Bug 604776 (CVE-2016-9935) - <dev-lang/php-5.6.29: multiple vulnerabilities (CVE-2016-9935)
Summary: <dev-lang/php-5.6.29: multiple vulnerabilities (CVE-2016-9935)
Status: RESOLVED FIXED
Alias: CVE-2016-9935
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.php.net/ChangeLog-5.php#5....
Whiteboard: A3 [glsa cve blocked]
Keywords:
Depends on: CVE-2016-10158, CVE-2016-10159, CVE-2016-10160, CVE-2016-10161
Blocks:
Reported: 2017-01-05 18:15 UTC by Michael Orlitzky
Modified: 2017-02-21 00:33 UTC

See Also:
Package list:
=dev-lang/php-5.6.29 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
=dev-util/lcov-1.11 alpha hppa ia64 ppc64 sparc
Runtime testing required: Yes
mjo: sanity-check+


Description Michael Orlitzky gentoo-dev 2017-01-05 18:15:38 UTC
The fixed version php-5.6.29 is already in the tree. We only need to stabilize it and get rid of v5.6.28, so arches, please proceed.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-01-05 18:20:24 UTC
Version 5.6.29
08 Dec 2016

    Mysqlnd:
        Fixed bug #64526 (Add missing mysqlnd.* parameters to php.ini-*).
    Opcache:
        Fixed bug #73402 (Opcache segfault when using class constant to call a method).
        Fixed bug #69090 (check cached files permissions)
    OpenSSL:
        Fixed bug #72776 (Invalid parameter in memcpy function trough openssl_pbkdf2).
    Postgres:
        Fixed bug #73498 (Incorrect SQL generated for pg_copy_to()).
    SOAP:
        Fixed bug #73452 (Segfault (Regression for #69152)).
    SQLite3:
        Fixed bug #73530 (Unsetting result set may reset other result set).
    Standard:
        Fixed bug #73297 (HTTP stream wrapper should ignore HTTP 100 Continue).
    WDDX:
        Fixed bug #73631 (Invalid read when wddx decodes empty boolean element). (CVE-2016-9935)

##
Seems to be more than the one identified vulnerability, at least some DoS vectors
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2017-01-06 09:01:09 UTC
amd64 stable
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-06 12:50:47 UTC
This also requires dev-util/lcov on some arches.
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-06 13:36:47 UTC
Stable on alpha
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-10 15:26:15 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-11 10:54:09 UTC
sparc stable
Comment 7 Markus Meier gentoo-dev 2017-01-13 17:00:37 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-15 16:06:58 UTC
ppc stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-16 23:43:45 UTC
Stable for HPPA.
Comment 10 Agostino Sarubbo gentoo-dev 2017-01-17 14:41:48 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-18 10:06:13 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Michael Orlitzky gentoo-dev 2017-01-18 14:20:46 UTC
The vulnerable version has been removed.
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2017-01-18 23:06:12 UTC
GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2017-02-21 00:33:30 UTC
This issue was resolved and addressed in GLSA 201702-29 at https://security.gentoo.org/glsa/201702-29 by GLSA coordinator Thomas Deutschmann (whissi).