Debian Security Advisory

DLA-0010-1 php5 -- LTS security update

Date Reported:
27 Jun 2014
Affected Packages:
php5
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2014-4049.
More information:

It was discovered that PHP, a general-purpose scripting language commonly used for web application development, is vulnerable to a heap-based buffer overflow in the DNS TXT record parsing. A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query.

For Debian 6 Squeeze, these issues have been fixed in php5 version 5.3.3-7+squeeze20