PHP versions before 5.6.33 in the 5.6 series, 7.0.27 in the 7.0 series, 7.1.13 in the 7.1 series and 7.2.1 in the 7.2 series have 2 Denial of Service bugs.

04 Jan 2018

GD: Fixed bug https://bugs.php.net/bug.php?id=75571 (Potential infinite loop in gdImageCreateFromGifCtx).
Phar: Fixed bug https://bugs.php.net/bug.php?id=74782 (Reflected XSS in .phar 404 page).

Arches please test and mark stable the noted versions
x86 stable
sparc stable (thanks to Rolf Eike Beer)
amd64 stable
ppc/ppc64 stable
hppa stable
ia64 stable
Stable on alpha.
arm stable, all arches done.
@php, please clean the vulnerable versions.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcfe61770cdb79778b192326d7dec09a4c7ee4ec

commit bcfe61770cdb79778b192326d7dec09a4c7ee4ec
Author: Brian Evans <grknight@gentoo.org>
AuthorDate: 2018-02-06 13:52:42 +0000
Commit: Brian Evans <grknight@gentoo.org>
CommitDate: 2018-02-06 13:52:42 +0000

dev-lang/php: Drop old vulnerable versions

Bug: https://bugs.gentoo.org/643564
Package-Manager: Portage-2.3.24, Repoman-2.3.6

dev-lang/php/Manifest | 2 -
dev-lang/php/php-5.6.32.ebuild | 771 -----------------------------------------
dev-lang/php/php-7.0.25.ebuild | 739 ---------------------------------------
3 files changed, 1512 deletions(-)}
(In reply to Larry the Git Cow from comment #10)
> The bug has been referenced in the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcfe61770cdb79778b192326d7dec09a4c7ee4ec
>
> commit bcfe61770cdb79778b192326d7dec09a4c7ee4ec
> Author: Brian Evans <grknight@gentoo.org>
> AuthorDate: 2018-02-06 13:52:42 +0000
> Commit: Brian Evans <grknight@gentoo.org>
> CommitDate: 2018-02-06 13:52:42 +0000
>
> dev-lang/php: Drop old vulnerable versions
>
> Bug: https://bugs.gentoo.org/643564
> Package-Manager: Portage-2.3.24, Repoman-2.3.6
>
> dev-lang/php/Manifest | 2 -
> dev-lang/php/php-5.6.32.ebuild | 771 -----------------------------------------
> dev-lang/php/php-7.0.25.ebuild | 739 ---------------------------------------
> 3 files changed, 1512 deletions(-)}

Thank you, Brian!

GLSA Vote: No