Debian Security Advisory
DLA-1034-1 php5 -- LTS security update
- Date Reported:
- 21 Jul 2017
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2016-10397, CVE-2017-11143, CVE-2017-11144, CVE-2017-11145, CVE-2017-11147.
- More information:
Several issues have been discovered in PHP (recursive acronym for PHP: Hypertext Preprocessor), a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.
Incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks.
An invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter.
The openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter.
Lack of a bounds check in the date extension's timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter.
The PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.
For Debian 7
Wheezy, these problems have been fixed in version 5.4.45-0+deb7u9.
We recommend that you upgrade your php5 packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS