-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:115
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : php
 Date    : June 10, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated php packages fix security vulnerabilities:

 A flaw was found in the way file's Composite Document Files (CDF)
 format parser handled CDF files with many summary info entries. The
 cdf_unpack_summary_info() function unnecessarily repeatedly read the
 info from the same offset. This led to many file_printf() calls in
 cdf_file_property_info(), which caused file to use an excessive amount
 of CPU time when parsing a specially-crafted CDF file (CVE-2014-0237).

 A flaw was found in the way file parsed property information from
 Composite Document Files (CDF) files. A property entry with 0 elements
 triggers an infinite loop (CVE-2014-0238).

 PHP contains a bundled copy of the file utility's libmagic library,
 so it was vulnerable to this issue.

 It has been updated to the 5.5.13 version, which fixes this issue and
 several other bugs.

 Additionally, php-apc has been rebuilt against the updated php packages.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238
 http://advisories.mageia.org/MGASA-2014-0258.html
 http://www.php.net/ChangeLog-5.php#5.5.13
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFTlsPomqjQ0CJFipgRAg1qAJ0YBZob4nXqZms0MkA/1T74J2VLYgCfRsp6
cJwFAWk8ttlBXch5pCInVCs=
=1IOZ
-----END PGP SIGNATURE-----
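
An added illustration of the CVE-2014-0238 failure class described in the advisory, not code from the advisory, PHP or libmagic: a table walk whose position advances by each entry's declared element count stalls on a count of 0, and the hardened variant rejects such entries. The table layout, function names and step budget are assumptions made for this model, and the tables are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { PARSE_OK = 0, PARSE_MALFORMED = -1, PARSE_BUDGET_EXCEEDED = -2 };

/* Constructed tables (hypothetical layout): slot i holds the element count of
 * the entry starting at slot i; an entry occupies that many slots. */
static const uint32_t GOOD_TABLE[6] = {2, 9, 3, 9, 9, 1};  /* 3 entries */
static const uint32_t BAD_TABLE[6]  = {2, 9, 0, 9, 9, 1};  /* 2nd entry: 0 elements */

/* Unhardened walk: the position advances only by the declared count, so a
 * count of 0 makes no progress. max_steps exists only so this demo returns. */
int walk_unchecked(const uint32_t *counts, size_t nslots, size_t max_steps, size_t *entries)
{
    size_t pos = 0, steps = 0;
    *entries = 0;
    while (pos < nslots) {
        if (++steps > max_steps)
            return PARSE_BUDGET_EXCEEDED;   /* would spin forever otherwise */
        pos += counts[pos];
        (*entries)++;
    }
    return PARSE_OK;
}

/* Hardened walk: reject a zero count and a count that runs past the table, so
 * every iteration advances by at least one slot and the loop must end. */
int walk_checked(const uint32_t *counts, size_t nslots, size_t *entries)
{
    size_t pos = 0;
    *entries = 0;
    while (pos < nslots) {
        uint32_t n = counts[pos];
        if (n == 0 || n > nslots - pos)
            return PARSE_MALFORMED;
        pos += n;
        (*entries)++;
    }
    return PARSE_OK;
}

int main(void)
{
    size_t n;
    printf("bad/unchecked: %d\n", walk_unchecked(BAD_TABLE, 6, 1000, &n));
    printf("bad/checked:   %d\n", walk_checked(BAD_TABLE, 6, &n));
    return 0;
}
```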