MGASA-2014-0324

Advisory lineage Upstream: 3 Downstream: 0
Published: 08 Aug 2014, 11:23
Last modified: 16 Apr 2026, 06:22

Vulnerability Summary

Overall Risk (default): minimal (0/100)
CVSS Score: No data
EPSS Score: No data
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

08 Aug 2014, 11:23: Published (vulnerability first disclosed)
16 Apr 2026, 06:22: Last Modified (vulnerability information updated)

Description

Updated php packages fix security vulnerabilities:

Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments (CVE-2014-4698).

Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments (CVE-2014-4670).

file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule, due to an incomplete fix for CVE-2013-7345 (CVE-2014-3538).

The php packages have been updated to 5.4.31 for Mageia 3 and 5.5.14 for Mageia 4, and additional patches have been added to fix these issues and several other bugs.

Also, php-apc has been rebuilt against the updated PHP versions and the php-timezonedb package has been updated to the latest version, 2014.5.

Additionally, the jsonc extension has been upgraded to the 1.3.6 version.

Affected Systems

  • mageia php: < 5.4.31-1.2.mga3
  • mageia php-apc: < 3.1.14-7.11.mga3
  • mageia php-gd-bundled: < 5.4.31-1.mga3
  • mageia php-timezonedb: < 2014.5-1.mga3
  • mageia php: < 5.5.15-1.1.mga4
  • mageia php-apc: < 3.1.15-4.6.mga4
  • mageia php-timezonedb: < 2014.5-1.mga4

References (7)