From Mageia wiki

MGASA-2013-0101

Date: April 2nd, 2013
Affected releases: 2
Media: Core


Description:
Multiple vulnerabilities have been discovered and corrected in php:

ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not
validate the relationship between the soap.wsdl_cache_dir directive and
the open_basedir directive, which allows remote attackers to bypass
intended access restrictions by triggering the creation of cached SOAP
WSDL files in an arbitrary directory (CVE-2013-1635).
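The missing check behind CVE-2013-1635 is that the SOAP cache directory was never validated against open_basedir. The following is an added configuration-audit helper, not Mageia's or PHP's own code; it assumes the Unix form of open_basedir (entries separated by ":") and the php.ini default of /tmp for soap.wsdl_cache_dir, and it models open_basedir as a realpath prefix match on directory boundaries.

```python
import os
from typing import List, Optional

# Added example (not Mageia's or PHP's code): the containment check that
# PHP before 5.3.22 / 5.4.13 did not perform for soap.wsdl_cache_dir,
# written as a helper an operator can run against php.ini values.
# Assumption: Unix separator ':' for open_basedir entries.


def parse_open_basedir(value: str) -> List[str]:
    """Split an open_basedir value into normalised absolute directories."""
    return [os.path.realpath(p) for p in value.split(":") if p.strip()]


def is_inside(path: str, base: str) -> bool:
    """True when path is base itself or lies below it (symlinks resolved).

    Appending '/' to the base prevents the prefix trick where
    /srv/site-evil would otherwise match a base of /srv/site.
    """
    path = os.path.realpath(path)
    base = os.path.realpath(base)
    return path == base or path.startswith(base.rstrip("/") + "/")


def wsdl_cache_dir_allowed(cache_dir: Optional[str], open_basedir: str) -> bool:
    """Return True if soap.wsdl_cache_dir is permitted under open_basedir.

    An empty open_basedir means no restriction is configured, so any
    cache directory is acceptable by definition.  Otherwise the cache
    directory must lie under at least one of the allowed prefixes.
    """
    bases = parse_open_basedir(open_basedir)
    if not bases:
        return True
    # php.ini default for soap.wsdl_cache_dir when the directive is unset
    cache_dir = cache_dir or "/tmp"
    return any(is_inside(cache_dir, b) for b in bases)
```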

The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.13 allows remote
attackers to read arbitrary files via a SOAP WSDL file containing an XML
external entity declaration in conjunction with an entity reference,
related to an XML External Entity (XXE) issue in the soap_xmlParseFile and
soap_xmlParseMemory functions (CVE-2013-1643).
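A deployment that cannot upgrade immediately can refuse WSDL documents that declare external entities before they reach the SOAP client. The scanner below is an added example, not code from Mageia or PHP; it uses Python's expat binding, which does not resolve external entities unless a handler is installed, so the untrusted document is only inspected, never dereferenced. The two WSDL samples are constructed for the test and use a non-routable placeholder URI.

```python
import xml.parsers.expat
from typing import List

# Added example, not from Mageia or PHP: pre-scan a WSDL for the construct
# behind CVE-2013-1643 (an external entity declaration plus a reference).
# Expat only reports the declaration here; nothing is fetched.


def find_external_entities(wsdl_bytes: bytes) -> List[str]:
    """Return the names of external (SYSTEM/PUBLIC) entities in the DTD."""
    found: List[str] = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones carry a
        # system identifier (URI) and no value.
        if system_id is not None:
            found.append(name)

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(wsdl_bytes, True)
    return found


def wsdl_is_safe_to_load(wsdl_bytes: bytes) -> bool:
    """Policy: a WSDL must declare no external entities and must parse."""
    try:
        return not find_external_entities(wsdl_bytes)
    except xml.parsers.expat.ExpatError:
        return False  # malformed input is refused as well


# Constructed sample inputs (not taken from any real service).
CLEAN_WSDL = b"""<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="Echo">
  <message name="EchoRequest"/>
</definitions>
"""

XXE_WSDL = b"""<?xml version="1.0"?>
<!DOCTYPE definitions [
  <!ENTITY ext SYSTEM "http://example.invalid/external.xml">
]>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="Echo">
  <message name="EchoRequest">&ext;</message>
</definitions>
"""
```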

Backported upstream php bug #61930: "openssl corrupts ssl key resource when
using openssl_get_publickey()" to php-5.3.x.

The new "Powered by Mageia" logo has been added to php; this is only a
cosmetic change.

The authentication logic in the APC admin script shipped in the
php-apc-admin package was flawed. If you had previously enabled
authentication by setting a password in the /var/www/php-apc/index.php file,
that change would be lost on a future update of the package. If the
authentication mechanism was not used, local users could access features
they should not have had access to. This has been addressed by introducing
a new /etc/php-apc/config.php configuration file that holds the
authentication credentials and other settings in a safer, more secure and
update-friendly way.

The owner of the system (the root user or equivalent) has to examine the
/etc/php-apc/config.php file for the login name and password. A strong
password is generated automatically on new installs.

The php-timezonedb package has been updated to the 2013.2 version.

The updated packages have been upgraded to the 5.3.23 version which is not
vulnerable to these issues.

Additionally, some packages that require it have been rebuilt against
php-5.3.23.


Updated Packages:
i586:
apache-mod_php-5.3.23-1.mga2.i586.rpm
libphp5_common5-5.3.23-1.mga2.i586.rpm
php-bcmath-5.3.23-1.mga2.i586.rpm
php-bz2-5.3.23-1.mga2.i586.rpm
php-calendar-5.3.23-1.mga2.i586.rpm
php-cgi-5.3.23-1.mga2.i586.rpm
php-cli-5.3.23-1.mga2.i586.rpm
php-ctype-5.3.23-1.mga2.i586.rpm
php-curl-5.3.23-1.mga2.i586.rpm
php-dba-5.3.23-1.mga2.i586.rpm
php-devel-5.3.23-1.mga2.i586.rpm
php-dom-5.3.23-1.mga2.i586.rpm
php-enchant-5.3.23-1.mga2.i586.rpm
php-exif-5.3.23-1.mga2.i586.rpm
php-fileinfo-5.3.23-1.mga2.i586.rpm
php-filter-5.3.23-1.mga2.i586.rpm
php-fpm-5.3.23-1.mga2.i586.rpm
php-ftp-5.3.23-1.mga2.i586.rpm
php-gd-5.3.23-1.mga2.i586.rpm
php-gettext-5.3.23-1.mga2.i586.rpm
php-gmp-5.3.23-1.mga2.i586.rpm
php-hash-5.3.23-1.mga2.i586.rpm
php-iconv-5.3.23-1.mga2.i586.rpm
php-imap-5.3.23-1.mga2.i586.rpm
php-ini-5.3.23-1.mga2.i586.rpm
php-intl-5.3.23-1.mga2.i586.rpm
php-json-5.3.23-1.mga2.i586.rpm
php-ldap-5.3.23-1.mga2.i586.rpm
php-mbstring-5.3.23-1.mga2.i586.rpm
php-mcrypt-5.3.23-1.mga2.i586.rpm
php-mssql-5.3.23-1.mga2.i586.rpm
php-mysql-5.3.23-1.mga2.i586.rpm
php-mysqli-5.3.23-1.mga2.i586.rpm
php-mysqlnd-5.3.23-1.mga2.i586.rpm
php-odbc-5.3.23-1.mga2.i586.rpm
php-openssl-5.3.23-1.mga2.i586.rpm
php-pcntl-5.3.23-1.mga2.i586.rpm
php-pdo-5.3.23-1.mga2.i586.rpm
php-pdo_dblib-5.3.23-1.mga2.i586.rpm
php-pdo_mysql-5.3.23-1.mga2.i586.rpm
php-pdo_odbc-5.3.23-1.mga2.i586.rpm
php-pdo_pgsql-5.3.23-1.mga2.i586.rpm
php-pdo_sqlite-5.3.23-1.mga2.i586.rpm
php-pgsql-5.3.23-1.mga2.i586.rpm
php-phar-5.3.23-1.mga2.i586.rpm
php-posix-5.3.23-1.mga2.i586.rpm
php-readline-5.3.23-1.mga2.i586.rpm
php-recode-5.3.23-1.mga2.i586.rpm
php-session-5.3.23-1.mga2.i586.rpm
php-shmop-5.3.23-1.mga2.i586.rpm
php-snmp-5.3.23-1.mga2.i586.rpm
php-soap-5.3.23-1.mga2.i586.rpm
php-sockets-5.3.23-1.mga2.i586.rpm
php-sqlite3-5.3.23-1.mga2.i586.rpm
php-sqlite-5.3.23-1.mga2.i586.rpm
php-sybase_ct-5.3.23-1.mga2.i586.rpm
php-sysvmsg-5.3.23-1.mga2.i586.rpm
php-sysvsem-5.3.23-1.mga2.i586.rpm
php-sysvshm-5.3.23-1.mga2.i586.rpm
php-tidy-5.3.23-1.mga2.i586.rpm
php-tokenizer-5.3.23-1.mga2.i586.rpm
php-wddx-5.3.23-1.mga2.i586.rpm
php-xml-5.3.23-1.mga2.i586.rpm
php-xmlreader-5.3.23-1.mga2.i586.rpm
php-xmlrpc-5.3.23-1.mga2.i586.rpm
php-xmlwriter-5.3.23-1.mga2.i586.rpm
php-xsl-5.3.23-1.mga2.i586.rpm
php-zip-5.3.23-1.mga2.i586.rpm
php-zlib-5.3.23-1.mga2.i586.rpm
php-debug-5.3.23-1.mga2.i586.rpm
php-firebird-5.3.23-1.mga2.i586.rpm
php-firebird-debug-5.3.23-1.mga2.i586.rpm
php-gd-bundled-5.3.23-1.mga2.i586.rpm
php-gd-bundled-debug-5.3.23-1.mga2.i586.rpm
php-pdo_firebird-5.3.23-1.mga2.i586.rpm
php-pdo_firebird-debug-5.3.23-1.mga2.i586.rpm
php-apc-3.1.13-1.7.mga2.i586.rpm
php-apc-admin-3.1.13-1.7.mga2.i586.rpm
php-apc-debug-3.1.13-1.7.mga2.i586.rpm
php-eaccelerator-0.9.6.1-10.9.mga2.i586.rpm
php-eaccelerator-admin-0.9.6.1-10.9.mga2.i586.rpm
php-eaccelerator-debug-0.9.6.1-10.9.mga2.i586.rpm
php-timezonedb-2013.2-1.mga2.i586.rpm
php-timezonedb-debug-2013.2-1.mga2.i586.rpm

x86_64:
apache-mod_php-5.3.23-1.mga2.x86_64.rpm
lib64php5_common5-5.3.23-1.mga2.x86_64.rpm
php-bcmath-5.3.23-1.mga2.x86_64.rpm
php-bz2-5.3.23-1.mga2.x86_64.rpm
php-calendar-5.3.23-1.mga2.x86_64.rpm
php-cgi-5.3.23-1.mga2.x86_64.rpm
php-cli-5.3.23-1.mga2.x86_64.rpm
php-ctype-5.3.23-1.mga2.x86_64.rpm
php-curl-5.3.23-1.mga2.x86_64.rpm
php-dba-5.3.23-1.mga2.x86_64.rpm
php-devel-5.3.23-1.mga2.x86_64.rpm
php-dom-5.3.23-1.mga2.x86_64.rpm
php-enchant-5.3.23-1.mga2.x86_64.rpm
php-exif-5.3.23-1.mga2.x86_64.rpm
php-fileinfo-5.3.23-1.mga2.x86_64.rpm
php-filter-5.3.23-1.mga2.x86_64.rpm
php-fpm-5.3.23-1.mga2.x86_64.rpm
php-ftp-5.3.23-1.mga2.x86_64.rpm
php-gd-5.3.23-1.mga2.x86_64.rpm
php-gettext-5.3.23-1.mga2.x86_64.rpm
php-gmp-5.3.23-1.mga2.x86_64.rpm
php-hash-5.3.23-1.mga2.x86_64.rpm
php-iconv-5.3.23-1.mga2.x86_64.rpm
php-imap-5.3.23-1.mga2.x86_64.rpm
php-ini-5.3.23-1.mga2.x86_64.rpm
php-intl-5.3.23-1.mga2.x86_64.rpm
php-json-5.3.23-1.mga2.x86_64.rpm
php-ldap-5.3.23-1.mga2.x86_64.rpm
php-mbstring-5.3.23-1.mga2.x86_64.rpm
php-mcrypt-5.3.23-1.mga2.x86_64.rpm
php-mssql-5.3.23-1.mga2.x86_64.rpm
php-mysql-5.3.23-1.mga2.x86_64.rpm
php-mysqli-5.3.23-1.mga2.x86_64.rpm
php-mysqlnd-5.3.23-1.mga2.x86_64.rpm
php-odbc-5.3.23-1.mga2.x86_64.rpm
php-openssl-5.3.23-1.mga2.x86_64.rpm
php-pcntl-5.3.23-1.mga2.x86_64.rpm
php-pdo-5.3.23-1.mga2.x86_64.rpm
php-pdo_dblib-5.3.23-1.mga2.x86_64.rpm
php-pdo_mysql-5.3.23-1.mga2.x86_64.rpm
php-pdo_odbc-5.3.23-1.mga2.x86_64.rpm
php-pdo_pgsql-5.3.23-1.mga2.x86_64.rpm
php-pdo_sqlite-5.3.23-1.mga2.x86_64.rpm
php-pgsql-5.3.23-1.mga2.x86_64.rpm
php-phar-5.3.23-1.mga2.x86_64.rpm
php-posix-5.3.23-1.mga2.x86_64.rpm
php-readline-5.3.23-1.mga2.x86_64.rpm
php-recode-5.3.23-1.mga2.x86_64.rpm
php-session-5.3.23-1.mga2.x86_64.rpm
php-shmop-5.3.23-1.mga2.x86_64.rpm
php-snmp-5.3.23-1.mga2.x86_64.rpm
php-soap-5.3.23-1.mga2.x86_64.rpm
php-sockets-5.3.23-1.mga2.x86_64.rpm
php-sqlite3-5.3.23-1.mga2.x86_64.rpm
php-sqlite-5.3.23-1.mga2.x86_64.rpm
php-sybase_ct-5.3.23-1.mga2.x86_64.rpm
php-sysvmsg-5.3.23-1.mga2.x86_64.rpm
php-sysvsem-5.3.23-1.mga2.x86_64.rpm
php-sysvshm-5.3.23-1.mga2.x86_64.rpm
php-tidy-5.3.23-1.mga2.x86_64.rpm
php-tokenizer-5.3.23-1.mga2.x86_64.rpm
php-wddx-5.3.23-1.mga2.x86_64.rpm
php-xml-5.3.23-1.mga2.x86_64.rpm
php-xmlreader-5.3.23-1.mga2.x86_64.rpm
php-xmlrpc-5.3.23-1.mga2.x86_64.rpm
php-xmlwriter-5.3.23-1.mga2.x86_64.rpm
php-xsl-5.3.23-1.mga2.x86_64.rpm
php-zip-5.3.23-1.mga2.x86_64.rpm
php-zlib-5.3.23-1.mga2.x86_64.rpm
php-debug-5.3.23-1.mga2.x86_64.rpm
php-firebird-5.3.23-1.mga2.x86_64.rpm
php-firebird-debug-5.3.23-1.mga2.x86_64.rpm
php-gd-bundled-5.3.23-1.mga2.x86_64.rpm
php-gd-bundled-debug-5.3.23-1.mga2.x86_64.rpm
php-pdo_firebird-5.3.23-1.mga2.x86_64.rpm
php-pdo_firebird-debug-5.3.23-1.mga2.x86_64.rpm
php-apc-3.1.13-1.7.mga2.x86_64.rpm
php-apc-admin-3.1.13-1.7.mga2.x86_64.rpm
php-apc-debug-3.1.13-1.7.mga2.x86_64.rpm
php-eaccelerator-0.9.6.1-10.9.mga2.x86_64.rpm
php-eaccelerator-admin-0.9.6.1-10.9.mga2.x86_64.rpm
php-eaccelerator-debug-0.9.6.1-10.9.mga2.x86_64.rpm
php-timezonedb-2013.2-1.mga2.x86_64.rpm
php-timezonedb-debug-2013.2-1.mga2.x86_64.rpm

SRPMS:
php-5.3.23-1.mga2.src.rpm
php-firebird-5.3.23-1.mga2.src.rpm
php-gd-bundled-5.3.23-1.mga2.src.rpm
php-pdo_firebird-5.3.23-1.mga2.src.rpm
php-apc-3.1.13-1.7.mga2.src.rpm
php-eaccelerator-0.9.6.1-10.9.mga2.src.rpm
php-timezonedb-2013.2-1.mga2.src.rpm


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1635
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1643
http://www.php.net/ChangeLog-5.php#5.3.20
http://www.php.net/ChangeLog-5.php#5.3.21
http://www.php.net/ChangeLog-5.php#5.3.22
http://www.php.net/ChangeLog-5.php#5.3.23
https://bugs.php.net/bug.php?id=61930
https://bugs.mageia.org/show_bug.cgi?id=8489