please update to latest upstream release 7.0.24

Bug #1721607 reported by Steven Lindsey
This bug affects 1 person
Affects           Status        Importance  Assigned to  Milestone
php7.0 (Ubuntu)   Fix Released  Undecided   Unassigned
  Xenial          Fix Released  Undecided   Unassigned
  Zesty           Fix Released  Undecided   Unassigned

Bug Description

There are serious vulnerabilities in php7.0.22, which is what is currently considered up to date.

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2017-093/

There is a patched version at
https://launchpad.net/~ondrej/+archive/ubuntu/php?field.series_filter=xenial

Is there a reason not to make it the current version?


Revision history for this message
Tyler Hicks (tyhicks) wrote :

Hello and thanks for the bug report!

We typically backport individual security fixes rather than bringing in new upstream releases. See this FAQ entry for more information:

  https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions

Can you give a list of CVEs that were fixed by the PHP 7.0.22 and/or 7.0.24 releases? It isn't clear to me from the changelogs:

  http://www.php.net/ChangeLog-7.php#7.0.22
  http://www.php.net/ChangeLog-7.php#7.0.24

Please update the bug status to "NEW" if you're able to list CVEs that were fixed.

Changed in php7.0 (Ubuntu):
status: New → Incomplete
information type: Private Security → Public Security
Revision history for this message
Nish Aravamudan (nacc) wrote :

Thanks Tyler :)

Steven,

a) The patched version from Ondrej's repo is neither an official nor a supported version; it's irrelevant to this discussion.

b) If you can provide the CVEs that Tyler asked for, then a security update will occur.

c) We do have an MRE for PHP7.0 (probably also for PHP7.1 by the same logic) and I plan on submitting an update to the latest PHP7.0 upstream in the next week or two. But that will only be present in -updates, not -security unless b) is addressed.

Sorry for the delay on my end in replying to this bug.

Revision history for this message
Steven Lindsey (lindss2) wrote : Re: [Bug 1721607] Re: please update to latest upstream release 7.0.24

I don't know if a CVE was generated or not, I'm only going off the
information at

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2017-093/

Steven Lindsey
Sr. Systems Administrator
RPI Computer Science

On 10/13/2017 03:41 PM, Nish Aravamudan wrote:
> Thanks Tyler :)
>
> Steven,
>
> a) The patched version from Ondrej's repo is neither an official nor a
> supported version; it's irrelevant to this discussion.
>
> b) If you can provide the CVEs that Tyler asked for, then a security
> update will occur.
>
> c) We do have an MRE for PHP7.0 (probably also for PHP7.1 by the same
> logic) and I plan on submitting an update to the latest PHP7.0 upstream
> in the next week or two. But that will only be present in -updates, not
> -security unless b) is addressed.
>
> Sorry for the delay on my end in replying to this bug.
>

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I looked through the commits mentioned in the cisecurity.org advisory a week or two ago, but I couldn't find anything that looked to be security relevant. Perhaps they just used placeholder text?

Revision history for this message
Nish Aravamudan (nacc) wrote :

Just an FYI that I have uploaded an update to php7.0 for x and z and php7.1 for aa (which should get copied to bb, but bb will end up with 7.2 before release), but not as a security update. It will go through the normal SRU process before being available.

Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Steven, or anyone else affected,

Accepted php7.0 into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/php7.0/7.0.25-0ubuntu0.17.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in php7.0 (Ubuntu Zesty):
status: New → Fix Committed
tags: added: verification-needed verification-needed-zesty
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Steven, or anyone else affected,

Accepted php7.0 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/php7.0/7.0.25-0ubuntu0.16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in php7.0 (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
Revision history for this message
Simon Déziel (sdeziel) wrote :

After this upgrade:

The following packages will be upgraded:
   php-common (1:35ubuntu6 => 1:35ubuntu6.1)
   php-fpm (1:7.0+35ubuntu6 => 1:7.0+35ubuntu6.1)
   php-mysql (1:7.0+35ubuntu6 => 1:7.0+35ubuntu6.1)
   php7.0-cli (7.0.22-0ubuntu0.16.04.1 => 7.0.25-0ubuntu0.16.04.1)
   php7.0-common (7.0.22-0ubuntu0.16.04.1 => 7.0.25-0ubuntu0.16.04.1)
   php7.0-fpm (7.0.22-0ubuntu0.16.04.1 => 7.0.25-0ubuntu0.16.04.1)
   php7.0-json (7.0.22-0ubuntu0.16.04.1 => 7.0.25-0ubuntu0.16.04.1)
   php7.0-mysql (7.0.22-0ubuntu0.16.04.1 => 7.0.25-0ubuntu0.16.04.1)
   php7.0-opcache (7.0.22-0ubuntu0.16.04.1 => 7.0.25-0ubuntu0.16.04.1)
   php7.0-readline (7.0.22-0ubuntu0.16.04.1 => 7.0.25-0ubuntu0.16.04.1)
10 upgraded, 0 newly installed, 0 to remove and 21 not upgraded.
Need to get 3,668 kB of archives.
After this operation, 6,144 B of additional disk space will be used.
Do you want to continue? [Y/n]

I was able to successfully test WordPress 4.7.8 and 4.8.4 as well as MediaWiki 1.29.2. Marking as verified on Xenial.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Revision history for this message
Simon Déziel (sdeziel) wrote :

CVEs addressed in PHP 7.0.23:

* CVE-2017-12932 (https://bugs.php.net/bug.php?id=74103)

In 7.0.24:

* N/A

In 7.0.25:

* CVE-2016-1283 (https://bugs.php.net/bug.php?id=75207)
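The two comments above give everything needed to audit an upgrade like Simon's mechanically: apt's "will be upgraded" listing (old => new version per package) and a table of which PHP 7.0.x release first fixed each CVE. The script below is an added example, not code from this bug report or from Ubuntu. It parses the apt listing quoted in the xenial verification, reimplements the Debian version ordering that `dpkg --compare-versions` uses (epoch, then upstream, then revision; `~` sorts before everything, letters before other symbols) so it runs without dpkg, and reports which of the listed CVEs each php7.0-* package closes by moving from its old to its new version. It rests on one assumption that is explicit in the code: the php7.0 packages carry upstream's version number, which is true of this SRU (7.0.22 to 7.0.25) but not of a distro backport of an individual fix, where the version number says nothing about CVE coverage and the package changelog or USN is the only reliable source.

```python
"""Added example (not from this bug report or Ubuntu): check an apt upgrade
plan against the CVE-per-release table posted in this thread.

Assumption: php7.0-* packages track upstream PHP version numbers. That holds
for this SRU (7.0.22 -> 7.0.25) but NOT for backports of individual fixes,
where the version alone says nothing about which CVEs are fixed.
"""
import re

# CVE -> first PHP 7.0.x release that fixes it, copied from the comment above.
FIXED_IN = {
    "CVE-2017-12932": "7.0.23",
    "CVE-2016-1283": "7.0.25",
}

# Excerpt of the apt prompt quoted in the xenial verification (constructed input).
APT_OUTPUT = """\
The following packages will be upgraded:
   php-common (1:35ubuntu6 => 1:35ubuntu6.1)
   php-fpm (1:7.0+35ubuntu6 => 1:7.0+35ubuntu6.1)
   php7.0-cli (7.0.22-0ubuntu0.16.04.1 => 7.0.25-0ubuntu0.16.04.1)
   php7.0-common (7.0.22-0ubuntu0.16.04.1 => 7.0.25-0ubuntu0.16.04.1)
Do you want to continue? [Y/n]
"""

UPGRADE_LINE = re.compile(r"^\s*(\S+) \((\S+) => (\S+)\)\s*$")


def parse_upgrade_plan(text):
    """Map package name -> (old version, new version) from apt's listing."""
    plan = {}
    for line in text.splitlines():
        m = UPGRADE_LINE.match(line)
        if m:
            plan[m.group(1)] = (m.group(2), m.group(3))
    return plan


# --- Debian version ordering, as dpkg --compare-versions applies it ---------

def _char_order(c):
    # '~' sorts before anything, even end of string; letters before symbols
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i] if i < len(a) else "")
        ob = _char_order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    # alternate non-digit runs (dpkg lexical order) and digit runs (numeric)
    while a or b:
        ma, mb = re.match(r"[^0-9]*", a), re.match(r"[^0-9]*", b)
        r = _cmp_nondigit(ma.group(), mb.group())
        if r:
            return r
        a, b = a[ma.end():], b[mb.end():]
        ma, mb = re.match(r"[0-9]*", a), re.match(r"[0-9]*", b)
        na, nb = int(ma.group() or "0"), int(mb.group() or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0


def _split_version(v):
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg: epoch first, then upstream, then revision."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def unfixed_cves(version, fixed_in=FIXED_IN):
    """CVEs from the table whose fixing release is newer than `version`."""
    return sorted(cve for cve, fix in fixed_in.items() if compare_versions(version, fix) < 0)


def cves_fixed_by_upgrade(apt_text, fixed_in=FIXED_IN):
    """For each php7.0-* package, the CVEs closed by moving old -> new version."""
    closed = {}
    for pkg, (old, new) in parse_upgrade_plan(apt_text).items():
        if not pkg.startswith("php7.0-"):
            continue  # php-common/php-fpm carry no upstream PHP version number
        before = set(unfixed_cves(old, fixed_in))
        after = set(unfixed_cves(new, fixed_in))
        closed[pkg] = sorted(before - after)
    return closed


if __name__ == "__main__":
    for pkg, cves in cves_fixed_by_upgrade(APT_OUTPUT).items():
        print(pkg, "closes", ", ".join(cves) or "nothing new")
```

Run it as-is and it reports, for php7.0-cli and php7.0-common, that the 7.0.22 to 7.0.25 move closes both CVE-2017-12932 and CVE-2016-1283; feed it a listing where a package only reaches 7.0.23 and CVE-2016-1283 stays open. The php-common and php-fpm lines are parsed but skipped, since their `1:35ubuntu6`-style versions are Debian packaging versions with an epoch, not PHP releases, and comparing them against `7.0.25` would be meaningless.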

Revision history for this message
Simon Déziel (sdeziel) wrote :

Bad timing, on the day Nish updated x/z to 7.0.25, upstream released 7.0.26. No CVEs are addressed by 7.0.26 though.

Revision history for this message
Christian Ehrhardt (paelzer) wrote :

Thanks for the verify, Simon,
yes it is an ever-ongoing race with code releases :-)
Let's complete this one and Nish likely will take a look at the next version sometime later.

Revision history for this message
Simon Déziel (sdeziel) wrote :

Marking verification-done-zesty as @nacc did the verification in LP: #1724896 already.

tags: added: verification-done verification-done-zesty
removed: verification-needed verification-needed-zesty
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php7.0 - 7.0.25-0ubuntu0.16.04.1

---------------
php7.0 (7.0.25-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release (7.0.25)
    - LP: #1724896
    - LP: #1721607

 -- Nishanth Aravamudan <email address hidden> Wed, 01 Nov 2017 10:18:38 -0700

Changed in php7.0 (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for php7.0 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Simon Déziel (sdeziel)
Changed in php7.0 (Ubuntu Zesty):
status: Fix Committed → Fix Released
Changed in php7.0 (Ubuntu):
status: Incomplete → Fix Released