Debian Security Advisory

DLA-67-1 php5 -- LTS security update

Date Reported:
30 Sep 2014
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2014-3538, CVE-2014-3587, CVE-2014-3597.
More information:
  • CVE-2014-3538

    It was discovered that the original fix for CVE-2013-7345 did not sufficiently address the problem. A remote attacker could still cause a denial of service (CPU consumption) via a specially-crafted input file that triggers backtracking during processing of an awk regular expression rule.

  • CVE-2014-3587

    It was discovered that the CDF parser of the fileinfo module does not properly process malformed files in the Composite Document File (CDF) format, leading to crashes.

  • CVE-2014-3597

    It was discovered that the original fix for CVE-2014-4049 did not completely address the issue. A malicious server or man-in-the-middle attacker could cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record.

  • CVE-2014-4670

    It was discovered that PHP incorrectly handled certain SPL Iterators. A local attacker could use this flaw to cause PHP to crash, resulting in a denial of service.

For Debian 6 Squeeze, these issues have been fixed in php5 version 5.3.3-7+squeeze22