Security Information / 2015 / Security Information -- DSA-3195-1 php5

Debian Security Advisory

DSA-3195-1 php5 -- security update

Date Reported:

18 Mar 2015

Affected Packages:

php5

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-9705, CVE-2015-0231, CVE-2015-0232, CVE-2015-0273, CVE-2015-2305.

More information:

Multiple vulnerabilities have been discovered in the PHP language:

• CVE-2015-2305

  Guido Vranken discovered a heap overflow in the ereg extension (only applicable to 32 bit systems).

• CVE-2014-9705

  Buffer overflow in the enchant extension.

• CVE-2015-0231

  Stefan Esser discovered a use-after-free in the unserialisation of objects.

• CVE-2015-0232

  Alex Eubanks discovered incorrect memory management in the exif extension.

• CVE-2015-0273

  Use-after-free in the unserialisation of DateTimeZone.

For the stable distribution (wheezy), these problems have been fixed in version 5.4.38-0+deb7u1.

For the upcoming stable distribution (jessie), these problems have been fixed in version 5.6.6+dfsg-2.

For the unstable distribution (sid), these problems have been fixed in version 5.6.6+dfsg-2.

We recommend that you upgrade your php5 packages.