Advisories » MGASA-2014-0215

Updated php packages fix CVE-2014-0185

Publication date: 14 May 2014
Modification date: 14 May 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-0185

Description

Updated php packages fix a security vulnerability:

PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain socket
with world-writable permissions by default, which allows any local user to
connect to it and execute PHP scripts as the apache user (CVE-2014-0185).

Additionally, the updated php-suhosin package corrects an issue which could
cause a segfault in apache. The php-timezonedb package is also updated.
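To check a host for the socket exposure described in CVE-2014-0185, the following added example (not part of the advisory or of the PHP packages) audits php-fpm pool configuration for UNIX sockets that any local user could connect to. The pool names and socket paths are constructed; `listen` and `listen.mode` are php-fpm's own pool directives.

```python
import os
import stat
# Constructed sample pool configuration; pool names and paths are made up.
SAMPLE_CONF = """\
[www]
listen = /run/example-fpm/www.sock   ; listen.mode not set
[api]
listen = /run/example-fpm/api.sock
listen.mode = 0660
[legacy]
listen = /run/example-fpm/legacy.sock
listen.mode = 0666
[tcp]
listen = 127.0.0.1:9000
"""

def parse_pools(text):
    """Parse php-fpm INI-style pool sections into {pool: {directive: value}}."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = pools.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return pools

def socket_world_writable(path):
    """True if path exists, is a UNIX socket and has the other-write bit set."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISSOCK(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)

def audit(text):
    """Return {pool: finding} for pools whose UNIX socket is open to all users."""
    findings = {}
    for name, cfg in parse_pools(text).items():
        listen, mode = cfg.get("listen", ""), cfg.get("listen.mode")
        if not listen.startswith("/"):
            continue                                  # TCP listener, not a socket file
        if mode is None:
            findings[name] = "listen.mode unset, socket mode depends on build default"
        elif int(mode, 8) & stat.S_IWOTH:
            findings[name] = "listen.mode %s is world-writable" % mode
        elif socket_world_writable(listen):
            findings[name] = "socket on disk is world-writable despite listen.mode"
    return findings
```

On the constructed sample, `audit(SAMPLE_CONF)` flags the `www` and `legacy` pools. A pool flagged for an unset `listen.mode` is exposed on the PHP versions the advisory lists as vulnerable unless the mode is set explicitly.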
                

References

SRPMS

4/core

3/core