[SRU] microrelease exception for src:php7.0 (7.0.13)

Bug #1645431 reported by Nish Aravamudan on 2016-11-28
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
php7.0 (Ubuntu)
Medium
Unassigned
Xenial
Medium
Nish Aravamudan
Yakkety
Medium
Nish Aravamudan

Bug Description

There have been a number of microreleases of PHP 7.0 upstream since the last update to Xenial (which corresponded to the merge in Yakkety). Ase we have re-merged again in Zesty, it feels appropriate to provide another MRE update to php7.0. A number of critical security and bug-fixes are present in each 7.0.x. Rather than backporting individual patches (e.g., Bug # 1569509), I believe it makes significantly more sense to follow the upstream 7.0.x. Upstream PHP is demonstrating an improved approach of bugfixes only in 7.0.x:

 - 7.0.13: http://php.net/ChangeLog-7.php

The upstream CI is at: https://travis-ci.org/php/php-src and is run regularly.

Our php7.0 source package has autopkgtests for the 4 SAPIs, mod-php, cgi, fpm and cli. We have also updated the packing to run the source tests during the build itself.

I do not believe there is a firm statement from upstream on API/ABI stability, but the general approach seems to be a BC-break would result in 7.1.0.

Nish Aravamudan (nacc) wrote :

7.0.12 is in Zesty.

Changed in php7.0 (Ubuntu):
status: New → Fix Released
Changed in php7.0 (Ubuntu Xenial):
assignee: nobody → Nish Aravamudan (nacc)
Changed in php7.0 (Ubuntu Yakkety):
assignee: nobody → Nish Aravamudan (nacc)
Changed in php7.0 (Ubuntu Xenial):
importance: Undecided → Medium
Changed in php7.0 (Ubuntu Yakkety):
importance: Undecided → Medium
Changed in php7.0 (Ubuntu Xenial):
status: New → In Progress
Changed in php7.0 (Ubuntu Yakkety):
status: New → In Progress
Nish Aravamudan (nacc) on 2016-11-28
description: updated
Changed in php7.0 (Ubuntu):
status: Fix Released → In Progress
summary: - [SRU] microrelease exception for src:php7.0 (7.0.12)
+ [SRU] microrelease exception for src:php7.0 (7.0.13)
Nish Aravamudan (nacc) wrote :

I just uploaded 7.0.13 to Zesty today.

Changed in php7.0 (Ubuntu):
assignee: nobody → Nish Aravamudan (nacc)
Nish Aravamudan (nacc) wrote :

7.0.13-2ubuntu1 has migrated to zesty release.

Changed in php7.0 (Ubuntu):
status: In Progress → Fix Released
assignee: Nish Aravamudan (nacc) → nobody

Hello Nish, or anyone else affected,

Accepted php7.0 into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/php7.0/7.0.13-0ubuntu0.16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in php7.0 (Ubuntu Yakkety):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in php7.0 (Ubuntu Xenial):
status: In Progress → Fix Committed
Brian Murray (brian-murray) wrote :

Hello Nish, or anyone else affected,

Accepted php7.0 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/php7.0/7.0.13-0ubuntu0.16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Nish Aravamudan (nacc) wrote :

Just as a quick note, I tested both a X and Y LXD environment, with php installed, and the upgrade went smoothly. I will hold off on marking verification-done for a bit, so I can do some more testing.

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of php7.0 from xenial-proposed was performed and bug 1646739 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1646739 (not this bug). Thanks!

tags: added: verification-failed
Nish Aravamudan (nacc) on 2016-12-02
tags: removed: verification-failed
Nish Aravamudan (nacc) on 2017-01-04
tags: added: bot-stop-nagging
Nish Aravamudan (nacc) on 2017-01-07
tags: added: verification-done
removed: verification-needed
Nish Aravamudan (nacc) wrote :

I apologize for not providing more details when I changed the tag a few days ago! I tested by basic updating of PHP in X and Y containers from the version in -updates to the version in -proposed, and verification that simple scripts still continue to function.

I do not have a framework for more extensive testing of the PHP core, but the above is similar to what I have tested in the past for upstream/MRE updates.

Mathew Hodson (mhodson) on 2017-01-11
tags: added: upgrade-software-version
removed: bot-stop-nagging
Changed in php7.0 (Ubuntu):
importance: Undecided → Medium

The verification of the Stable Release Update for php7.0 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :
Download full text (7.2 KiB)

This bug was fixed in the package php7.0 - 7.0.13-0ubuntu0.16.04.1

---------------
php7.0 (7.0.13-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release
    - LP: #1645431
    - Refresh patches for new upstream release.
  * Drop:
    - SECURITY UPDATE: proxy request header vulnerability (httpoxy)
      + debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the
        local environment in ext/standard/basic_functions.c, main/SAPI.c,
        main/php_variables.c.
      + CVE-2016-5385
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: inadequate error handling in bzread()
      + debian/patches/CVE-2016-5399.patch: do not allow reading past error
        read in ext/bz2/bz2.c.
      + CVE-2016-5399
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: integer overflow in the virtual_file_ex function
      + debian/patches/CVE-2016-6289.patch: properly check path_length in
        Zend/zend_virtual_cwd.c.
      + CVE-2016-6289
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: use after free in unserialize() with unexpected
      session deserialization
      + debian/patches/CVE-2016-6290.patch: destroy var_hash properly in
        ext/session/session.c, added test to ext/session/tests/bug72562.phpt.
      + CVE-2016-6290
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: out of bounds read in exif_process_IFD_in_MAKERNOTE
      + debian/patches/CVE-2016-6291.patch: add more bounds checks to
        ext/exif/exif.c.
      + CVE-2016-6291
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: NULL pointer dereference in exif_process_user_comment
      + debian/patches/CVE-2016-6292.patch: properly handle encoding in
        ext/exif/exif.c.
      + CVE-2016-6292
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: locale_accept_from_http out-of-bounds access
      + debian/patches/CVE-2016-6294.patch: check length in
        ext/intl/locale/locale_methods.c, added test to
        ext/intl/tests/bug72533.phpt.
      + CVE-2016-6294
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: use after free vulnerability in SNMP with GC and
      unserialize()
      + debian/patches/CVE-2016-6295.patch: add new handler to
        ext/snmp/snmp.c, add test to ext/snmp/tests/bug72479.phpt.
      + CVE-2016-6295
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: heap buffer overflow in simplestring_addn
      + debian/patches/CVE-2016-6296.patch: prevent overflows in
        ext/xmlrpc/libxmlrpc/simplestring.*.
      + CVE-2016-6296
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: integer overflow in php_stream_zip_opener
      + debian/patches/CVE-2016-6297.patch: use size_t in
        ext/zip/zip_stream.c.
      + CVE-2016-6297
      [ Fixed in 7.0.9 ]
    - debian/patches/fix_exif_tests.patch: fix exif test results after
      security changes.
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: denial of service or code execution via crafted
      serialized data
      + debian/patches/CVE-2016-7124.patch: fix unserializing logic in
        ext/session/session.c, ext/standard/var_unserializer.c*,
        ext/wddx/wddx.c, added tests to
        ext/standard/tests/serialize/bug72663.phpt,
        ext/standard/tests/serialize/bug72663_2.phpt,
        ext/standard/tests/seria...

Read more...

Changed in php7.0 (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (7.2 KiB)

This bug was fixed in the package php7.0 - 7.0.13-0ubuntu0.16.10.1

---------------
php7.0 (7.0.13-0ubuntu0.16.10.1) yakkety; urgency=medium

  * New upstream release
    - LP: #1645431
    - Refresh patches for new upstream release.
  * Drop:
    - SECURITY UPDATE: proxy request header vulnerability (httpoxy)
      + debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the
        local environment in ext/standard/basic_functions.c, main/SAPI.c,
        main/php_variables.c.
      + CVE-2016-5385
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: inadequate error handling in bzread()
      + debian/patches/CVE-2016-5399.patch: do not allow reading past error
        read in ext/bz2/bz2.c.
      + CVE-2016-5399
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: integer overflow in the virtual_file_ex function
      + debian/patches/CVE-2016-6289.patch: properly check path_length in
        Zend/zend_virtual_cwd.c.
      + CVE-2016-6289
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: use after free in unserialize() with unexpected
      session deserialization
      + debian/patches/CVE-2016-6290.patch: destroy var_hash properly in
        ext/session/session.c, added test to ext/session/tests/bug72562.phpt.
      + CVE-2016-6290
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: out of bounds read in exif_process_IFD_in_MAKERNOTE
      + debian/patches/CVE-2016-6291.patch: add more bounds checks to
        ext/exif/exif.c.
      + CVE-2016-6291
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: NULL pointer dereference in exif_process_user_comment
      + debian/patches/CVE-2016-6292.patch: properly handle encoding in
        ext/exif/exif.c.
      + CVE-2016-6292
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: locale_accept_from_http out-of-bounds access
      + debian/patches/CVE-2016-6294.patch: check length in
        ext/intl/locale/locale_methods.c, added test to
        ext/intl/tests/bug72533.phpt.
      + CVE-2016-6294
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: use after free vulnerability in SNMP with GC and
      unserialize()
      + debian/patches/CVE-2016-6295.patch: add new handler to
        ext/snmp/snmp.c, add test to ext/snmp/tests/bug72479.phpt.
      + CVE-2016-6295
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: heap buffer overflow in simplestring_addn
      + debian/patches/CVE-2016-6296.patch: prevent overflows in
        ext/xmlrpc/libxmlrpc/simplestring.*.
      + CVE-2016-6296
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: integer overflow in php_stream_zip_opener
      + debian/patches/CVE-2016-6297.patch: use size_t in
        ext/zip/zip_stream.c.
      + CVE-2016-6297
      [ Fixed in 7.0.9 ]
    - debian/patches/fix_exif_tests.patch: fix exif test results after
      security changes.
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: denial of service or code execution via crafted
      serialized data
      + debian/patches/CVE-2016-7124.patch: fix unserializing logic in
        ext/session/session.c, ext/standard/var_unserializer.c*,
        ext/wddx/wddx.c, added tests to
        ext/standard/tests/serialize/bug72663.phpt,
        ext/standard/tests/serialize/bug72663_2.phpt,
        ext/standard/tests/seri...

Read more...

Changed in php7.0 (Ubuntu Yakkety):
status: Fix Committed → Fix Released
stamster (stamster) wrote :

Very good approach for this update! BC breaker would be to jump to 7.1.x release. So as long as there are upstream updates for 7.0.x this repository should implement those.

Thank you for good job on this and all the rest packages!

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers