
Mageia alert MGASA-2013-0101 (php)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2013-0101: php-5.3.23-1.mga2 (2/core)
Date:  Tue, 2 Apr 2013 22:04:47 +0200
Message-ID:  <20130402200447.GA5322@valstar.mageia.org>

MGASA-2013-0101
Date: April 2nd, 2013
Affected releases: 2
Media: Core

Description:

Multiple vulnerabilities have been discovered and corrected in php:

ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory (CVE-2013-1635).

The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions (CVE-2013-1643).

The fix for upstream php bug #61930, "openssl corrupts ssl key resource when using openssl_get_publickey()", has been backported to php-5.3.x.

The new "Powered by Mageia" logo has been added to php; this is only a cosmetic change.

The authentication logic, and the way it was handled in the APC admin script in the php-apc-admin package, was flawed. If you had previously enabled authentication by setting a password in the /var/www/php-apc/index.php file, that change would be lost on a future update of the package. If the authentication mechanism was not used, local users could access features they should not have had access to. This has been addressed by using a new /etc/php-apc/config.php configuration file containing the authentication credentials and more, in a much safer, more secure and update-friendly way. The owner of the system (the root user or equivalent) has to examine the /etc/php-apc/config.php file for the login name and password. A strong password is automatically generated on new installs.

The php-timezonedb package has been updated to the 2013.2 version.

The updated packages have been upgraded to the 5.3.23 version, which is not vulnerable to these issues. Additionally, the packages that require it have been rebuilt for php-5.3.23.

Updated Packages:

i586:
 apache-mod_php-5.3.23-1.mga2.i586.rpm
 libphp5_common5-5.3.23-1.mga2.i586.rpm
 php-bcmath-5.3.23-1.mga2.i586.rpm
 php-bz2-5.3.23-1.mga2.i586.rpm
 php-calendar-5.3.23-1.mga2.i586.rpm
 php-cgi-5.3.23-1.mga2.i586.rpm
 php-cli-5.3.23-1.mga2.i586.rpm
 php-ctype-5.3.23-1.mga2.i586.rpm
 php-curl-5.3.23-1.mga2.i586.rpm
 php-dba-5.3.23-1.mga2.i586.rpm
 php-devel-5.3.23-1.mga2.i586.rpm
 php-dom-5.3.23-1.mga2.i586.rpm
 php-enchant-5.3.23-1.mga2.i586.rpm
 php-exif-5.3.23-1.mga2.i586.rpm
 php-fileinfo-5.3.23-1.mga2.i586.rpm
 php-filter-5.3.23-1.mga2.i586.rpm
 php-fpm-5.3.23-1.mga2.i586.rpm
 php-ftp-5.3.23-1.mga2.i586.rpm
 php-gd-5.3.23-1.mga2.i586.rpm
 php-gettext-5.3.23-1.mga2.i586.rpm
 php-gmp-5.3.23-1.mga2.i586.rpm
 php-hash-5.3.23-1.mga2.i586.rpm
 php-iconv-5.3.23-1.mga2.i586.rpm
 php-imap-5.3.23-1.mga2.i586.rpm
 php-ini-5.3.23-1.mga2.i586.rpm
 php-intl-5.3.23-1.mga2.i586.rpm
 php-json-5.3.23-1.mga2.i586.rpm
 php-ldap-5.3.23-1.mga2.i586.rpm
 php-mbstring-5.3.23-1.mga2.i586.rpm
 php-mcrypt-5.3.23-1.mga2.i586.rpm
 php-mssql-5.3.23-1.mga2.i586.rpm
 php-mysql-5.3.23-1.mga2.i586.rpm
 php-mysqli-5.3.23-1.mga2.i586.rpm
 php-mysqlnd-5.3.23-1.mga2.i586.rpm
 php-odbc-5.3.23-1.mga2.i586.rpm
 php-openssl-5.3.23-1.mga2.i586.rpm
 php-pcntl-5.3.23-1.mga2.i586.rpm
 php-pdo-5.3.23-1.mga2.i586.rpm
 php-pdo_dblib-5.3.23-1.mga2.i586.rpm
 php-pdo_mysql-5.3.23-1.mga2.i586.rpm
 php-pdo_odbc-5.3.23-1.mga2.i586.rpm
 php-pdo_pgsql-5.3.23-1.mga2.i586.rpm
 php-pdo_sqlite-5.3.23-1.mga2.i586.rpm
 php-pgsql-5.3.23-1.mga2.i586.rpm
 php-phar-5.3.23-1.mga2.i586.rpm
 php-posix-5.3.23-1.mga2.i586.rpm
 php-readline-5.3.23-1.mga2.i586.rpm
 php-recode-5.3.23-1.mga2.i586.rpm
 php-session-5.3.23-1.mga2.i586.rpm
 php-shmop-5.3.23-1.mga2.i586.rpm
 php-snmp-5.3.23-1.mga2.i586.rpm
 php-soap-5.3.23-1.mga2.i586.rpm
 php-sockets-5.3.23-1.mga2.i586.rpm
 php-sqlite3-5.3.23-1.mga2.i586.rpm
 php-sqlite-5.3.23-1.mga2.i586.rpm
 php-sybase_ct-5.3.23-1.mga2.i586.rpm
 php-sysvmsg-5.3.23-1.mga2.i586.rpm
 php-sysvsem-5.3.23-1.mga2.i586.rpm
 php-sysvshm-5.3.23-1.mga2.i586.rpm
 php-tidy-5.3.23-1.mga2.i586.rpm
 php-tokenizer-5.3.23-1.mga2.i586.rpm
 php-wddx-5.3.23-1.mga2.i586.rpm
 php-xml-5.3.23-1.mga2.i586.rpm
 php-xmlreader-5.3.23-1.mga2.i586.rpm
 php-xmlrpc-5.3.23-1.mga2.i586.rpm
 php-xmlwriter-5.3.23-1.mga2.i586.rpm
 php-xsl-5.3.23-1.mga2.i586.rpm
 php-zip-5.3.23-1.mga2.i586.rpm
 php-zlib-5.3.23-1.mga2.i586.rpm
 php-debug-5.3.23-1.mga2.i586.rpm
 php-firebird-5.3.23-1.mga2.i586.rpm
 php-firebird-debug-5.3.23-1.mga2.i586.rpm
 php-gd-bundled-5.3.23-1.mga2.i586.rpm
 php-gd-bundled-debug-5.3.23-1.mga2.i586.rpm
 php-pdo_firebird-5.3.23-1.mga2.i586.rpm
 php-pdo_firebird-debug-5.3.23-1.mga2.i586.rpm
 php-apc-3.1.13-1.7.mga2.i586.rpm
 php-apc-admin-3.1.13-1.7.mga2.i586.rpm
 php-apc-debug-3.1.13-1.7.mga2.i586.rpm
 php-eaccelerator-0.9.6.1-10.9.mga2.i586.rpm
 php-eaccelerator-admin-0.9.6.1-10.9.mga2.i586.rpm
 php-eaccelerator-debug-0.9.6.1-10.9.mga2.i586.rpm
 php-timezonedb-2013.2-1.mga2.i586.rpm
 php-timezonedb-debug-2013.2-1.mga2.i586.rpm

x86_64:
 apache-mod_php-5.3.23-1.mga2.x86_64.rpm
 lib64php5_common5-5.3.23-1.mga2.x86_64.rpm
 php-bcmath-5.3.23-1.mga2.x86_64.rpm
 php-bz2-5.3.23-1.mga2.x86_64.rpm
 php-calendar-5.3.23-1.mga2.x86_64.rpm
 php-cgi-5.3.23-1.mga2.x86_64.rpm
 php-cli-5.3.23-1.mga2.x86_64.rpm
 php-ctype-5.3.23-1.mga2.x86_64.rpm
 php-curl-5.3.23-1.mga2.x86_64.rpm
 php-dba-5.3.23-1.mga2.x86_64.rpm
 php-devel-5.3.23-1.mga2.x86_64.rpm
 php-dom-5.3.23-1.mga2.x86_64.rpm
 php-enchant-5.3.23-1.mga2.x86_64.rpm
 php-exif-5.3.23-1.mga2.x86_64.rpm
 php-fileinfo-5.3.23-1.mga2.x86_64.rpm
 php-filter-5.3.23-1.mga2.x86_64.rpm
 php-fpm-5.3.23-1.mga2.x86_64.rpm
 php-ftp-5.3.23-1.mga2.x86_64.rpm
 php-gd-5.3.23-1.mga2.x86_64.rpm
 php-gettext-5.3.23-1.mga2.x86_64.rpm
 php-gmp-5.3.23-1.mga2.x86_64.rpm
 php-hash-5.3.23-1.mga2.x86_64.rpm
 php-iconv-5.3.23-1.mga2.x86_64.rpm
 php-imap-5.3.23-1.mga2.x86_64.rpm
 php-ini-5.3.23-1.mga2.x86_64.rpm
 php-intl-5.3.23-1.mga2.x86_64.rpm
 php-json-5.3.23-1.mga2.x86_64.rpm
 php-ldap-5.3.23-1.mga2.x86_64.rpm
 php-mbstring-5.3.23-1.mga2.x86_64.rpm
 php-mcrypt-5.3.23-1.mga2.x86_64.rpm
 php-mssql-5.3.23-1.mga2.x86_64.rpm
 php-mysql-5.3.23-1.mga2.x86_64.rpm
 php-mysqli-5.3.23-1.mga2.x86_64.rpm
 php-mysqlnd-5.3.23-1.mga2.x86_64.rpm
 php-odbc-5.3.23-1.mga2.x86_64.rpm
 php-openssl-5.3.23-1.mga2.x86_64.rpm
 php-pcntl-5.3.23-1.mga2.x86_64.rpm
 php-pdo-5.3.23-1.mga2.x86_64.rpm
 php-pdo_dblib-5.3.23-1.mga2.x86_64.rpm
 php-pdo_mysql-5.3.23-1.mga2.x86_64.rpm
 php-pdo_odbc-5.3.23-1.mga2.x86_64.rpm
 php-pdo_pgsql-5.3.23-1.mga2.x86_64.rpm
 php-pdo_sqlite-5.3.23-1.mga2.x86_64.rpm
 php-pgsql-5.3.23-1.mga2.x86_64.rpm
 php-phar-5.3.23-1.mga2.x86_64.rpm
 php-posix-5.3.23-1.mga2.x86_64.rpm
 php-readline-5.3.23-1.mga2.x86_64.rpm
 php-recode-5.3.23-1.mga2.x86_64.rpm
 php-session-5.3.23-1.mga2.x86_64.rpm
 php-shmop-5.3.23-1.mga2.x86_64.rpm
 php-snmp-5.3.23-1.mga2.x86_64.rpm
 php-soap-5.3.23-1.mga2.x86_64.rpm
 php-sockets-5.3.23-1.mga2.x86_64.rpm
 php-sqlite3-5.3.23-1.mga2.x86_64.rpm
 php-sqlite-5.3.23-1.mga2.x86_64.rpm
 php-sybase_ct-5.3.23-1.mga2.x86_64.rpm
 php-sysvmsg-5.3.23-1.mga2.x86_64.rpm
 php-sysvsem-5.3.23-1.mga2.x86_64.rpm
 php-sysvshm-5.3.23-1.mga2.x86_64.rpm
 php-tidy-5.3.23-1.mga2.x86_64.rpm
 php-tokenizer-5.3.23-1.mga2.x86_64.rpm
 php-wddx-5.3.23-1.mga2.x86_64.rpm
 php-xml-5.3.23-1.mga2.x86_64.rpm
 php-xmlreader-5.3.23-1.mga2.x86_64.rpm
 php-xmlrpc-5.3.23-1.mga2.x86_64.rpm
 php-xmlwriter-5.3.23-1.mga2.x86_64.rpm
 php-xsl-5.3.23-1.mga2.x86_64.rpm
 php-zip-5.3.23-1.mga2.x86_64.rpm
 php-zlib-5.3.23-1.mga2.x86_64.rpm
 php-debug-5.3.23-1.mga2.x86_64.rpm
 php-firebird-5.3.23-1.mga2.x86_64.rpm
 php-firebird-debug-5.3.23-1.mga2.x86_64.rpm
 php-gd-bundled-5.3.23-1.mga2.x86_64.rpm
 php-gd-bundled-debug-5.3.23-1.mga2.x86_64.rpm
 php-pdo_firebird-5.3.23-1.mga2.x86_64.rpm
 php-pdo_firebird-debug-5.3.23-1.mga2.x86_64.rpm
 php-apc-3.1.13-1.7.mga2.x86_64.rpm
 php-apc-admin-3.1.13-1.7.mga2.x86_64.rpm
 php-apc-debug-3.1.13-1.7.mga2.x86_64.rpm
 php-eaccelerator-0.9.6.1-10.9.mga2.x86_64.rpm
 php-eaccelerator-admin-0.9.6.1-10.9.mga2.x86_64.rpm
 php-eaccelerator-debug-0.9.6.1-10.9.mga2.x86_64.rpm
 php-timezonedb-2013.2-1.mga2.x86_64.rpm
 php-timezonedb-debug-2013.2-1.mga2.x86_64.rpm

SRPMS:
 php-5.3.23-1.mga2.src.rpm
 php-firebird-5.3.23-1.mga2.src.rpm
 php-gd-bundled-5.3.23-1.mga2.src.rpm
 php-pdo_firebird-5.3.23-1.mga2.src.rpm
 php-apc-3.1.13-1.7.mga2.src.rpm
 php-eaccelerator-0.9.6.1-10.9.mga2.src.rpm
 php-timezonedb-2013.2-1.mga2.src.rpm

References:
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1635
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1643
 http://www.php.net/ChangeLog-5.php#5.3.20
 http://www.php.net/ChangeLog-5.php#5.3.21
 http://www.php.net/ChangeLog-5.php#5.3.22
 http://www.php.net/ChangeLog-5.php#5.3.23
 https://bugs.php.net/bug.php?id=61930
 https://bugs.mageia.org/show_bug.cgi?id=8489
 https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-...
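The two SOAP issues in the description above lend themselves to configuration and input checks that an administrator can run before (or independently of) applying the update. The script below is an added example written for this page; it is not code from the Mageia advisory, from PHP, or from the php-apc package. It reads a php.ini-style fragment and confirms that soap.wsdl_cache_dir lies inside one of the open_basedir entries (the relationship the advisory says PHP before 5.3.22 did not validate; the containment rule used here, "equal to or below an open_basedir entry", is an assumption modelled on PHP's usual open_basedir semantics), and it inspects a WSDL document for external entity declarations without ever resolving them, which is the pre-check you would want in front of a SOAP client on an unpatched host. The php.ini fragments and WSDL documents are constructed samples, and the SYSTEM identifier in the sample is a placeholder.

```python
"""Added example (not part of the Mageia advisory or of PHP): defender-side
checks for CVE-2013-1635 (soap.wsdl_cache_dir vs open_basedir) and
CVE-2013-1643 (external entities in a WSDL document).
All inputs below are constructed samples."""
import posixpath
import xml.parsers.expat

SAMPLE_PHP_INI_BAD = """
[PHP]
open_basedir = "/var/www/example:/usr/share/php"
[soap]
soap.wsdl_cache_enabled = 1
; cache directory left at PHP's default, which is outside open_basedir
soap.wsdl_cache_dir = "/tmp"
"""

SAMPLE_PHP_INI_GOOD = """
[PHP]
open_basedir = "/var/www/example:/usr/share/php"
[soap]
soap.wsdl_cache_enabled = 1
soap.wsdl_cache_dir = "/var/www/example/cache/../cache/wsdl"
"""

# Constructed WSDL: one harmless internal entity, one external entity plus a
# reference to it.  The SYSTEM identifier is a placeholder, not a real path.
SAMPLE_WSDL_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE definitions [
  <!ENTITY vendor "Example Corp">
  <!ENTITY ext SYSTEM "file:///placeholder/local/file">
]>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="demo">
  <documentation>&vendor; &ext;</documentation>
</definitions>
"""

SAMPLE_WSDL_CLEAN = b"""<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="demo">
  <documentation>Example Corp</documentation>
</definitions>
"""


def parse_ini_directives(ini_text):
    """Map directive -> value for php.ini-style text.  Handles ';' comments,
    [section] headers and double-quoted values; enough for the directives
    checked here (a ';' inside a quoted value is not supported)."""
    directives = {}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        directives[key] = value.strip('"')
    return directives


def path_within(child, parent):
    """True if the normalised POSIX path `child` equals `parent` or lies
    below it ('..' segments are collapsed first)."""
    child = posixpath.normpath(child)
    parent = posixpath.normpath(parent)
    return child == parent or child.startswith(parent.rstrip("/") + "/")


def wsdl_cache_dir_within_open_basedir(ini_text):
    """Return (ok, reason) for the open_basedir / soap.wsdl_cache_dir pair."""
    d = parse_ini_directives(ini_text)
    basedir = d.get("open_basedir", "")
    if not basedir:
        return True, "open_basedir is not set, so there is no sandbox to escape"
    if d.get("soap.wsdl_cache_enabled", "1") in ("0", "Off", "off", ""):
        return True, "WSDL caching is disabled, so no cache file is written"
    cache_dir = d.get("soap.wsdl_cache_dir", "/tmp")  # PHP's built-in default
    if any(path_within(cache_dir, p) for p in basedir.split(":") if p):
        return True, "soap.wsdl_cache_dir %s lies inside open_basedir" % cache_dir
    return False, "soap.wsdl_cache_dir %s lies outside open_basedir %s" % (
        cache_dir, basedir)


def wsdl_external_entities(xml_bytes):
    """Return the names of entities declared with a SYSTEM or PUBLIC id.

    expat reports every <!ENTITY> declaration through EntityDeclHandler.  No
    ExternalEntityRefHandler is installed, so a reference to an external
    entity is skipped rather than fetched: the document is inspected without
    touching anything outside it."""
    found = []
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found.append(name)

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)
    return found


if __name__ == "__main__":
    for label, ini in (("bad", SAMPLE_PHP_INI_BAD), ("good", SAMPLE_PHP_INI_GOOD)):
        ok, reason = wsdl_cache_dir_within_open_basedir(ini)
        print("php.ini (%s): %s: %s" % (label, "OK" if ok else "FAIL", reason))
    for label, wsdl in (("xxe", SAMPLE_WSDL_XXE), ("clean", SAMPLE_WSDL_CLEAN)):
        print("wsdl (%s): external entities %r" % (label, wsdl_external_entities(wsdl)))
```

On a real host, point the first check at the effective configuration (the output of `php -i` or the loaded ini files) rather than a single file, since open_basedir can be set per virtual host; a non-empty list from the second check is reason to reject the WSDL before any SOAP client, patched or not, parses it.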



Copyright © 2013, Eklektix, Inc.