Description of problem:
php-mbstring bundles oniguruma: https://github.com/php/php-src/tree/master/ext/mbstring/oniguruma
So first of all, the php-mbstring rpm must contain bundled(oniguruma) (seems = 6.1.2 on rawhide php 7.1.6 RC1): https://fedoraproject.org/wiki/Bundled_Libraries?rd=Packaging:Bundled_Libraries

Recently multiple security issues were found in oniguruma:
CVE-2017-9226 https://github.com/kkos/oniguruma/issues/55
CVE-2017-9225 https://github.com/kkos/oniguruma/issues/56
CVE-2017-9224 https://github.com/kkos/oniguruma/issues/57
CVE-2017-9227 https://github.com/kkos/oniguruma/issues/58
CVE-2017-9229 https://github.com/kkos/oniguruma/issues/59
CVE-2017-9228 https://github.com/kkos/oniguruma/issues/60
All of them are fixed in 6.3.0: https://github.com/kkos/oniguruma/releases
Looks like the oniguruma bundled in rawhide php is affected by all of them.

Note that F-25 ships oniguruma 6.1.3, and today I've applied fixes for the above: http://pkgs.fedoraproject.org/cgit/rpms/oniguruma.git/commit/?h=f25&id=31ddb4bfb4451f89060d47e937f43ab6afda07aa

Version-Release number of selected component (if applicable):
php-7.1.6~RC1-1.fc27
php on older branches may also be affected.

Additional info:
It is preferable that php-mbstring is linked against the system oniguruma.
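An added audit script (not part of this bug report or of the php package) for checking the two points raised above on an installed Fedora-style system: whether the php-mbstring rpm declares bundled(oniguruma), and whether the loaded mbstring.so actually resolves the system libonig or carries its own copy. The two parsing functions read the tool output on stdin, so they can be exercised offline with constructed input; audit_live is the hypothetical wrapper that feeds them real rpm and ldd output.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes rpm, php and ldd exist only
# for audit_live; the parsing functions themselves need nothing but POSIX tools.

# Print the version from a "bundled(oniguruma) = X" Provides line,
# "unversioned" if the Provides exists without a version, or "none"
# when the package declares no bundled copy at all.
bundled_onig_version() {
    lines=$(grep -E '^bundled\(oniguruma\)' || true)
    if [ -z "$lines" ]; then
        printf 'none\n'
        return 0
    fi
    v=$(printf '%s\n' "$lines" | sed -n -E 's/^bundled\(oniguruma\) *= *([^ ]+).*/\1/p' | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unversioned\n'; fi
}

# Print "system" when ldd output shows mbstring.so resolving libonig.so*,
# otherwise "bundled": a statically compiled-in copy leaves no libonig entry,
# so the extension would not pick up fixes shipped in the system package.
onig_linkage() {
    if grep -qE 'libonig\.so'; then printf 'system\n'; else printf 'bundled\n'; fi
}

# Live check on a real host (hypothetical helper; rpm and php must be installed).
audit_live() {
    printf 'declared bundled(oniguruma): '
    rpm -q --provides php-mbstring | bundled_onig_version
    so="$(php -r 'echo ini_get("extension_dir");')/mbstring.so"
    printf 'actual linkage of %s: ' "$so"
    ldd "$so" | onig_linkage
}
```

Run audit_live on a host; a result of "system" together with a current oniguruma package means the CVE fixes come from the distribution library rather than from a patched bundled copy.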
All PHP versions 5.6, 7.0, 7.1 use bundled version 5.9.6.
PHP version 7.2 (master) used bundled version 6.1.2, which I have updated to 6.3.0.
oniguruma 5.9.6 is affected by CVE-2017-922{4,6,7,8,9} (it is not affected by CVE-2017-9225 as far as I have inspected).
ref: http://pkgs.fedoraproject.org/cgit/rpms/oniguruma.git/commit/?h=f24&id=033caa9c1864f37b6dafa893280ffda7b39d5490
@Mamoru, great thanks, this helps a lot.

See:
http://git.php.net/?p=php-src.git;a=commitdiff;h=1e0c4386ab87c6f6392933450130470cbd1a2b19
http://git.php.net/?p=php-src.git;a=commitdiff;h=60b1829e1cd18facc696264fd830c4bbd593cfa9
http://git.php.net/?p=php-src.git;a=commitdiff;h=6a8ae7cf8db3ec8dabfd027e01cdbcbb52654c90
http://git.php.net/?p=php-src.git;a=commitdiff;h=5416deec665db293ae25548828791453d776a6bf
http://git.php.net/?p=php-src.git;a=commitdiff;h=1c845d295037702d63097e2216b3c5db53f79273
http://git.php.net/?p=php-src.git;a=commitdiff;h=46bb35a853e5dbb9cc7f9ca87ad5c3ca5d728750

FYI, PHP bundled this library with minor changes for Windows. See: http://git.php.net/?p=php-src.git;a=commitdiff;h=b8a334f149b1ebd3404f2c950fe622fda73e812e

I plan to use the system library with 7.2 (F27, later this year).
I will add the missing provide for the next update.
php-7.1.6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e097be7a47
Fixed upstream (will be in 7.0.21 and 7.1.7).
PHP 7.2.0alpha1 uses bundled oniguruma 6.3.

Fedora 27 will use the system library (when updated to 7.2, later, probably this summer); has bundled(oniguruma) for now.
Fedora 26 (7.1.6-1) has upstream patches.
Fedora 25 (7.0.20-1) has upstream patches.
php-7.1.6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-e097be7a47
php-7.1.6-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.