Updated php packages fix security vulnerabilities
Publication date: 08 Aug 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-3538, CVE-2014-4670, CVE-2014-4698
Description
Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments (CVE-2014-4698).

Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments (CVE-2014-4670).

file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule, due to an incomplete fix for CVE-2013-7345 (CVE-2014-3538).

The php packages have been updated to 5.4.31 for Mageia 3 and 5.5.14 for Mageia 4, and additional patches have been added to fix these issues and several other bugs.

Also, php-apc has been rebuilt against the updated PHP versions and the php-timezonedb package has been updated to the latest version, 2014.5.

Additionally, the jsonc extension has been upgraded to the 1.3.6 version.
References
- https://bugs.mageia.org/show_bug.cgi?id=13796
- http://php.net/ChangeLog-5.php#5.4.31
- http://php.net/ChangeLog-5.php#5.5.15
- http://pecl.php.net/package-changelog.php?package=jsonc&release=1.3.6
- http://lists.opensuse.org/opensuse-updates/2014-07/msg00035.html
- http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:149/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4670
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4698
SRPMS
4/core
- php-5.5.15-1.1.mga4
- php-apc-3.1.15-4.6.mga4
- php-timezonedb-2014.5-1.mga4
3/core
- php-5.4.31-1.2.mga3
- php-apc-3.1.14-7.11.mga3
- php-gd-bundled-5.4.31-1.mga3
- php-timezonedb-2014.5-1.mga3