
Security vulnerability in the php software package

  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LFE

Fedora Update Notification
2014-05-03 19:14:19

Name : php
Product : Fedora 20
Version : 5.5.12
Release : 1.fc20
Summary : PHP scripting language for creating dynamic web sites
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated web pages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts.

The php package contains the module (often referred to as mod_php)
which adds support for the PHP language to Apache HTTP Server.

Update Information:

Notice: to fix CVE-2014-0185, this version changes the default permission of the php-fpm Unix domain socket to 660 (instead of 666). Check your configuration if php-fpm uses a UDS (the default configuration uses a network socket).
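A configuration check for the notice above, written here as an added example and not part of the Fedora notification: it parses php-fpm pool files with Python's configparser and reports Unix-socket pools whose effective listen.mode leaves the socket writable by other local users, using the build's default (666 before 5.5.12, 660 from 5.5.12 on) when listen.mode is unset. The pool file it inspects is constructed for the example.

```python
"""Flag php-fpm pools whose Unix domain socket any local user can write to.
Added example for the CVE-2014-0185 notice; the pool config is constructed."""
import configparser
import stat

# Constructed pool file covering the cases the notice distinguishes.
SAMPLE_CONF = """
[global]
pid = /run/php-fpm/php-fpm.pid
; network socket: file permissions do not apply
[www]
listen = 127.0.0.1:9000
; explicit 0666: every local user may connect and submit FastCGI requests
[legacy]
listen = /run/php-fpm/legacy.sock
listen.mode = 0666
; listen.mode unset: effective mode is whatever the build defaults to
[default]
listen = /run/php-fpm/default.sock
listen.owner = apache
listen.group = apache
; the value 5.5.12 adopts as its default
[hardened]
listen = /run/php-fpm/hardened.sock
listen.mode = 0660
"""

def is_unix_socket(listen):
    # php-fpm's rule: an address containing ':' or made only of digits is
    # TCP; anything else is a filesystem path for a Unix domain socket.
    return ":" not in listen and not listen.isdigit()

def audit_pools(conf_text, default_mode=0o666):
    """Return {pool: effective mode} for Unix-socket pools writable by 'other'.
    default_mode is the fallback for an unset listen.mode: 0o666 before
    php-fpm 5.5.12, 0o660 from 5.5.12 on."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(conf_text)
    findings = {}
    for pool in cp.sections():
        listen = cp.get(pool, "listen", fallback="").strip()
        if pool == "global" or not listen or not is_unix_socket(listen):
            continue
        mode = int(cp.get(pool, "listen.mode", fallback=f"{default_mode:o}"), 8)
        # connect() on a Unix socket requires write permission on the socket file
        if mode & stat.S_IWOTH:
            findings[pool] = mode
    return findings
```

Run against a real installation by reading /etc/php-fpm.conf and the files it includes; a pool listed for a pre-5.5.12 default is fixed by setting listen.mode = 0660 (and listen.owner/listen.group to the web server account) or by upgrading.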

Upstream Changelog: 01 May 2014, PHP 5.5.12
* Fixed bug #61019 (Out of memory on command stream_get_contents). (Mike)
* Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets). (Mike)
* Fixed bug #66182 (exit in stream filter produces segfault). (Mike)
* Fixed bug #66736 (fpassthru broken). (Mike)
* Fixed bug #67024 (getimagesize should recognize BMP files with negative height). (Gabor Buella)
* Fixed bug #67043 (substr_compare broke by previous change). (Tjerk)
* Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent). (Freek Lijten)
* Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied). (Boro Sitnikovski)
* Fixed bug #65715 (php5embed.lib isn't provided anymore). (Anatol)
* Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian). (Remi)
* Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf).
* Fixed bug #67060 (possible privilege escalation due to insecure default configuration). (CVE-2014-0185) (christian at hoffie dot info)
* Fixed issue with null bytes in LDAP bindings. (Matthew Daley)
* Fixed problem in mysqli_commit()/mysqli_rollback() with second parameter (extra comma) and third parameters (lack of escaping). (Andrey)
* Fixed bug #66942 (memory leak in openssl_seal()). (Chuan Ma)
* Fixed bug #66952 (memory leak in openssl_open()). (Chuan Ma)
* Fixed bug #66084 (simplexml_load_string() mangles empty node name). (Anatol)
* Fixed bug #66967 (Updated bundled libsqlite to (Anatol)
* Fixed bug #53965 (<xsl:include> cannot find files with relative paths when loaded with "file://"). (Anatol)

Apache2 Handler SAPI:
* Fixed Apache log issue caused by APR's lack of support for %zu (APR issue (Jeff Trawick)

* Sat May 3 2014 Remi Collet <> 5.5.12-1
- Update to 5.5.12
- php-fpm: change default unix socket permission CVE-2014-0185
* Thu Apr 3 2014 Remi Collet <> 5.5.11-1
- Update to 5.5.11
* Thu Mar 6 2014 Remi Collet <> 5.5.10-1
- Update to 5.5.10
- php-fpm should own /var/lib/php/session and wsdlcache
- fix pcre test results with libpcre < 8.34
* Tue Feb 18 2014 Remi Collet <> 5.5.9-2
- upstream patch for
* Tue Feb 11 2014 Remi Collet <> 5.5.9-1
- Update to 5.5.9
- Install macros to /usr/lib/rpm/macros.d
* Thu Jan 23 2014 Joe Orton <> - 5.5.8-2
- fix _httpd_mmn expansion in absence of httpd-devel
* Wed Jan 8 2014 Remi Collet <> 5.5.8-1
- update to 5.5.8
- drop conflicts with other opcode caches as both can be used only for user data cache
* Wed Dec 11 2013 Remi Collet <> 5.5.7-1
- update to 5.5.7, fix for CVE-2013-6420
- fix zend_register_functions breaks reflection, php bug 66218
- fix Heap buffer over-read in DateInterval, php bug 66060
- fix overflow handling bug in non-x86

[ 1 ] Bug #1092815 - CVE-2014-0185 php: PHP script execution by default via PHP FPM

This update can be installed with the "yum" update program. Use
su -c 'yum update php' at the command line.
For more information, refer to "Managing Software with yum",
available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at

Author: Marijo Plepelic
Cert id: NCERT-REF-2014-05-0001-ADV