Debian Security Advisory
DLA-0010-1 php5 -- LTS security update
- Date Reported:
- 27 Jun 2014
- Affected Packages:
- php5
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2014-4049.
- More information:
-
It was discovered that PHP, a general-purpose scripting language commonly used for web application development, is vulnerable to a heap-based buffer overflow in the DNS TXT record parsing. A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query.
For Debian 6
Squeeze
, these issues have been fixed in php5 version 5.3.3-7+squeeze20