[Cucumber-linux-security] php & php5 (security update is available)
From: Z5T1 <z5...@z5...> - 2017-10-28 15:17:15
Update Information

A security update is available for php for the following versions of Cucumber Linux:

* 1.0
* 1.1 Alpha

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Sat Oct 28 10:31:42 EDT 2017
lang-general/php upgraded from 5.6.31 to 5.6.32 to fix CVE-2016-1283, a vulnerability which allowed a remote attacker to cause a denial of service or possibly have other unspecified impacts via a specially crafted regex passed to PCRE. Note that this vulnerability has long since been fixed by the upstream PCRE developers and the regular Cucumber PCRE packages are unaffected by it; this was an issue only because PHP was using an old version of PCRE (which was linked statically into the PHP binaries).
For more information see:
https://nvd.nist.gov/vuln/detail/CVE-2016-1283
http://security.cucumberlinux.com/security/details.php?id=118
https://bugs.php.net/bug.php?id=75207
http://www.php.net/ChangeLog-5.php#5.6.32
* SECURITY FIX *
+----------------+

Note for Cucumber 1.1 Alpha Users

For users of Cucumber Linux 1.1 Alpha, there have been two package updates released for this vulnerability: one for the mainstream 'php' package (which is PHP version 7.2) and one for the legacy 'php5' package (which is PHP version 5.6). You should only ever use one of these two packages on any given system, as they conflict with each other, so make sure to apply the correct update for the version of PHP you are using. If you use Pickle to apply the update, it will take care of this for you.

Here are the full details from the Cucumber 1.1 Alpha changelog:

Sat Oct 28 10:35:22 EDT 2017
lang-general/php upgraded from 7.2.0RC4 to 7.2.0RC5 to fix CVE-2016-1283, a vulnerability which allowed a remote attacker to cause a denial of service or possibly have other unspecified impacts via a specially crafted regex passed to PCRE. Note that this vulnerability has long since been fixed by the upstream PCRE developers and the regular Cucumber PCRE packages are unaffected by it; this was an issue only because PHP was using an old version of PCRE (which was linked statically into the PHP binaries).
For more information see:
https://nvd.nist.gov/vuln/detail/CVE-2016-1283
http://security.cucumberlinux.com/security/details.php?id=118
https://bugs.php.net/bug.php?id=75207
http://www.php.net/ChangeLog-5.php#5.6.32
lang-extra/php5 upgraded from 5.6.31 to 5.6.32 to fix this same vulnerability in the legacy PHP package.
* SECURITY FIX *

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:

* CLD-118 [CVE-2016-1283] (http://security.cucumberlinux.com/security/details.php?id=118)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):

# pickle --update
# pickle

Make sure php or php5 is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
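A post-update check that compares the installed PHP against the fixed versions named in this advisory and shows which PCRE the binary is actually linked against (the point that made this a PHP issue rather than a PCRE one); this is an added example, not part of the advisory or of Pickle, and the function names and the branch-to-fixed-version table are mine, taken from the changelogs above.

```shell
#!/bin/sh
# First fixed PHP release per branch, as stated in this advisory's changelogs (constructed table).
fixed_for_branch() {
  case "$1" in
    5.6) echo 5.6.32 ;;
    7.2) echo 7.2.0RC5 ;;
    *)   echo "" ;;
  esac
}

# Turn "7.2.0RC4" into "7 2 0 4"; a final release gets rc=9999 so it sorts above any RC.
version_key() {
  v="$1"; rc=9999
  case "$v" in
    *RC*) rc="${v##*RC}"; v="${v%%RC*}" ;;
  esac
  set -- $(printf '%s' "$v" | tr '.' ' ')
  echo "${1:-0} ${2:-0} ${3:-0} $rc"
}

# True (exit 0) when PHP version $1 is at least version $2, field by field.
version_ge() {
  set -- $(version_key "$1") $(version_key "$2")
  i=1
  while [ "$i" -le 4 ]; do
    eval "a=\$$i b=\$$((i + 4))"
    [ "$a" -gt "$b" ] && return 0
    [ "$a" -lt "$b" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# Prints "fixed", "vulnerable" or "unknown-branch" for a Cucumber PHP version string.
php_cve_2016_1283_status() {
  fixed=$(fixed_for_branch "${1%.*}")   # 5.6.32 -> 5.6, 7.2.0RC4 -> 7.2
  if [ -z "$fixed" ]; then echo unknown-branch; return 2; fi
  if version_ge "$1" "$fixed"; then echo fixed; return 0; fi
  echo vulnerable; return 1
}

# On a live host: classify the installed PHP and report the PCRE its binary is linked against.
if command -v php >/dev/null 2>&1; then
  installed=$(php -r 'echo PHP_VERSION;')
  printf 'php %s: %s\n' "$installed" "$(php_cve_2016_1283_status "$installed")"
  php -r 'echo "linked PCRE: ", PCRE_VERSION, "\n";'
fi
```

The version test only tells you whether the Cucumber package is the patched build; on a host with a non-Cucumber PHP, the PCRE_VERSION line is the more useful clue, since the advisory's whole point is that PHP carried its own outdated copy of the library.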