Debian Long Term Support / LTS Security Information / 2014 / Security Information -- DLA-67-1 php5

Debian Security Advisory

DLA-67-1 php5 -- LTS security update

Date Reported:

30 Sep 2014

Affected Packages:

php5

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-3538, CVE-2014-3587, CVE-2014-3597.

More information:

• CVE-2014-3538

  It was discovered that the original fix for CVE-2013-7345 did not sufficiently address the problem. A remote attacker could still cause a denial of service (CPU consumption) via a specially-crafted input file that triggers backtracking during processing of an awk regular expression rule.

• CVE-2014-3587

  It was discovered that the CDF parser of the fileinfo module does not properly process malformed files in the Composite Document File (CDF) format, leading to crashes.

• CVE-2014-3597

  It was discovered that the original fix for CVE-2014-4049 did not completely address the issue. A malicious server or man-in-the-middle attacker could cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record.

• CVE-2014-4670

  It was discovered that PHP incorrectly handled certain SPL Iterators. A local attacker could use this flaw to cause PHP to crash, resulting in a denial of service.

For Debian 6 Squeeze, these issues have been fixed in php5 version 5.3.3-7+squeeze22