Bug 555830

Summary:	<dev-lang/php-{5.4.43,5.5.27,5.6.11}: BACKRONYM / mysql tls stripping and other vulns (CVE-2015-3152)
Product:	Gentoo Security	Reporter:	Hanno Böck <hanno>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	hydrapolic, php-bugs
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B4 [glsa]
Package list:		Runtime testing required:	---

Description Hanno Böck gentoo-dev

2015-07-24 22:25:32 UTC

The latest batch of PHP releases (5.4.43, 5.5.27, 5.6.11) all fix security vulns. CVE-2015-3152 affects all of them (also known as BACKRONYM, TLS stripping for mysql connections, which was originally found in libmysql, but affects PHP's mysqlnd in the same way).

The 5.6.11 release notes mention 5 security fixes, from the changelog these look like security:
Fixed bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()).
Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error).
Fixed bug #69970 (Use-after-free vulnerability in spl_recursive_it_move_forward_ex()).
Fixed bug #69864 (Segfault in preg_replace_callback).

5.5.43 and 5.5.27 also fix CVE-2015-{5589,5590}, these are not in 5.6, they are already tracked in #555576.

All fixed versions are already in the tree, can we proceed with stabilization?

Comment 1 Michael Orlitzky gentoo-dev

2015-11-19 01:37:27 UTC

The new versions are all stable and the old ones have been removed.

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2016-02-20 04:03:06 UTC

All packages in the tree have fixes for this vulnerability.  Please advise on GLSA.

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2016-02-24 12:39:49 UTC

Added to GLSA cc9dae4d6.

Comment 4 GLSAMaker/CVETool Bot gentoo-dev

2016-06-19 00:27:19 UTC

This issue was resolved and addressed in
 GLSA 201606-10 at https://security.gentoo.org/glsa/201606-10
by GLSA coordinator Kristian Fiskerstrand (K_F).