Debian Long Term Support / LTS Security Information / 2014 / Security Information -- DLA-0010-1 php5

Debian Security Advisory

DLA-0010-1 php5 -- LTS security update

Date Reported:

27 Jun 2014

Affected Packages:

php5

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-4049.

More information:

It was discovered that PHP, a general-purpose scripting language commonly used for web application development, is vulnerable to a heap-based buffer overflow in the DNS TXT record parsing. A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query.

For Debian 6 Squeeze, these issues have been fixed in php5 version 5.3.3-7+squeeze20