Debian Security Advisory

DLA-94-1 php5 -- LTS security update

Date Reported: 25 Nov 2014
Affected Packages: php5
Vulnerable: Yes
Security database references:
In Mitre's CVE dictionary: CVE-2014-3668, CVE-2014-3669, CVE-2014-3670, CVE-2014-3710.
More information:
  • CVE-2014-3668

    Fix bug #68027 - fix date parsing in XMLRPC lib

  • CVE-2014-3669

    Fix bug #68044: Integer overflow in unserialize() (32-bits only)

  • CVE-2014-3670

    Fix bug #68113 (Heap corruption in exif_thumbnail())

  • CVE-2014-3710

    Fix bug #68283: fileinfo: out-of-bounds read in elf note headers

Additional bugfix

Fix null byte handling in LDAP bindings in ldap-fix.patch

For Debian 6 Squeeze, these issues have been fixed in php5 version 5.3.3-7+squeeze23.