PHP Updates for CVE-2013-6420

Bug #1260032 reported by Jeff Sheltren on 2013-12-11
Affects: IUS Community Project

Bug Description

RedHat has released PHP updates for PHP 5.1, 5.3, 5.4. See

Seems this would affect many IUS versions as well, though I don't see any references to it (yet?) on

CVE References

information type: Private Security → Public Security
bharper (bharper) wrote :

Hello Jeff,

Thanks for taking the time to submit this bug. So far the only reference I can find from PHP is from their git repo:;a=commit;h=c1224573c773b6845e83505f717fbf820fc18415

The update to the NEWS file would appear that a new release of PHP is coming out tomorrow:;a=blobdiff;f=NEWS;h=8abf65e05b0298a6f2dba9439c9513919234766f;hp=70461d97d85c65e01e739514923303b09257f65f;hb=c1224573c773b6845e83505f717fbf820fc18415;hpb=32873cd0ddea7df8062213bb025beb6fb070e59d

It would appear that our php53u, php54 and php55u packages are affected. I will work on applying this patch, just in case the new PHP is not released tomorrow.


Changed in ius:
assignee: nobody → bharper (bharper)
bharper (bharper) wrote :

I have built php53u-5.3.27-2, php54-5.4.22-2 and php55u-5.5.6-3 with the patch from PHP's git repo and they have been tagged testing-candidate. They will be placed in the testing repos tonight and can take around 24 hours to hit all the mirrors.

See the following for information on how to use the testing repo:


Changed in ius:
status: New → Fix Released
bharper (bharper) on 2013-12-12
Changed in ius:
status: Fix Released → Fix Committed
bharper (bharper) wrote :

Two days after Red Hat released their updates, PHP released new versions that included fixes for this CVE. The php53u-5.3.27-2, php54-5.4.22-2 and php55u-5.5.6-3 packages have been taken out of the stable repos and the updated PHP packages have already made their way into the stable repos. See the following bugs:


Changed in ius:
status: Fix Committed → Fix Released