please update to latest upstream release 7.0.24

Bug #1721607 reported by Steven Lindsey on 2017-10-05
Affects            Status   Importance   Assigned to   Milestone
php7.0 (Ubuntu)             Undecided    Unassigned
  Xenial                    Undecided    Unassigned
  Zesty                     Undecided    Unassigned

Bug Description

There are serious vulnerabilities in php7.0.22, which is what is currently considered up to date.

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2017-093/

There is a patched version at
https://launchpad.net/~ondrej/+archive/ubuntu/php?field.series_filter=xenial

Is there a reason not to make it the current version?


Tyler Hicks (tyhicks) wrote :

Hello and thanks for the bug report!

We typically backport individual security fixes rather than bringing in new upstream releases. See this FAQ entry for more information:

  https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions

Can you give a list of CVEs that were fixed by the PHP 7.0.22 and/or 7.0.24 releases? It isn't clear to me from the changelogs:

  http://www.php.net/ChangeLog-7.php#7.0.22
  http://www.php.net/ChangeLog-7.php#7.0.24

Please update the bug status to "NEW" if you're able to list CVEs that were fixed.

Changed in php7.0 (Ubuntu):
status: New → Incomplete
information type: Private Security → Public Security
Nish Aravamudan (nacc) wrote :

Thanks, Tyler :)

Steven,

a) The patched version from Ondrej's repo is neither an official nor a supported version; it's irrelevant to this discussion.

b) If you can provide the CVEs that Tyler asked for, then a security update will occur.

c) We do have an MRE for PHP7.0 (probably also for PHP7.1 by the same logic) and I plan on submitting an update to the latest PHP7.0 upstream in the next week or two. But that will only be present in -updates, not -security unless b) is addressed.

Sorry for the delay on my end in replying to this bug.

I don't know if a CVE was generated or not, I'm only going off the
information at

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2017-093/

Steven Lindsey
Sr. Systems Administrator
RPI Computer Science

On 10/13/2017 03:41 PM, Nish Aravamudan wrote:
> Thanks, Tyler :)
>
> Steven,
>
> a) The patched version from Ondrej's repo is neither an official nor a
> supported version; it's irrelevant to this discussion.
>
> b) If you can provide the CVEs that Tyler asked for, then a security
> update will occur.
>
> c) We do have an MRE for PHP7.0 (probably also for PHP7.1 by the same
> logic) and I plan on submitting an update to the latest PHP7.0 upstream
> in the next week or two. But that will only be present in -updates, not
> -security unless b) is addressed.
>
> Sorry for the delay on my end in replying to this bug.
>

Marc Deslauriers (mdeslaur) wrote :

I looked through the commits mentioned in the cisecurity.org advisory a week or two ago, but I couldn't find anything that looked to be security relevant. Perhaps they just used placeholder text?

Nish Aravamudan (nacc) wrote :

Just an FYI that I have uploaded an update to php7.0 for x and z and php7.1 for aa (which should get copied to bb, but bb will end up with 7.2 before release), but not as a security update. It will go through the normal SRU process before being available.

Hello Steven, or anyone else affected,

Accepted php7.0 into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/php7.0/7.0.25-0ubuntu0.17.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in php7.0 (Ubuntu Zesty):
status: New → Fix Committed
tags: added: verification-needed verification-needed-zesty
Brian Murray (brian-murray) wrote :

Hello Steven, or anyone else affected,

Accepted php7.0 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/php7.0/7.0.25-0ubuntu0.16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in php7.0 (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
Simon Déziel (sdeziel) wrote :

After this upgrade:

The following packages will be upgraded:
   php-common (1:35ubuntu6 => 1:35ubuntu6.1)
   php-fpm (1:7.0+35ubuntu6 => 1:7.0+35ubuntu6.1)
   php-mysql (1:7.0+35ubuntu6 => 1:7.0+35ubuntu6.1)
   php7.0-cli (7.0.22-0ubuntu0.16.04.1 => 7.0.25-0ubuntu0.16.04.1)
   php7.0-common (7.0.22-0ubuntu0.16.04.1 => 7.0.25-0ubuntu0.16.04.1)
   php7.0-fpm (7.0.22-0ubuntu0.16.04.1 => 7.0.25-0ubuntu0.16.04.1)
   php7.0-json (7.0.22-0ubuntu0.16.04.1 => 7.0.25-0ubuntu0.16.04.1)
   php7.0-mysql (7.0.22-0ubuntu0.16.04.1 => 7.0.25-0ubuntu0.16.04.1)
   php7.0-opcache (7.0.22-0ubuntu0.16.04.1 => 7.0.25-0ubuntu0.16.04.1)
   php7.0-readline (7.0.22-0ubuntu0.16.04.1 => 7.0.25-0ubuntu0.16.04.1)
10 upgraded, 0 newly installed, 0 to remove and 21 not upgraded.
Need to get 3,668 kB of archives.
After this operation, 6,144 B of additional disk space will be used.
Do you want to continue? [Y/n]

I was able to successfully test WordPress 4.7.8 and 4.8.4 as well as MediaWiki 1.29.2. Marking as verified on Xenial.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Simon Déziel (sdeziel) wrote :

CVEs addressed in PHP 7.0.23:

* CVE-2017-12932 (https://bugs.php.net/bug.php?id=74103)

In 7.0.24:

* N/A

In 7.0.25:

* CVE-2016-1283 (https://bugs.php.net/bug.php?id=75207)
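The point Tyler made earlier in this thread, and that Simon's list above makes concrete, is that on Ubuntu the upstream version string is not the thing to check: fixes are backported into the distro package, so a "7.0.22" package may already carry fixes for CVEs that upstream only shipped in 7.0.23 or 7.0.25, and the authoritative record is the package's own debian/changelog. The script below is an added example for this thread, not code from Ubuntu, Launchpad or the PHP project. It pulls CVE IDs out of a changelog, reimplements dpkg's version comparison so it can decide which entries are at or below the installed package version, and reports which CVEs of concern are still missing. The changelog excerpt is constructed for illustration: the package versions and CVE IDs are the ones discussed above, but which entry mentions which CVE, the maintainer line and the dates are made up. In practice you would feed it the output of `apt-get changelog php7.0` or `zcat /usr/share/doc/php7.0-common/changelog.Debian.gz`, and `dpkg-query -W -f '${Version}' php7.0-common` for the installed version.

```python
import re

# Constructed changelog excerpt (NOT the real php7.0 changelog). Versions and
# CVE IDs are those discussed in LP: #1721607; the mapping of CVEs to entries,
# the maintainer and the dates are invented for this example.
SAMPLE_CHANGELOG = """\
php7.0 (7.0.25-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release 7.0.25 (LP: #1721607)
    - CVE-2016-1283 (upstream bug #75207)
    - CVE-2017-12932 (upstream bug #74103)

 -- Example Maintainer <maintainer@example.com>  Thu, 02 Nov 2017 12:00:00 +0000

php7.0 (7.0.22-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release 7.0.22

 -- Example Maintainer <maintainer@example.com>  Tue, 05 Sep 2017 12:00:00 +0000
"""

# A changelog entry header looks like: "<source> (<version>) <dist>; urgency=..."
ENTRY_RE = re.compile(r"^(?P<src>\S+) \((?P<ver>[^)]+)\) (?P<dist>\S+);", re.MULTILINE)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def cves_by_version(changelog):
    """Map each package version in the changelog to the CVE IDs its entry mentions."""
    result = {}
    headers = list(ENTRY_RE.finditer(changelog))
    for idx, match in enumerate(headers):
        end = headers[idx + 1].start() if idx + 1 < len(headers) else len(changelog)
        body = changelog[match.end():end]
        result[match.group("ver")] = sorted(set(CVE_RE.findall(body)))
    return result


def _order(ch):
    """Character weight used by dpkg: '~' sorts before everything, letters before other symbols."""
    if ch == "~":
        return -1
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a, b):
    """dpkg's verrevcmp(): alternate non-digit runs (by _order) and numeric runs."""
    i = j = 0

    def order_at(s, k):
        # Past the end or at a digit, dpkg treats the position as weight 0.
        return _order(s[k]) if k < len(s) and not s[k].isdigit() else 0

    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = order_at(a, i), order_at(b, j)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' the way dpkg does."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions` would order a against b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (c > 0) - (c < 0)


def fixed_cves(changelog, installed_version):
    """CVE IDs mentioned in changelog entries at or below the installed version."""
    fixed = set()
    for version, cves in cves_by_version(changelog).items():
        if compare_versions(installed_version, version) >= 0:
            fixed.update(cves)
    return sorted(fixed)


def missing_cves(changelog, installed_version, cves_of_concern):
    """CVEs of concern that no entry up to the installed version claims to fix."""
    return sorted(set(cves_of_concern) - set(fixed_cves(changelog, installed_version)))


if __name__ == "__main__":
    concern = ["CVE-2016-1283", "CVE-2017-12932"]
    for installed in ("7.0.22-0ubuntu0.16.04.1", "7.0.25-0ubuntu0.16.04.1"):
        print(installed, "still missing:", missing_cves(SAMPLE_CHANGELOG, installed, concern))
```

Two caveats when using this for real: a CVE ID appearing in a changelog entry means the maintainer claims the fix is in that package version, not that a later upstream release would not have changed it again, and a "New upstream release" entry with no CVE lines (an MRE update landing in -updates, as Nish described) tells you nothing about security content either way; for that you still need the Ubuntu CVE tracker or the USN.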

Simon Déziel (sdeziel) wrote :

Bad timing, on the day Nish updated x/z to 7.0.25, upstream released 7.0.26. No CVEs are addressed by 7.0.26 though.

ChristianEhrhardt (paelzer) wrote :

Thanks for the verify Simon,
yes it is an ever ongoing race with code releases :-)
Let's complete this one and Nish will likely take a look at the next version sometime later.

This report contains Public Security information.
Everyone can see this security related information.
