-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:075
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : php
 Date    : April 10, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been discovered and corrected in php:

 The BEGIN regular expression in the awk script detector in
 magic/Magdir/commands in file before 5.15 uses multiple wildcards
 with unlimited repetitions, which allows context-dependent attackers
 to cause a denial of service (CPU consumption) via a crafted ASCII
 file that triggers a large amount of backtracking, as demonstrated
 via a file with many newline characters (CVE-2013-7345).

 The updated php packages have been upgraded to the 5.5.11 version
 which is not vulnerable to this issue.

 Also, the timezonedb PHP PECL module has been updated to the latest
 2014.2 version.

 Additionally, the PECL packages which require it have been rebuilt
 for php-5.5.11.
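 The backtracking cost described above, as an added example that is not
 part of the advisory and is not code from file or PHP. It is a
 step-counting model of a backtracking search for a pattern of the shape
 whitespace run, BEGIN, whitespace run, {; the pattern shape, the cap of
 100 repetitions and all function names are assumptions made for
 illustration, since the magic entry itself is not reproduced here.

```python
"""Constructed model (not file's regex engine): step count of a backtracking
search for  <whitespace run> BEGIN <whitespace run> {  tried at every offset."""

WS = " \t\r\n"


def ws_run(data, pos, limit):
    """Greedy whitespace run length at pos; limit=None means unbounded."""
    n = 0
    while pos + n < len(data) and data[pos + n] in WS and (limit is None or n < limit):
        n += 1
    return n


def search_cost(data, limit=None):
    """Return (matched, steps). A step is one character consumed by a
    whitespace run or one attempt to match the literal that follows it."""
    steps = 0
    for start in range(len(data) + 1):
        run1 = ws_run(data, start, limit)
        steps += run1
        for k in range(run1, -1, -1):          # give back one character at a time
            steps += 1
            p = start + k
            if not data.startswith("BEGIN", p):
                continue
            p += len("BEGIN")
            run2 = ws_run(data, p, limit)
            steps += run2
            for j in range(run2, -1, -1):
                steps += 1
                if data.startswith("{", p + j):
                    return True, steps
    return False, steps


def doubling_ratio(n, limit=None):
    """Cost growth when a newline-only input doubles from n to 2n bytes."""
    small = search_cost("\n" * n, limit)[1]
    large = search_cost("\n" * (2 * n), limit)[1]
    return large / small


if __name__ == "__main__":
    for n in (500, 1000, 2000):                # constructed newline-only inputs
        blob = "\n" * n
        print(n, search_cost(blob)[1], search_cost(blob, limit=100)[1])
    print(search_cost("BEGIN {\n  print 1\n}\n"))   # ordinary awk script: cheap match
```

 In this model the unbounded runs cost (n+1)^2 steps on n newlines, so
 doubling the input quadruples the work, while the capped runs grow
 linearly and still match ordinary scripts.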
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345
 http://www.php.net/ChangeLog-5.php#5.5.11
 https://bugs.php.net/bug.php?id=66946
 http://pecl.php.net/package-info.php?package=timezonedb&version=2014.2
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFTRnFtmqjQ0CJFipgRAl55AKC/6hbtpY8KcAFw/dVpytpAX2NTZACeKyJS
A5+PL+7Tbndun3dSFZDkzvk=
=X5lW
-----END PGP SIGNATURE-----