Bug 918187 (CVE-2013-1643)
Summary: CVE-2013-1643 php: Ability to read arbitrary files due to use of external entities while parsing SOAP WSDL files

| Field | Value |
|---|---|
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | low |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Jan Lieskovsky <jlieskov> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | fedora, jkurik, jorton, rcollet, rpm, ssekidde, webstack-team |
| Keywords | Security |
| Fixed In Version | php 5.3.23, php 5.4.13 |
| Doc Type | Bug Fix |
| Last Closed | 2013-12-11 10:35:52 UTC |
| Bug Depends On | 958614, 988714, 1037490, 1037491 |
| Bug Blocks | 918202, 952520, 974906 |

Description
Jan Lieskovsky
2013-03-05 16:49:56 UTC
PHP NEWS file entries:

[5] http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=36f6f9a4396d3034cc903a4271e7fdeccc5d3ea6;hb=refs/heads/PHP-5.4

[6] http://git.php.net/?p=php-src.git;a=blob;f=NEWS;h=82afa3a040e639f3595121e45b850d5453906a00;hb=refs/heads/PHP-5.3

This issue was not correctly fixed in 5.4.12 or 5.3.22, so CVE-2013-1824 was assigned to the incorrect fix present in 5.4.12 and 5.3.22. It was correctly fixed in 5.4.13 and 5.3.23.

Since we have not fixed this in our package yet, CVE-2013-1824 does not apply to us (we never provided the incorrect fix).

As Remi noted:

- First fix: http://git.php.net/?p=php-src.git;a=commitdiff;h=afe98b7829d50806559acac9b530acb8283c3bf4
- Improved fix: http://git.php.net/?p=php-src.git;a=commitdiff;h=188c196d4da60bdde9190d2fc532650d17f7af2d
- Revert previous + real fix: http://git.php.net/?p=php-src.git;a=commitdiff;h=8e76d0404b7f664ee6719fd98f0483f0ac4669d6
- Fix ZTS: http://git.php.net/?p=php-src.git;a=commitdiff;h=fcd4b5335a6df4e0676ee32e2267ca71d70fe623

php-5.4.13-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

php-5.4.13-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in following products:

Red Hat Enterprise Linux 5

Via RHSA-2013:1307 https://rhn.redhat.com/errata/RHSA-2013-1307.html

Statement: (none)

This issue has been addressed in following products:

Red Hat Enterprise Linux 6

Via RHSA-2013:1615 https://rhn.redhat.com/errata/RHSA-2013-1615.html

This issue has been addressed in following products:

Red Hat Enterprise Linux 5

Via RHSA-2013:1814 https://rhn.redhat.com/errata/RHSA-2013-1814.html