Issued:
2016-11-15
Updated:
2016-11-15

RHSA-2016:2750 - Moderate: rh-php56 security, bug fix, and enhancement update

Synopsis

Moderate: rh-php56 security, bug fix, and enhancement update

Type/Severity

Security Advisory Moderate

Topic

An update for rh-php56, rh-php56-php, and rh-php56-php-pear is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The rh-php56 packages provide a recent stable release of PHP with PEAR 1.9.5 and enhanced language features including constant expressions, variadic functions, arguments unpacking, and the interactive debuger. The memcache, mongo, and XDebug extensions are also included.

The rh-php56 Software Collection has been upgraded to version 5.6.25, which provides a number of bug fixes and enhancements over the previous version. (BZ#1356157, BZ#1365401)

Security Fixes in the rh-php56-php component:

  • Several Moderate and Low impact security issues were found in PHP. Under certain circumstances, these issues could cause PHP to crash, disclose portions of its memory, execute arbitrary code, or impact PHP application integrity. Space precludes documenting each of these issues in this advisory. Refer to the CVE links in the References section for a description of each of these vulnerabilities. (CVE-2013-7456, CVE-2014-9767, CVE-2015-8835, CVE-2015-8865, CVE-2015-8866, CVE-2015-8867, CVE-2015-8873, CVE-2015-8874, CVE-2015-8876, CVE-2015-8877, CVE-2015-8879, CVE-2016-1903, CVE-2016-2554, CVE-2016-3074, CVE-2016-3141, CVE-2016-3142, CVE-2016-4070, CVE-2016-4071, CVE-2016-4072, CVE-2016-4073, CVE-2016-4342, CVE-2016-4343, CVE-2016-4473, CVE-2016-4537, CVE-2016-4538, CVE-2016-4539, CVE-2016-4540, CVE-2016-4541, CVE-2016-4542, CVE-2016-4543, CVE-2016-4544, CVE-2016-5093, CVE-2016-5094, CVE-2016-5096, CVE-2016-5114, CVE-2016-5399, CVE-2016-5766, CVE-2016-5767, CVE-2016-5768, CVE-2016-5770, CVE-2016-5771, CVE-2016-5772, CVE-2016-5773, CVE-2016-6128, CVE-2016-6207, CVE-2016-6288, CVE-2016-6289, CVE-2016-6290, CVE-2016-6291, CVE-2016-6292, CVE-2016-6294, CVE-2016-6295, CVE-2016-6296, CVE-2016-6297, CVE-2016-7124, CVE-2016-7125, CVE-2016-7126, CVE-2016-7127, CVE-2016-7128, CVE-2016-7129, CVE-2016-7130, CVE-2016-7131, CVE-2016-7132)

  • Multiple flaws were found in the PCRE library included with the rh-php56-php packages for Red Hat Enterprise Linux 6. A specially crafted regular expression could cause PHP to crash or, possibly, execute arbitrary code. (CVE-2015-2325, CVE-2015-2326, CVE-2015-2327, CVE-2015-2328, CVE-2015-3210, CVE-2015-3217, CVE-2015-5073, CVE-2015-8381, CVE-2015-8383, CVE-2015-8384, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, CVE-2015-8391, CVE-2015-8392, CVE-2015-8395)

Red Hat would like to thank Hans Jerry Illikainen for reporting CVE-2016-3074, CVE-2016-4473, and CVE-2016-5399.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

Affected Products

ProductVersionArch
Red Hat Software Collections (for RHEL Workstation)1x86_64
Red Hat Software Collections (for RHEL Workstation)1x86_64
Red Hat Software Collections (for RHEL Server)1x86_64
Red Hat Software Collections (for RHEL Server)1x86_64
Red Hat Software Collections (for RHEL Server)1x86_64
Red Hat Software Collections (for RHEL Server)1x86_64
Red Hat Software Collections (for RHEL Server)1x86_64
Red Hat Software Collections (for RHEL Server)1x86_64
Red Hat Software Collections (for RHEL Server)1x86_64
Red Hat Software Collections (for RHEL Server)1x86_64
Red Hat Software Collections (for RHEL Server)1x86_64

Updated Packages

  • rh-php56-php-dbg-5.6.25-1.el6.x86_64.rpm
  • rh-php56-runtime-2.3-1.el7.x86_64.rpm
  • rh-php56-php-intl-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-mbstring-5.6.25-1.el7.x86_64.rpm
  • rh-php56-2.3-1.el6.x86_64.rpm
  • rh-php56-php-tidy-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-opcache-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-pgsql-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-debuginfo-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-enchant-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-intl-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-opcache-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-soap-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-gd-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-5.6.25-1.el6.src.rpm
  • rh-php56-php-cli-5.6.25-1.el6.x86_64.rpm
  • rh-php56-scldevel-2.3-1.el7.x86_64.rpm
  • rh-php56-php-pear-1.9.5-4.el7.noarch.rpm
  • rh-php56-php-xml-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-pdo-5.6.25-1.el7.x86_64.rpm
  • rh-php56-runtime-2.3-1.el6.x86_64.rpm
  • rh-php56-php-pear-1.9.5-4.el6.noarch.rpm
  • rh-php56-php-fpm-5.6.25-1.el6.x86_64.rpm
  • rh-php56-2.3-1.el7.src.rpm
  • rh-php56-php-odbc-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-debuginfo-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-pear-1.9.5-4.el7.src.rpm
  • rh-php56-php-dbg-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-pspell-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-imap-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-embedded-5.6.25-1.el6.x86_64.rpm
  • rh-php56-2.3-1.el6.src.rpm
  • rh-php56-php-devel-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-pgsql-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-pspell-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-pdo-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-fpm-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-snmp-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-pear-1.9.5-4.el6.src.rpm
  • rh-php56-php-dba-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-process-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-gmp-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-gmp-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-mysqlnd-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-bcmath-5.6.25-1.el7.x86_64.rpm
  • rh-php56-2.3-1.el7.x86_64.rpm
  • rh-php56-scldevel-2.3-1.el6.x86_64.rpm
  • rh-php56-php-common-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-bcmath-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-common-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-5.6.25-1.el7.src.rpm
  • rh-php56-php-xml-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-xmlrpc-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-recode-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-snmp-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-process-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-xmlrpc-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-recode-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-devel-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-embedded-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-cli-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-ldap-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-gd-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-mbstring-5.6.25-1.el6.x86_64.rpm
  • rh-php56-php-enchant-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-ldap-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-mysqlnd-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-odbc-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-dba-5.6.25-1.el7.x86_64.rpm
  • rh-php56-php-soap-5.6.25-1.el7.x86_64.rpm

Fixes

CVEs

References

Additional information