[SECURITY] Fedora 17 Update: php-5.4.13-1.fc17

updates at fedoraproject.org updates at fedoraproject.org
Wed Apr 3 04:38:44 UTC 2013


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-3927
2013-03-16 00:33:19
--------------------------------------------------------------------------------

Name        : php
Product     : Fedora 17
Version     : 5.4.13
Release     : 1.fc17
URL         : http://www.php.net/
Summary     : PHP scripting language for creating dynamic web sites
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated web pages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts.

The php package contains the module which adds support for the PHP
language to Apache HTTP Server.

--------------------------------------------------------------------------------
Update Information:

Upstream NEWS, 14 Mar 2012, PHP 5.4.13

Core:
* Fixed bug #64235 (Insteadof not work for class method in 5.4.11). (Laruence)
* Implemented FR #64175 (Added HTTP codes as of RFC 6585). (Jonh Wendell)
* Fixed bug #64142 (dval to lval different behavior on ppc64). (Remi)
* Fixed bug #64070 (Inheritance with Traits failed with error). (Dmitry)

CLI server:
* Fixed bug #64128 (buit-in web server is broken on ppc64). (Remi)

Mbstring:
* mb_split() can now handle empty matches like preg_split() does. (Moriyoshi)

OpenSSL:
* Fixed bug #61930 (openssl corrupts ssl key resource when using openssl_get_publickey()). (Stas)

PDO_mysql:
* Fixed bug #60840 (undefined symbol: mysqlnd_debug_std_no_trace_funcs). (Johannes)

Phar:
* Fixed timestamp update on Phar contents modification. (Dmitry)

SOAP:
* Added check that soap.wsdl_cache_dir conforms to open_basedir (CVE-2013-1635). (Dmitry)
* Disabled external entities loading (CVE-2013-1643). (Dmitry)

SPL:
* Fixed bug #64264 (SPLFixedArray toArray problem). (Laruence)
* Fixed bug #64228 (RecursiveDirectoryIterator always assumes SKIP_DOTS). (patch by kriss at krizalys.com, Laruence)
* Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended). (Nikita Popov)
* Fixed bug #52861 (unset fails with ArrayObject and deep arrays). (Mike Willbanks)

SNMP:
* Fixed bug #64124 (IPv6 malformed). (Boris Lytochkin)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Mar 14 2013 Remi Collet <rcollet at redhat.com> 5.4.13-1
- update to 5.4.13
- security fix for CVE-2013-1643
- Hardened build (links with -z now option)
- Remove %config from %{_sysconfdir}/rpm/macros.*
  (https://fedorahosted.org/fpc/ticket/259).
* Wed Feb 20 2013 Remi Collet <remi at fedoraproject.org> 5.4.12-1
- update to 5.4.12
- security fix for CVE-2013-1635
- enable tokyocabinet dba handler
- upstream patch (5.4.13) to fix dval to lval conversion
  https://bugs.php.net/64142
- upstream patch (5.4.13) for 2 failed tests
- fix buit-in web server on ppc64 (fdset usage)
  https://bugs.php.net/64128
* Wed Jan 16 2013 Remi Collet <rcollet at redhat.com> 5.4.11-1
- update to 5.4.11
* Wed Dec 19 2012 Remi Collet <rcollet at redhat.com> 5.4.10-1
- update to 5.4.10
- remove patches merged upstream
* Tue Dec 11 2012 Remi Collet <rcollet at redhat.com> 5.4.9-3
- drop "Configure Command" from phpinfo output
* Tue Dec 11 2012 Joe Orton <jorton at redhat.com> - 5.4.9-2
- prevent php_config.h changes across (otherwise identical) rebuilds
* Thu Nov 22 2012 Remi Collet <rcollet at redhat.com> 5.4.9-1
- update to 5.4.9
- switch back to upstream generated scanner/parser
- use _httpd_contentdir macro and fix php.gif path
- improve system libzip patch to use pkg-config
- use _httpd_moddir macro
- apply ldap_r patch on fedora >= 18 only
* Fri Nov  9 2012 Remi Collet <rcollet at redhat.com> 5.4.8-6
- clarify Licenses
- missing provides xmlreader and xmlwriter
- modernize spec
- change php embedded library soname version to 5.4
* Tue Nov  6 2012 Remi Collet <rcollet at redhat.com> 5.4.8-5
- fix _httpd_mmn macro definition
* Mon Nov  5 2012 Remi Collet <rcollet at redhat.com> 5.4.8-4
- fix mysql_sock macro definition
* Thu Oct 25 2012 Remi Collet <rcollet at redhat.com> 5.4.8-3
- fix installed headers
* Tue Oct 23 2012 Joe Orton <jorton at redhat.com> - 5.4.8-2
- use libldap_r for ldap extension
* Thu Oct 18 2012 Remi Collet <remi at fedoraproject.org> 5.4.8-1
- update to 5.4.8
- define both session.save_handler and session.save_path
- fix possible segfault in libxml (#828526)
- php-fpm: create apache user if needed
- use SKIP_ONLINE_TEST during make test
- php-devel requires pcre-devel and php-cli (instead of php)
* Fri Oct  5 2012 Remi Collet <remi at fedoraproject.org> 5.4.7-11
- provides php-phar
- update systzdata patch to v10, timezone are case insensitive
* Mon Oct  1 2012 Remi Collet <remi at fedoraproject.org> 5.4.7-10
- fix typo in systemd macro
* Mon Oct  1 2012 Remi Collet <remi at fedoraproject.org> 5.4.7-9
- php-fpm: new systemd macros (#850268)
- php-fpm: add upstream patch for startup issue (#846858)
* Fri Sep 28 2012 Remi Collet <rcollet at redhat.com> 5.4.7-8
- systemd integration, https://bugs.php.net/63085
- no odbc call during timeout, https://bugs.php.net/63171
- check sqlite3_column_table_name, https://bugs.php.net/63149
* Mon Sep 24 2012 Remi Collet <rcollet at redhat.com> 5.4.7-7
- most failed tests explained (i386, x86_64)
* Wed Sep 19 2012 Remi Collet <rcollet at redhat.com> 5.4.7-6
- fix for http://bugs.php.net/63126 (#783967)
* Wed Sep 19 2012 Remi Collet <rcollet at redhat.com> 5.4.7-5
- patch to ensure we use latest libdb (not libdb4)
* Wed Sep 19 2012 Remi Collet <rcollet at redhat.com> 5.4.7-4
- really fix rhel tests (use libzip and libdb)
* Tue Sep 18 2012 Remi Collet <rcollet at redhat.com> 5.4.7-3
- fix test to enable zip extension on RHEL-7
* Fri Sep 14 2012 Remi Collet <remi at fedoraproject.org> 5.4.7-1
- update to 5.4.7
  http://www.php.net/releases/5_4_7.php
* Mon Aug 20 2012 Remi Collet <remi at fedoraproject.org> 5.4.6-2
- enable php-fpm on secondary arch (#849490)
* Fri Aug 17 2012 Remi Collet <remi at fedoraproject.org> 5.4.6-1
- update to 5.4.6
- update to v9 of systzdata patch
- backport fix for new libxml
* Fri Jul 20 2012 Remi Collet <remi at fedoraproject.org> 5.4.5-1
- update to 5.4.5
* Mon Jul  2 2012 Remi Collet <remi at fedoraproject.org> 5.4.4-4
- also provide php(language)%{_isa}
- define %{php_version}
* Mon Jul  2 2012 Remi Collet <remi at fedoraproject.org> 5.4.4-3
- drop BR for libevent (#835671)
- provide php(language) to allow version check
* Thu Jun 21 2012 Remi Collet <remi at fedoraproject.org> 5.4.4-2
- add missing provides (core, ereg, filter, standard)
* Thu Jun 14 2012 Remi Collet <remi at fedoraproject.org> 5.4.4-1
- update to 5.4.4 (CVE-2012-2143, CVE-2012-2386)
- use /usr/lib/tmpfiles.d instead of /etc/tmpfiles.d
- use /run/php-fpm instead of /var/run/php-fpm
* Wed May  9 2012 Remi Collet <remi at fedoraproject.org> 5.4.3-1
- update to 5.4.3 (CVE-2012-2311, CVE-2012-2329)
* Thu May  3 2012 Remi Collet <remi at fedoraproject.org> 5.4.2-1
- update to 5.4.2 (CVE-2012-1823)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #918187 - CVE-2013-1643 php: Ability to read arbitrary files due use of external entities while parsing SOAP WSDL files
        https://bugzilla.redhat.com/show_bug.cgi?id=918187
  [ 2 ] Bug #918196 - CVE-2013-1635 php, php53: Arbitrary locations file write due absent validation of soap.wsdl_cache_dir configuration directive value
        https://bugzilla.redhat.com/show_bug.cgi?id=918196
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update php' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


More information about the package-announce mailing list