Advisories » MGASA-2015-0276

Updated php package fixes security vulnerabilities

Publication date: 23 Jul 2015
Modification date: 23 Jul 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2015-5589, CVE-2015-5590

Description

Segfault in Phar::convertToData on invalid file (CVE-2015-5589).

Buffer overflow and stack smashing error in phar_fix_filepath
(CVE-2015-5590).

The php package has been updated to version 5.5.27, which fixes these
issues, as well as other possible bugs and security issues, including the
BACKRONYM flaw, which allows php-mysqlnd client connections that were
supposed to use SSL/TLS to be downgraded to an unencrypted connection.

References

SRPMS

4/core