PHP 5.3.29 is available, PHP 5.3 reaching end of life 14 Aug 2014 The PHP development team announces the immediate availability of PHP 5.3.29. This release marks the end of life of the PHP 5.3 series. Future releases of this series are not planned. All PHP 5.3 users are encouraged to upgrade to the current stable version of PHP 5.5 or previous stable version of PHP 5.4, which are supported till at least 2016 and 2015 respectively. PHP 5.3.29 contains about 25 potentially security related fixes backported from PHP 5.4 and 5.5. PHP-5.5.29 was just added to the tree.
Arches, please stabilize: =dev-lang/php-5.3.29 Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
amd64 stable
x86 stable
ia64 stable
ppc64 stable
ppc stable
alpha stable
arm stable
CVE-2014-4049 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4049): Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function. CVE-2014-3981 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3981): acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file. CVE-2014-3515 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3515): The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.
CVE-2014-5177 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5177): libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local users to read arbitrary files via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virDomainDefineXML, (2) virNetworkCreateXML, (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5) virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7) virDomainCreateXML, (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML, (10) virStorageVolCreateXMLFrom, (11) virConnectDomainXMLFromNative, (12) virConnectDomainXMLToNative, (13) virSecretDefineXML, (14) virNWFilterDefineXML, (15) virDomainSnapshotCreateXML, (16) virDomainSaveImageDefineXML, (17) virDomainCreateXMLWithFiles, (18) virConnectCompareCPU, or (19) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT from CVE-2014-0179 per ADT3 due to different affected versions of some vectors. CVE-2014-0238 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0238): The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long. CVE-2014-0237 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0237): The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.
CVE-2014-0207 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0207): The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.
sparc stable
Arches: Thank you for your work. We already have a GLSA draft for this. @maintainers: please clean up vulnerable versions
cleanup done
This issue was resolved and addressed in GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml by GLSA coordinator Kristian Fiskerstrand (K_F).