
[SECURITY] [DLA 875-1] php5 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : php5
Version        : 5.4.45-0+deb7u8
CVE ID         : CVE-2016-7478 CVE-2016-7479 CVE-2017-7272

Several issues have been discovered in PHP (recursive acronym for PHP:
Hypertext Preprocessor), a widely-used open source general-purpose
scripting language that is especially suited for web development and can
be embedded into HTML.

CVE-2016-7478:
    Zend/zend_exceptions.c in PHP allows remote attackers to
    cause a denial of service (infinite loop) via a crafted Exception
    object in serialized data, a related issue to CVE-2015-8876.

CVE-2016-7479:
    During the unserialization process, resizing the 'properties' hash
    table of a serialized object may lead to a use-after-free. A remote
    attacker may exploit this bug to achieve arbitrary code execution.
    Even though the property-table issue only affects PHP 7, this change
    also prevents a wide range of other __wakeup()-based attacks.
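The two unserialize() issues above share one root cause: attacker-supplied bytes reach the serialization parser and can instantiate objects. PHP 5.4 has no 'allowed_classes' option for unserialize(), so the practical mitigation is to make sure unserialize() only ever sees data the application itself produced. The following is an added example, not code from the advisory or from the php5 package; it authenticates each serialized blob with an HMAC over an assumed application secret ($key) and refuses to parse anything that fails verification. Function names are assumptions for this example.

```php
<?php
// Added example, not code from the advisory or from the php5 package.
// Mitigation for PHP 5.x, where unserialize() has no 'allowed_classes' option:
// authenticate every serialized blob with an HMAC so that unserialize() only
// receives bytes this application produced. Forged or modified input (a crafted
// Exception object, a __wakeup() gadget chain) is rejected before parsing starts.
// $key is an assumed per-application secret loaded from configuration.

function constant_time_equals($a, $b)
{
    // hash_equals() only exists from PHP 5.6; this fallback runs on 5.4.
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

function seal_serialized($value, $key)
{
    $payload = serialize($value);
    // The hex MAC and the base64 payload never contain ':', so it is a safe separator.
    return hash_hmac('sha256', $payload, $key) . ':' . base64_encode($payload);
}

function open_serialized($blob, $key)
{
    if (!is_string($blob) || strpos($blob, ':') === false) {
        return null;
    }
    list($mac, $b64) = explode(':', $blob, 2);
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, $key);
    if (!constant_time_equals($expected, $mac)) {
        return null;   // tampered or forged: the bytes never reach unserialize()
    }
    return unserialize($payload);
}

// Constructed demonstration values.
$key  = 'example-secret-from-config';
$blob = seal_serialized(array('user' => 42, 'role' => 'viewer'), $key);
$ok   = open_serialized($blob, $key);

// Someone replaces the payload with a serialized object; the MAC no longer matches.
$forged = substr($blob, 0, 65) . base64_encode('O:8:"stdClass":0:{}');
$bad    = open_serialized($forged, $key);

echo ($ok !== null && $bad === null)
    ? "sealed blob accepted, forged blob rejected\n"
    : "unexpected result\n";
```

open_serialized() returns null on an authentication failure and passes through whatever unserialize() returns otherwise, so a legitimately serialized false (unserialize() also returns false on a parse error) stays distinguishable from a rejected blob. Where the data is exchanged with parties that do not hold the secret, json_encode()/json_decode() is the better format, since JSON cannot describe PHP objects at all.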

CVE-2017-7272:
    The fsockopen() function uses the port number defined in the
    hostname instead of the port number passed as the second parameter
    of the function. This misbehaviour may introduce an additional
    attack vector for an already known application vulnerability (e.g.
    Server-Side Request Forgery).
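An application that lets a caller influence the hostname but believes it has constrained the port is exactly the case this issue affects. The following is an added example, not code from the advisory or from the php5 package: a validation wrapper that only accepts a bare hostname or IPv4 literal (nothing containing ':' or '/') and pins the port to an explicit allow-list, so the port the application passes is the only port that can be used. Function names and the allow-list of 80/443 are assumptions for this example; bracketed IPv6 literals are deliberately rejected and would need their own handling.

```php
<?php
// Added example, not code from the advisory or from the php5 package.
// Defensive wrapper around fsockopen(): a caller-supplied host such as
// "host.example:6379" could otherwise override the $port argument. The wrapper
// accepts only a bare hostname or IPv4 literal and an allow-listed port.
// Function names and the allow-list are assumptions for this example.

function validate_socket_target($host, $port, array $allowed_ports)
{
    if (!is_string($host) || $host === '') {
        throw new InvalidArgumentException('empty host');
    }
    // Any ':' or '/' means a port, scheme, bracketed IPv6 literal or path is
    // embedded in the host string; refuse it rather than let fsockopen() parse it.
    if (strpbrk($host, ':/') !== false) {
        throw new InvalidArgumentException('host must be a bare hostname or IPv4 address');
    }
    $is_ipv4 = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
    // RFC 1123 label grammar, 253 characters overall.
    $is_name = (bool) preg_match(
        '/^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i',
        $host
    );
    if (!$is_ipv4 && !$is_name) {
        throw new InvalidArgumentException('invalid host');
    }
    if (!is_int($port) || !in_array($port, $allowed_ports, true)) {
        throw new InvalidArgumentException('port not permitted');
    }
    return array($host, $port);
}

function open_constrained_socket($host, $port, $timeout = 5)
{
    $allowed_ports = array(80, 443);   // assumed allow-list for this example
    list($host, $port) = validate_socket_target($host, $port, $allowed_ports);
    $errno  = 0;
    $errstr = '';
    // $host is now guaranteed to carry no ':' so no port can be smuggled in.
    return fsockopen($host, $port, $errno, $errstr, $timeout);
}

// Constructed checks; the validation step needs no network access.
$cases = array(
    array('example.com', 443),
    array('example.com:8080', 443),   // port smuggled in the host
    array('http://example.com', 80),  // scheme in the host
    array('10.0.0.5', 443),
    array('example.com', 6379),       // port outside the allow-list
);
foreach ($cases as $c) {
    try {
        validate_socket_target($c[0], $c[1], array(80, 443));
        echo "accepted: {$c[0]} port {$c[1]}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$c[0]} port {$c[1]} ({$e->getMessage()})\n";
    }
}
```

The check belongs in the application regardless of whether the patched php5 package is installed: validating the host string and allow-listing the port removes the SSRF vector the advisory mentions rather than relying on fsockopen() to ignore a port embedded in the hostname.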

For Debian 7 "Wheezy", these problems have been fixed in version
5.4.45-0+deb7u8.

We recommend that you upgrade your php5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAljZmrlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeS4oBAAx8XlBG/MDeaSUqv/Xqi8SvIkr7N8BLMymRbVA3WQ7tSNGpes0/SQWmlk
x4o0RDhTdZoEH256vfDt3qZlEoT0ncPm+9Oc/A/7TCDgyBFmBb//rh2CZMnxBB5N
hbDsDHP3ityvgFspSGBRkrGsbNAwHirCll2eUdk0PVsZT7xgwEaaIEUra5lY9w0M
duhTnV8GndkFZOXwSN8BeqvQuEoY8DbPTAi6Hm57IIvOrJn0AjDMWmx6mcSwfPEo
74pux5yzL+1oyVgEXJyGxxRMWykbyK2FTs+YWgerTcLUiOVff9T+r+wxpPAtsBcC
WY5zUuPH2Tgk9sZikMkuc3YvPj/wnxmsDotf/P04Ucj7vqZ2ZIs+9/adT3w6QOk1
riMaBnCzvegf7nMj0P1R57XIOToLsrufYflAubPDoUKozBP0XpejssR0fFT/DXFt
7XlZTb5Yy0DKwW5iGMxZ1oy6SIJrbA9r96voxMnzEXV7ToyBPBMNhamdEIZtc1e3
X0M3CFHRbv3NR/xgTsL2jOTJSn8RoW1GRgW19kh+0vRCtF+VqBiWggDY8ZDUxRVj
uJgQGTCfiyEJKvv9v7nSRFAGDDi+003LXHIfWE4+L39F+Ci4KDWUXMqagwUlv4cL
faNWnziaAkytfJdzKNY96HzRctRvC2Ik5vqV/epeHuPaLDjCpp8=
=eQcM
-----END PGP SIGNATURE-----

