Advisories ยป MGASA-2014-0324

Updated php packages fix security vulnerabilities

Publication date: 08 Aug 2014
Modification date: 08 Aug 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-3538 , CVE-2014-4670 , CVE-2014-4698

Description

Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in
PHP through 5.5.14 allows context-dependent attackers to cause a denial of
service or possibly have unspecified other impact via crafted ArrayIterator
usage within applications in certain web-hosting environments (CVE-2014-4698).

Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in
PHP through 5.5.14 allows context-dependent attackers to cause a denial of
service or possibly have unspecified other impact via crafted iterator usage
within applications in certain web-hosting environments (CVE-2014-4670).

file before 5.19 does not properly restrict the amount of data read during
a regex search, which allows remote attackers to cause a denial of service
(CPU consumption) via a crafted file that triggers backtracking during
processing of an awk rule, due to an incomplete fix for CVE-2013-7345
(CVE-2014-3538).

The php packages have been updated to 5.4.31 for Mageia 3 and 5.5.14 for
Mageia 4, and additional patches have been added to fix these issues and
several other bugs.

Also, php-apc has been rebuilt against the updated PHP versions and the
php-timezonedb package has been updated to the latest version, 2014.5.

Additionally, the jsonc extension has been upgraded to the 1.3.6
version.

References

SRPMS

3/core

4/core