MGASA-2014-0324

Source
https://advisories.mageia.org/MGASA-2014-0324.html
Import Source
https://advisories.mageia.org/MGASA-2014-0324.json
JSON Data
https://api.test.osv.dev/v1/vulns/MGASA-2014-0324
Published
2014-08-08T11:23:49Z
Modified
2014-08-08T11:10:58Z
Summary
Updated php packages fix security vulnerabilities
Details

Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments (CVE-2014-4698).

Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments (CVE-2014-4670).

file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule, due to an incomplete fix for CVE-2013-7345 (CVE-2014-3538).

The php packages have been updated to 5.4.31 for Mageia 3 and 5.5.14 for Mageia 4, and additional patches have been added to fix these issues and several other bugs.

Also, php-apc has been rebuilt against the updated PHP versions and the php-timezonedb package has been updated to the latest version, 2014.5.

Additionally, the jsonc extension has been upgraded to the 1.3.6 version.

Affected packages

Mageia:4 / php

Package

Name
php
Purl
pkg:rpm/mageia/php?distro=mageia-4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.5.15-1.1.mga4

Ecosystem specific

{
    "section": "core"
}

Mageia:4 / php-apc

Package

Name
php-apc
Purl
pkg:rpm/mageia/php-apc?distro=mageia-4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.1.15-4.6.mga4

Ecosystem specific

{
    "section": "core"
}

Mageia:4 / php-timezonedb

Package

Name
php-timezonedb
Purl
pkg:rpm/mageia/php-timezonedb?distro=mageia-4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2014.5-1.mga4

Ecosystem specific

{
    "section": "core"
}

Mageia:3 / php

Package

Name
php
Purl
pkg:rpm/mageia/php?distro=mageia-3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.4.31-1.2.mga3

Ecosystem specific

{
    "section": "core"
}

Mageia:3 / php-apc

Package

Name
php-apc
Purl
pkg:rpm/mageia/php-apc?distro=mageia-3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.1.14-7.11.mga3

Ecosystem specific

{
    "section": "core"
}

Mageia:3 / php-gd-bundled

Package

Name
php-gd-bundled
Purl
pkg:rpm/mageia/php-gd-bundled?distro=mageia-3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.4.31-1.mga3

Ecosystem specific

{
    "section": "core"
}

Mageia:3 / php-timezonedb

Package

Name
php-timezonedb
Purl
pkg:rpm/mageia/php-timezonedb?distro=mageia-3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2014.5-1.mga3

Ecosystem specific

{
    "section": "core"
}