Bug 555830 - <dev-lang/php-{5.4.43,5.5.27,5.6.11}: BACKRONYM / mysql tls stripping and other vulns (CVE-2015-3152)
Summary: <dev-lang/php-{5.4.43,5.5.27,5.6.11}: BACKRONYM / mysql tls stripping and oth...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on:
Reported: 2015-07-24 22:25 UTC by Hanno Böck
Modified: 2016-06-19 00:27 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Hanno Böck gentoo-dev 2015-07-24 22:25:32 UTC
The latest batch of PHP releases (5.4.43, 5.5.27, 5.6.11) all fix security vulns. CVE-2015-3152 affects all of them (also known as BACKRONYM, TLS stripping for mysql connections, which was originally found in libmysql, but affects PHP's mysqlnd in the same way).

The 5.6.11 release notes mention 5 security fixes; from the changelog, these look like the security-relevant ones:
Fixed bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()).
Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error).
Fixed bug #69970 (Use-after-free vulnerability in spl_recursive_it_move_forward_ex()).
Fixed bug #69864 (Segfault in preg_replace_callback).

5.5.43 and 5.5.27 also fix CVE-2015-{5589,5590}; these are not in 5.6 and are already tracked in #555576.

All fixed versions are already in the tree, can we proceed with stabilization?
Comment 1 Michael Orlitzky gentoo-dev 2015-11-19 01:37:27 UTC
The new versions are all stable and the old ones have been removed.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-02-20 04:03:06 UTC
All packages in the tree have fixes for this vulnerability. Please advise on GLSA.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-02-24 12:39:49 UTC
Added to GLSA cc9dae4d6.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-06-19 00:27:19 UTC
This issue was resolved and addressed in
 GLSA 201606-10 at
by GLSA coordinator Kristian Fiskerstrand (K_F).