[SECURITY] [DLA 1034-1] php5 security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1034-1] php5 security update
From: Markus Koschany <apo@debian.org>
Date: Fri, 21 Jul 2017 13:45:57 +0200
Message-id: <[🔎] 0d5bcb50-b802-c234-17e0-cf4e10c1007d@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : php5
Version        : 5.4.45-0+deb7u9
CVE ID         : CVE-2016-10397 CVE-2017-11143 CVE-2017-11144
                 CVE-2017-11145 CVE-2017-11147

Several issues have been discovered in PHP (recursive acronym for PHP:
Hypertext Preprocessor), a widely-used open source general-purpose
scripting language that is especially suited for web development and can
be embedded into HTML.

CVE-2016-10397
  Incorrect handling of various URI components in the URL parser could
  be used by attackers to bypass hostname-specific URL checks.

CVE-2017-11143
  An invalid free in the WDDX deserialization of boolean parameters
  could be used by attackers able to inject XML for deserialization to
  crash the PHP interpreter.

CVE-2017-11144
  The openssl extension PEM sealing code did not check the return value
  of the OpenSSL sealing function, which could lead to a crash of the
  PHP interpreter.

CVE-2017-11145
  Lack of a bounds check in the date extension's timelib_meridian
  parsing code could be used by attackers able to supply date strings to
  leak information from the interpreter.

CVE-2017-11147
  The PHAR archive handler could be used by attackers supplying
  malicious archive files to crash the PHP interpreter or potentially
  disclose information due to a buffer over-read in the
  phar_parse_pharfile function in ext/phar/phar.c.

For Debian 7 "Wheezy", these problems have been fixed in version
5.4.45-0+deb7u9.

We recommend that you upgrade your php5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAllx6XVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeR/JRAAqbDotxgpXTpTLCB64hBkv9RAKoXT4O37Z30fj5N0BJz1lAfS3E/DxpU8
OYH8cguq5k6dp6lEdNDhx1w3AFwZ1wMvAx4HPvEf64k6ryW5bGfbZHmFOl1E8Hxk
ov/yQelLMzeb5BfyzDew2Q6Ssp5VM0+alZMTrjl9DS58i9IO2tN4xVYbcqXuOwQf
SQPHtbc/ov3QWobOs8v5D1ZO9Xcd5E4AsVuFz2Uesko6M42TNsFmtSLlGe4hrv2r
ATtWBe4B/10Es9MngdusYU3bQ6cThABH/nG8WGXscOZn6SPrD1fmyx/u3bPy8n0f
y4tc++/lZvjHpsozc903DxKoiNkhWJUNwnjmN5qIFJBgfXGjiw83I96MYxwyHi+U
7smpduYhKsH6Egzf81jRf8uLwBlfKAl0knNBgXKHRpyHcMAWwp2XPFEbRGrm809D
KF8YnxLKj+Wu9GLuWIxeHHR5c6b0hJKEg0DxELLngS2YJ+WGdPXE3QjccvuM/jtm
n6H/NhqyMH/hhuz5aaKWN7zCwUplDI/qhlurNijz0Myps5/gNf6IA6Bs5qVOIkum
/R3IznHXloAbh0LaFPeGdYHf/j3eRXrUAkWxjJCHDZwk343FQxRvV3K+ZYBUbDlr
JfqlIv+/6SF00YhyiJP+becMTRXk7Xc0VBAcQ/j4GKzdm6U3dDs=
=xHPR
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 1033-1] memcached security update
Next by Date: [SECURITY] [DLA 1035-1] qemu security update
Previous by thread: [SECURITY] [DLA 1033-1] memcached security update
Next by thread: [SECURITY] [DLA 1035-1] qemu security update
Index(es):
- Date
- Thread