Debian Security Advisory
DLA-1373-1 php5 -- LTS security update
- Date Reported:
- 09 May 2018
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2018-10545, CVE-2018-10547, CVE-2018-10548.
- More information:
Several issues have been discovered in PHP (recursive acronym for PHP: Hypertext Preprocessor), a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.
Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM worker process.
There is a reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.
ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value.
For Debian 7
Wheezy, these problems have been fixed in version 5.4.45-0+deb7u14.
We recommend that you upgrade your php5 packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS