From: Alex Sassmannshausen
To: Leo Famulari
Cc: 27808@debbugs.gnu.org
Subject: Re: bug#27808: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Date: Tue, 25 Jul 2017 17:26:35 +0200
Message-ID: <87k22wo7v8.fsf@pompo.co>
In-reply-to: <20170724185744.GA4997@jasmine.lan>

Hi Leo,

I've just submitted a patch to update PHP to version 7.1.7, which resolves the CVEs. Unfortunately PHP has 4 test errors on my machine (but also on the previous version), so I could not fully build it (disabling tests results in a working version of PHP).

The relevant patch is at 27826.

If someone could try building it on x86_64, then we could be sure it's just my local environment that messes things up…

Alex

Leo Famulari writes:

> Apparently our PHP package is vulnerable to CVE-2017-11144,
> CVE-2017-11145, and CVE-2017-11362:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145
>
> This one looks especially bad:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362
>
> Can someone please take a look at this?