-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:087
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : php
 Date    : May 15, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been discovered and corrected in php:

 PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain
 socket with world-writable permissions by default, which allows any
 local user to connect to it and execute PHP scripts as the apache user
 (CVE-2014-0185).

 The updated php packages have been upgraded to the 5.5.12 version,
 which is not vulnerable to this issue.

 Additionally, the timezonedb packages have been upgraded to the latest
 2014.3 version, the php-suhosin packages have been upgraded to the
 latest 0.9.35 version, which has better support for php-5.5, and the
 PECL packages that require it have been rebuilt for php-5.5.12.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0185
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD4DBQFTdGLcmqjQ0CJFipgRAt/SAKD2bOJ+Od3npvQEop5sKD27dzqRyACYvP65
dJiEmD7K3fatPFHMJZnewQ==
=nwr2
-----END PGP SIGNATURE-----
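
Added example, not part of the Mandriva advisory or of PHP's own code: a local audit for the condition described under CVE-2014-0185, which parses php-fpm pool definitions for UNIX sockets that are or may be world-writable and checks a live socket's mode bits. `listen` and `listen.mode` are php-fpm directives; the sample pool text, paths, pool names and function names are constructed for illustration, and an unset `listen.mode` is reported because the resulting mode then depends on the build default the advisory describes.

```python
import os
import re
import stat

# Constructed sample pool definitions; [www] leaves listen.mode unset on purpose.
SAMPLE_POOLS = """\
[www]
listen = /var/lib/php-fpm/www.sock
[api]
listen = /var/lib/php-fpm/api.sock
listen.mode = 0660
[legacy]
listen = /var/lib/php-fpm/legacy.sock
listen.mode = 0666
[tcp]
listen = 127.0.0.1:9000
"""

def audit_pools(text):
    """Return (pool, reason) for pools whose UNIX socket may be writable by any local user."""
    pools, name = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            name = m.group(1)
            pools[name] = {}
        elif name and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            pools[name][key] = value
    findings = []
    for pool, conf in pools.items():
        listen = conf.get("listen", "")
        if not listen.startswith("/"):           # TCP listeners are out of scope here
            continue
        mode = conf.get("listen.mode")
        if mode is None:
            findings.append((pool, "listen.mode unset, socket mode depends on build default"))
        elif int(mode, 8) & stat.S_IWOTH:
            findings.append((pool, "listen.mode %s grants write to others" % mode))
    return findings

def socket_world_writable(path):
    """True if path is a UNIX socket with the other-write permission bit set."""
    st = os.stat(path)
    return stat.S_ISSOCK(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)

if __name__ == "__main__":
    print(audit_pools(SAMPLE_POOLS))
```

On a host, feed `audit_pools` the contents of each pool file and run `socket_world_writable` against every socket path it reports.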