Debian Security Advisory
DSA-1206-1 php4 -- several vulnerabilities
- Date Reported: 06 Nov 2006
- Affected Packages: php4
- Vulnerable: Yes
- Security database references: In Mitre's CVE dictionary: CVE-2005-3353, CVE-2006-3017, CVE-2006-4482, CVE-2006-5465.
- More information:
Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:
- CVE-2005-3353
Tim Starling discovered that missing input sanitising in the EXIF module could lead to denial of service.
- CVE-2006-3017
Stefan Esser discovered a security-critical programming error in the hashtable implementation of the internal Zend engine.
- CVE-2006-4482
It was discovered that the str_repeat() and wordwrap() functions perform insufficient checks for buffer boundaries on 64-bit systems, which might lead to the execution of arbitrary code.
- CVE-2006-5465
Stefan Esser discovered a buffer overflow in the htmlspecialchars() and htmlentities() functions, which might lead to the execution of arbitrary code.
For the stable distribution (sarge) these problems have been fixed in version 4:4.3.10-18. Builds for hppa and m68k will be provided later once they are available.
For the unstable distribution (sid) these problems have been fixed in version 4:4.4.4-4 of php4 and version 5.1.6-6 of php5.
We recommend that you upgrade your php4 packages.
- Fixed in:
Debian GNU/Linux 3.1 (sarge)
- Source:
- http://security.debian.org/pool/updates/main/p/php4/php4_4.3.10-18.dsc
- http://security.debian.org/pool/updates/main/p/php4/php4_4.3.10-18.diff.gz
- http://security.debian.org/pool/updates/main/p/php4/php4_4.3.10.orig.tar.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/p/php4/php4-pear_4.3.10-18_all.deb
- http://security.debian.org/pool/updates/main/p/php4/php4_4.3.10-18_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-18_alpha.deb
- http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-18_alpha.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-18_alpha.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-18_alpha.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-18_alpha.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-18_alpha.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-18_alpha.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-18_alpha.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-18_alpha.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-18_alpha.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-18_alpha.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-18_alpha.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-18_alpha.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-18_alpha.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-18_alpha.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-18_alpha.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-18_alpha.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-18_alpha.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-18_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-18_amd64.deb
- http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-18_amd64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-18_amd64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-18_amd64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-18_amd64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-18_amd64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-18_amd64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-18_amd64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-18_amd64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-18_amd64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-18_amd64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-18_amd64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-18_amd64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-18_amd64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-18_amd64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-18_amd64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-18_amd64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-18_amd64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-18_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-18_arm.deb
- http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-18_arm.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-18_arm.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-18_arm.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-18_arm.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-18_arm.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-18_arm.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-18_arm.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-18_arm.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-18_arm.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-18_arm.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-18_arm.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-18_arm.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-18_arm.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-18_arm.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-18_arm.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-18_arm.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-18_arm.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-18_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-18_i386.deb
- http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-18_i386.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-18_i386.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-18_i386.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-18_i386.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-18_i386.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-18_i386.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-18_i386.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-18_i386.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-18_i386.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-18_i386.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-18_i386.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-18_i386.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-18_i386.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-18_i386.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-18_i386.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-18_i386.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-18_i386.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-18_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-18_ia64.deb
- http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-18_ia64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-18_ia64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-18_ia64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-18_ia64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-18_ia64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-18_ia64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-18_ia64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-18_ia64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-18_ia64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-18_ia64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-18_ia64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-18_ia64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-18_ia64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-18_ia64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-18_ia64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-18_ia64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-18_ia64.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-18_ia64.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-18_mips.deb
- http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-18_mips.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-18_mips.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-18_mips.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-18_mips.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-18_mips.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-18_mips.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-18_mips.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-18_mips.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-18_mips.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-18_mips.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-18_mips.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-18_mips.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-18_mips.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-18_mips.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-18_mips.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-18_mips.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-18_mips.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-18_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-18_mipsel.deb
- http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-18_mipsel.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-18_mipsel.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-18_mipsel.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-18_mipsel.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-18_mipsel.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-18_mipsel.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-18_mipsel.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-18_mipsel.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-18_mipsel.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-18_mipsel.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-18_mipsel.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-18_mipsel.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-18_mipsel.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-18_mipsel.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-18_mipsel.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-18_mipsel.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-18_mipsel.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-18_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-18_powerpc.deb
- http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-18_powerpc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-18_powerpc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-18_powerpc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-18_powerpc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-18_powerpc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-18_powerpc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-18_powerpc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-18_powerpc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-18_powerpc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-18_powerpc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-18_powerpc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-18_powerpc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-18_powerpc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-18_powerpc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-18_powerpc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-18_powerpc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-18_powerpc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-18_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-18_s390.deb
- http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-18_s390.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-18_s390.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-18_s390.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-18_s390.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-18_s390.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-18_s390.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-18_s390.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-18_s390.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-18_s390.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-18_s390.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-18_s390.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-18_s390.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-18_s390.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-18_s390.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-18_s390.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-18_s390.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-18_s390.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-18_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/p/php4/libapache-mod-php4_4.3.10-18_sparc.deb
- http://security.debian.org/pool/updates/main/p/php4/libapache2-mod-php4_4.3.10-18_sparc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.3.10-18_sparc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-cli_4.3.10-18_sparc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-common_4.3.10-18_sparc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-curl_4.3.10-18_sparc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-dev_4.3.10-18_sparc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-domxml_4.3.10-18_sparc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-gd_4.3.10-18_sparc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.3.10-18_sparc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-ldap_4.3.10-18_sparc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mcal_4.3.10-18_sparc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mhash_4.3.10-18_sparc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-mysql_4.3.10-18_sparc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-odbc_4.3.10-18_sparc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-recode_4.3.10-18_sparc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-snmp_4.3.10-18_sparc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-sybase_4.3.10-18_sparc.deb
- http://security.debian.org/pool/updates/main/p/php4/php4-xslt_4.3.10-18_sparc.deb
MD5 checksums of the listed files are available in the original advisory.