Security Advisory Critical: php security update

Advisory: RHSA-2013:1815-1
Type: Security Advisory
Severity: Critical
Issued on: 2013-12-11
Last updated on: 2013-12-11
Affected Products: Red Hat Software Collections 1 for RHEL 6
CVEs (cve.mitre.org): CVE-2013-6420

Details

Updated php packages that fix one security issue are now available for Red
Hat Software Collections 1.

The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server.

A memory corruption flaw was found in the way the openssl_x509_parse()
function of the PHP openssl extension parsed X.509 certificates. A remote
attacker could use this flaw to provide a malicious self-signed certificate
or a certificate signed by a trusted authority to a PHP application using
the aforementioned function, causing the application to crash or, possibly,
allowing the attacker to execute arbitrary code with the privileges of the
user running the PHP interpreter. (CVE-2013-6420)

Red Hat would like to thank the PHP project for reporting this issue.
Upstream acknowledges Stefan Esser as the original reporter of this issue.

All php users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing the
updated packages, the httpd daemon must be restarted for the update to
take effect.
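
To check a host's package inventory against the fixed build named in this advisory, the following added example (not Red Hat's code) reads the output of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` and flags any listed package older than 5.4.16-7.el6.1. The input format, the function names and the sample inventory are assumptions made for the example; epochs and tilde versions are not handled.

```python
import re

# Fixed build named in this advisory: (version, release).
FIXED = ("5.4.16", "7.el6.1")
# Binary packages listed in this advisory: php54-php plus these subpackages.
SUBPACKAGES = ("bcmath cli common dba debuginfo devel enchant fpm gd imap intl "
               "ldap mbstring mysqlnd odbc pdo pgsql process pspell recode snmp "
               "soap tidy xml xmlrpc").split()
AFFECTED = {"php54-php"} | {"php54-php-" + s for s in SUBPACKAGES}

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, the way
    rpm orders them (tilde and caret handling omitted). Returns -1, 0 or 1."""
    seg_a = re.findall(r"\d+|[A-Za-z]+", a)
    seg_b = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def unpatched(inventory):
    """Return 'name-version-release' for every listed package older than FIXED."""
    found = []
    for line in inventory.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[0] not in AFFECTED:
            continue   # not one of the packages this advisory updates
        name, version, release = fields
        order = rpmvercmp(version, FIXED[0]) or rpmvercmp(release, FIXED[1])
        if order < 0:
            found.append(f"{name}-{version}-{release}")
    return found

# Constructed inventory, not taken from a real host.
SAMPLE = """\
php54-php 5.4.16 7.el6.1
php54-php-cli 5.4.16 7.el6
php54-php-common 5.4.14 3.el6
php54-php-xml 5.4.16 10.el6
php54-php-pear 1.9.4 7.el6
"""

if __name__ == "__main__":
    for pkg in unpatched(SAMPLE):
        print("needs update:", pkg)
```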


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat Software Collections 1 for RHEL 6

SRPMS:
php54-php-5.4.16-7.el6.1.src.rpm
File outdated by:  RHSA-2014:1765

x86_64:
php54-php-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-bcmath-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-cli-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-common-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-dba-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-debuginfo-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-devel-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-enchant-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-fpm-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-gd-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-imap-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-intl-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-ldap-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-mbstring-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-mysqlnd-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-odbc-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-pdo-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-pgsql-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-process-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-pspell-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-recode-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-snmp-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-soap-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-tidy-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-xml-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
php54-php-xmlrpc-5.4.16-7.el6.1.x86_64.rpm
File outdated by:  RHBA-2014:0618
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1036830 - CVE-2013-6420 php: memory corruption in openssl_x509_parse()


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/