Debian Security Advisory

DSA-3074-1 php5 -- security update

Date Reported:
18 Nov 2014
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 768807.
In Mitre's CVE dictionary: CVE-2014-3710.
More information:

Francisco Alonso of Red Hat Product Security found an issue in the file utility, whose code is embedded in PHP, a general-purpose scripting language. When checking ELF files, note headers are incorrectly checked, thus potentially allowing attackers to cause a denial of service (out-of-bounds read and application crash) by supplying a specially crafted ELF file.

As announced in DSA-3064-1 it has been decided to follow the stable 5.4.x releases for the Wheezy php5 packages. Consequently the vulnerability is addressed by upgrading PHP to a new upstream version 5.4.35, which includes additional bug fixes, new features and possibly incompatible changes. Please refer to the upstream changelog for more information:

For the stable distribution (wheezy), this problem has been fixed in version 5.4.35-0+deb7u1.

We recommend that you upgrade your php5 packages.