-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:149 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : php Date : August 6, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been discovered and corrected in php: Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments (CVE-2014-4698). Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments (CVE-2014-4670). file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7345 (CVE-2014-3538). The updated php packages have been upgraded to the 5.5.15 version and patched to resolve these security flaws. Additionally, the jsonc extension has been upgraded to the 1.3.6 version and the PECL packages which requires so has been rebuilt for php-5.5.15. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4698 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4670 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538 http://php.net/ChangeLog-5.php#5.5.15 http://pecl.php.net/package-changelog.php?package=jsonc&release=1.3.6 _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: a8f1a14a82942bc714d6a099be8e5185 mbs1/x86_64/apache-mod_php-5.5.15-1.2.mbs1.x86_64.rpm b985fbddf2bc3242ca7a2b9fa59d435a mbs1/x86_64/lib64php5_common5-5.5.15-1.2.mbs1.x86_64.rpm 4096874876026f741813d42aabc7fc77 mbs1/x86_64/php-apc-3.1.15-1.9.mbs1.x86_64.rpm 8fa4bca573ff32baa586e21900c990bd mbs1/x86_64/php-apc-admin-3.1.15-1.9.mbs1.x86_64.rpm 1e1e9b04d4e864b89c6ee72401d19f07 mbs1/x86_64/php-bcmath-5.5.15-1.2.mbs1.x86_64.rpm 33bf033aaa30e10913a577c7bf056edb mbs1/x86_64/php-bz2-5.5.15-1.2.mbs1.x86_64.rpm 30d344da1d8d979376b9ffed01ac756d mbs1/x86_64/php-calendar-5.5.15-1.2.mbs1.x86_64.rpm 119e13214a525f356965aab9a5e87819 mbs1/x86_64/php-cgi-5.5.15-1.2.mbs1.x86_64.rpm d77ce1bb2c2a73774c5ea8a8a94322bd mbs1/x86_64/php-cli-5.5.15-1.2.mbs1.x86_64.rpm b6fa475c440644e4844644fd2d0f4bd4 mbs1/x86_64/php-ctype-5.5.15-1.2.mbs1.x86_64.rpm 0941ee03a5e9a7378b4b01432ca99007 mbs1/x86_64/php-curl-5.5.15-1.2.mbs1.x86_64.rpm c0e67e0418764df9c0124aecc6d27c71 mbs1/x86_64/php-dba-5.5.15-1.2.mbs1.x86_64.rpm b4df22a9a0ec0e276e09dd30b63934ee mbs1/x86_64/php-devel-5.5.15-1.2.mbs1.x86_64.rpm 574920252543de382a55387b2446f9f4 mbs1/x86_64/php-doc-5.5.15-1.2.mbs1.noarch.rpm e6ea55d91a757b2a9bd7115ee3caafb0 mbs1/x86_64/php-dom-5.5.15-1.2.mbs1.x86_64.rpm 7059a143838f8b38ec0847de3530cc7d mbs1/x86_64/php-enchant-5.5.15-1.2.mbs1.x86_64.rpm 1b83052b9a3360afe0ce7d9d8c0516d1 mbs1/x86_64/php-exif-5.5.15-1.2.mbs1.x86_64.rpm 851123d71e3de3194ecc030f37fb31b7 mbs1/x86_64/php-fileinfo-5.5.15-1.2.mbs1.x86_64.rpm 2ad566bd050fb268e9e0c13354b24b07 mbs1/x86_64/php-filter-5.5.15-1.2.mbs1.x86_64.rpm 6607d2b46f3c32340fd6fa15471c75ee mbs1/x86_64/php-fpm-5.5.15-1.2.mbs1.x86_64.rpm 800d0e33e959b44e3705a081eac37707 mbs1/x86_64/php-ftp-5.5.15-1.2.mbs1.x86_64.rpm c5efe218dee0a5f8f685fe4887121df6 mbs1/x86_64/php-gd-5.5.15-1.2.mbs1.x86_64.rpm c0a2ff63842df51a013346920cd85633 mbs1/x86_64/php-gettext-5.5.15-1.2.mbs1.x86_64.rpm 6a8a00249372f1822a1028ea003badda mbs1/x86_64/php-gmp-5.5.15-1.2.mbs1.x86_64.rpm 3d782e96ec768e2fbfdcb4966c17e4c5 mbs1/x86_64/php-hash-5.5.15-1.2.mbs1.x86_64.rpm 03302374100cbef6b17b36040b97df46 mbs1/x86_64/php-iconv-5.5.15-1.2.mbs1.x86_64.rpm 67ef91b4144597a8eee105d8d9e39785 mbs1/x86_64/php-imap-5.5.15-1.2.mbs1.x86_64.rpm 9d79601ac46b53eb93848bbdb91ae588 mbs1/x86_64/php-ini-5.5.15-1.2.mbs1.x86_64.rpm 9d36114cf05a452aa807a7e546e9f0d2 mbs1/x86_64/php-intl-5.5.15-1.2.mbs1.x86_64.rpm fe3164ded9c067c86da9abba22c179c7 mbs1/x86_64/php-json-5.5.15-1.2.mbs1.x86_64.rpm 3514239c38af0dc7d9365e8b174903f4 mbs1/x86_64/php-ldap-5.5.15-1.2.mbs1.x86_64.rpm 3a9080553c9d0389c4b209c7a66136d6 mbs1/x86_64/php-mbstring-5.5.15-1.2.mbs1.x86_64.rpm 2e28885f866774b3a314839dc30cb753 mbs1/x86_64/php-mcrypt-5.5.15-1.2.mbs1.x86_64.rpm 4960ddc660751ade994774117d09350a mbs1/x86_64/php-mssql-5.5.15-1.2.mbs1.x86_64.rpm 002346daef828dc391ca3c9f9abb9202 mbs1/x86_64/php-mysql-5.5.15-1.2.mbs1.x86_64.rpm e8b7bdb3428d132287751dbb2864a6cb mbs1/x86_64/php-mysqli-5.5.15-1.2.mbs1.x86_64.rpm b9374638ca9b9cdcf5945e5a51fe3998 mbs1/x86_64/php-mysqlnd-5.5.15-1.2.mbs1.x86_64.rpm 2c5dcdb7c6dd6c380cdb3378c0ffa798 mbs1/x86_64/php-odbc-5.5.15-1.2.mbs1.x86_64.rpm 842b7243df7c44bc7ded4cc8dbf6bc0f mbs1/x86_64/php-opcache-5.5.15-1.2.mbs1.x86_64.rpm 29c7721a8124a6850f3797ebe65fd1ab mbs1/x86_64/php-openssl-5.5.15-1.2.mbs1.x86_64.rpm 8c189b29533a3607a255857be721d061 mbs1/x86_64/php-pcntl-5.5.15-1.2.mbs1.x86_64.rpm e8ae5b17760d973411a9638ed8b67142 mbs1/x86_64/php-pdo-5.5.15-1.2.mbs1.x86_64.rpm ffff28eafa9f41e4e045577b111e091d mbs1/x86_64/php-pdo_dblib-5.5.15-1.2.mbs1.x86_64.rpm b5a90904dc3df3671df1937927181e47 mbs1/x86_64/php-pdo_mysql-5.5.15-1.2.mbs1.x86_64.rpm 0eebd25c2cbe39bc9ed1b6c84ea4e636 mbs1/x86_64/php-pdo_odbc-5.5.15-1.2.mbs1.x86_64.rpm e8273d4181167213145e7a7682227274 mbs1/x86_64/php-pdo_pgsql-5.5.15-1.2.mbs1.x86_64.rpm 44dec8ad4b772d9c89944c3c4424c5a4 mbs1/x86_64/php-pdo_sqlite-5.5.15-1.2.mbs1.x86_64.rpm 943ed26187a3a5073014263018251eee mbs1/x86_64/php-pgsql-5.5.15-1.2.mbs1.x86_64.rpm 2789e51cc768ea3ac5184cca3ddea2eb mbs1/x86_64/php-phar-5.5.15-1.2.mbs1.x86_64.rpm 501fac63e7ec95c8dd2c6af9dec94bd6 mbs1/x86_64/php-posix-5.5.15-1.2.mbs1.x86_64.rpm 9fa10c1aa3db7a2c3529480b9a6615e7 mbs1/x86_64/php-readline-5.5.15-1.2.mbs1.x86_64.rpm 228da7b34f95e5a5de65d55dd3a83ef9 mbs1/x86_64/php-recode-5.5.15-1.2.mbs1.x86_64.rpm 1c463d4247e08f9b543e0cccae4e998f mbs1/x86_64/php-session-5.5.15-1.2.mbs1.x86_64.rpm 14d63fcafd6c7de0ee19f93e83067975 mbs1/x86_64/php-shmop-5.5.15-1.2.mbs1.x86_64.rpm ad069c46d67274dec72c65eaa37770ae mbs1/x86_64/php-snmp-5.5.15-1.2.mbs1.x86_64.rpm bd542c561fcacee6d1536044418b712d mbs1/x86_64/php-soap-5.5.15-1.2.mbs1.x86_64.rpm 52a6c80fb00752f4642b0376c76651fb mbs1/x86_64/php-sockets-5.5.15-1.2.mbs1.x86_64.rpm d548586123a66ac3d4dc2f4db3c67427 mbs1/x86_64/php-sqlite3-5.5.15-1.2.mbs1.x86_64.rpm 0ff1e1b38f3c9a4e28ff13b91bcaa374 mbs1/x86_64/php-sybase_ct-5.5.15-1.2.mbs1.x86_64.rpm 4693d5e0aef85ab23390bb671788857d mbs1/x86_64/php-sysvmsg-5.5.15-1.2.mbs1.x86_64.rpm ba9fd1a164298a79b4013380200f1eba mbs1/x86_64/php-sysvsem-5.5.15-1.2.mbs1.x86_64.rpm 7ee3e362aa88cfebbccbeef4dc8e8426 mbs1/x86_64/php-sysvshm-5.5.15-1.2.mbs1.x86_64.rpm b9b6ead8e979a87f501a2b7302860db4 mbs1/x86_64/php-tidy-5.5.15-1.2.mbs1.x86_64.rpm 25de207b2d6ef7b4ac127874d80060fa mbs1/x86_64/php-tokenizer-5.5.15-1.2.mbs1.x86_64.rpm 7143d2b5bb4731d78f474788b4872930 mbs1/x86_64/php-wddx-5.5.15-1.2.mbs1.x86_64.rpm b365a335827c42c7f9df6f425dfc4ec0 mbs1/x86_64/php-xml-5.5.15-1.2.mbs1.x86_64.rpm daf5a2a4f62d0a2627b965ce22bd5361 mbs1/x86_64/php-xmlreader-5.5.15-1.2.mbs1.x86_64.rpm dc127c9e655876584af86975b59e228d mbs1/x86_64/php-xmlrpc-5.5.15-1.2.mbs1.x86_64.rpm 3f6300aa39367c97305fb28f03db82e0 mbs1/x86_64/php-xmlwriter-5.5.15-1.2.mbs1.x86_64.rpm bc940bf9eb010e3b400442a7f2ea1082 mbs1/x86_64/php-xsl-5.5.15-1.2.mbs1.x86_64.rpm 0182998fa478cacac8e6e036f6e910a4 mbs1/x86_64/php-zip-5.5.15-1.2.mbs1.x86_64.rpm c3af540e3596b126a0b9ba4c4dccafe6 mbs1/x86_64/php-zlib-5.5.15-1.2.mbs1.x86_64.rpm 7619610a141a2d051dccf3a5ad05be04 mbs1/SRPMS/php-5.5.15-1.2.mbs1.src.rpm 19c9a0c5a6cf7f42d26989bab0a826d5 mbs1/SRPMS/php-apc-3.1.15-1.9.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFT4dwGmqjQ0CJFipgRAhHrAKCvRKwurJLUDoDK1bEA53EN56UazgCfU+Fy 8J3pIbBMt4OgLcC9mR1U9pM= =wN9t -----END PGP SIGNATURE-----