
[SECURITY] [DLA 67-1] php5 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package        : php5
Version        : 5.3.3-7+squeeze22
CVE ID         : CVE-2014-3538 CVE-2014-3587 CVE-2014-3597


CVE-2014-3538

    It was discovered that the original fix for CVE-2013-7345 did not
    sufficiently address the problem. A remote attacker could still
    cause a denial of service (CPU consumption) via a specially-crafted
    input file that triggers backtracking during processing of an awk
    regular expression rule.

CVE-2014-3587

    It was discovered that the CDF parser of the fileinfo module does
    not properly process malformed files in the Composite Document File
    (CDF) format, leading to crashes.

CVE-2014-3597

    It was discovered that the original fix for CVE-2014-4049 did not
    completely address the issue. A malicious server or
    man-in-the-middle attacker could cause a denial of service (crash)
    and possibly execute arbitrary code via a crafted DNS TXT record.

CVE-2014-4670

    It was discovered that PHP incorrectly handled certain SPL
    Iterators. A local attacker could use this flaw to cause PHP to
    crash, resulting in a denial of service.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFUKl7E02K2KlS5mJARArRYAKCUVQeEWMaVHiOOrd9s0D+amhBEKQCdE5Tk
tmpHDouz2xXL+hyh4DCO7hM=
=JkZD
-----END PGP SIGNATURE-----

