Apr 16 2015 Remi Collet 5.6.8-1 - Update to 5.6.8 https://www.php.net/releases/5_6_8.php * Fri Mar 20 2015 Remi Collet 5.6.7-1 - Update to 5.6.7 https://www.php.net/releases/5_6_7.php * Thu Feb 19 2015 Remi Collet 5.6.6-1 - Update to 5.6.6 https://www.php.net/releases/5_6_6.php * Thu Jan 22 2015 Remi Collet 5.6.5-1 - Update to 5.6.5 https://www.php.net/releases/5_6_5.php - FPM: enable ACL support for Unix Domain Socket * Wed Dec 17 2014 Remi Collet 5.6.4-2 - Update to 5.6.4 (real) https://www.php.net/releases/5_6_4.php - php-xmlrpc requires php-xml * Wed Dec 10 2014 Remi Collet 5.6.4-1 - Update to 5.6.4 https://www.php.net/releases/5_6_4.php * Fri Nov 28 2014 Remi Collet 5.6.4-0.1.RC1 - php 5.6.4RC1 * Mon Nov 17 2014 Remi Collet 5.6.3-4 - FPM: add upstream patch for https://bugs.php.net/index.php listen.allowed_clients is IPv4 only * Mon Nov 17 2014 Remi Collet 5.6.3-3 - sync php-fpm configuration with upstream - refresh upstream patch for 68421 * Sun Nov 16 2014 Remi Collet 5.6.3-2 - FPM: add upstream patch for https://bugs.php.net/index.php access.format=R doesn't log ipv6 address - FPM: add upstream patch for https://bugs.php.net/index.php listen=9000 listens to ipv6 localhost instead of all addresses - FPM: add upstream patch for https://bugs.php.net/index.php will no longer load all pools * Thu Nov 13 2014 Remi Collet 5.6.3-1 - Update to PHP 5.6.3 https://www.php.net/releases/5_6_3.php * Fri Oct 31 2014 Remi Collet 5.6.3-0.2.RC1 - php 5.6.3RC1 (refreshed, phpdbg changes reverted) - new version of systzdata patch, fix case sensitivity - ignore Factory in date tests * Wed Oct 29 2014 Remi Collet 5.6.3-0.1.RC1 - php 5.6.3RC1 - disable opcache.fast_shutdown in default config - enable phpdbg_webhelper new extension (in php-dbg)

References


[ 1 ] Bug #1185900 - CVE-2015-1351 php: use after free in opcache extension https://bugzilla.redhat.com/show_bug.cgi?id=1185900 [ 2 ] Bug #1213407 - php: missing null byte checks for paths in various PHP extensions https://bugzilla.redhat.com/show_bug.cgi?id=1213407 [ 3 ] Bug #1213411 - php: use-after-free vulnerability in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER https://bugzilla.redhat.com/show_bug.cgi?id=1213411 [ 4 ] Bug #1185904 - CVE-2015-1352 php: NULL pointer dereference in pgsql extension https://bugzilla.redhat.com/show_bug.cgi?id=1185904 [ 5 ] Bug #1213416 - php: NULL pointer dereference at ext/ereg/regex/regcomp.c https://bugzilla.redhat.com/show_bug.cgi?id=1213416 [ 6 ] Bug #1213442 - php: denial of service when processing a crafted file with Fileinfo https://bugzilla.redhat.com/show_bug.cgi?id=1213442 [ 7 ] Bug #1213446 - CVE-2015-2783 php: Buffer Over-read in unserialize when parsing Phar ...

Read the Full Advisory

Update Instructions

This update can be installed with the "yum" update program. Use su -c 'yum update php' at the command line. For more information, refer to "Managing Software with yum", available at .

Severity
critical
Lowest
Low
Medium
High
Critical

Name: php
Product: Fedora 21
Version: 5.6.8
Release: 1.fc21
URL: https://www.php.net/
Summary: PHP scripting language for creating dynamic web sites

Topics%20covered

Topics Covered

security advisory fedora critical php remote code execution bug fixes core fixes

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here