Debian Security Advisory
DSA-3074-1 php5 -- security update
- Date Reported:
- 18 Nov 2014
- Affected Packages:
- php5
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 768807.
In Mitre's CVE dictionary: CVE-2014-3710. - More information:
-
Francisco Alonso of Red Hat Product Security found an issue in the file utility, whose code is embedded in PHP, a general-purpose scripting language. When checking ELF files, note headers are incorrectly checked, thus potentially allowing attackers to cause a denial of service (out-of-bounds read and application crash) by supplying a specially crafted ELF file.
As announced in DSA-3064-1 it has been decided to follow the stable 5.4.x releases for the Wheezy php5 packages. Consequently the vulnerability is addressed by upgrading PHP to a new upstream version 5.4.35, which includes additional bug fixes, new features and possibly incompatible changes. Please refer to the upstream changelog for more information:
http://php.net/ChangeLog-5.php#5.4.35For the stable distribution (wheezy), this problem has been fixed in version 5.4.35-0+deb7u1.
We recommend that you upgrade your php5 packages.