Lucene search

K
amazonAmazonALAS-2013-262
HistoryDec 17, 2013 - 9:29 p.m.

Critical: php

2013-12-1721:29:00
alas.aws.amazon.com
41

7.5 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.95 High

EPSS

Percentile

99.3%

Issue Overview:

The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function.

Affected Packages:

php

Issue Correction:
Run yum update php to update your system.

New Packages:

i686:  
    php-mysqlnd-5.3.28-1.2.amzn1.i686  
    php-snmp-5.3.28-1.2.amzn1.i686  
    php-debuginfo-5.3.28-1.2.amzn1.i686  
    php-common-5.3.28-1.2.amzn1.i686  
    php-imap-5.3.28-1.2.amzn1.i686  
    php-fpm-5.3.28-1.2.amzn1.i686  
    php-enchant-5.3.28-1.2.amzn1.i686  
    php-mcrypt-5.3.28-1.2.amzn1.i686  
    php-mbstring-5.3.28-1.2.amzn1.i686  
    php-dba-5.3.28-1.2.amzn1.i686  
    php-odbc-5.3.28-1.2.amzn1.i686  
    php-ldap-5.3.28-1.2.amzn1.i686  
    php-pgsql-5.3.28-1.2.amzn1.i686  
    php-5.3.28-1.2.amzn1.i686  
    php-soap-5.3.28-1.2.amzn1.i686  
    php-recode-5.3.28-1.2.amzn1.i686  
    php-mysql-5.3.28-1.2.amzn1.i686  
    php-xml-5.3.28-1.2.amzn1.i686  
    php-pspell-5.3.28-1.2.amzn1.i686  
    php-mssql-5.3.28-1.2.amzn1.i686  
    php-bcmath-5.3.28-1.2.amzn1.i686  
    php-cli-5.3.28-1.2.amzn1.i686  
    php-process-5.3.28-1.2.amzn1.i686  
    php-embedded-5.3.28-1.2.amzn1.i686  
    php-pdo-5.3.28-1.2.amzn1.i686  
    php-intl-5.3.28-1.2.amzn1.i686  
    php-xmlrpc-5.3.28-1.2.amzn1.i686  
    php-gd-5.3.28-1.2.amzn1.i686  
    php-tidy-5.3.28-1.2.amzn1.i686  
    php-devel-5.3.28-1.2.amzn1.i686  
  
src:  
    php-5.3.28-1.2.amzn1.src  
  
x86_64:  
    php-common-5.3.28-1.2.amzn1.x86_64  
    php-mssql-5.3.28-1.2.amzn1.x86_64  
    php-mysql-5.3.28-1.2.amzn1.x86_64  
    php-soap-5.3.28-1.2.amzn1.x86_64  
    php-odbc-5.3.28-1.2.amzn1.x86_64  
    php-recode-5.3.28-1.2.amzn1.x86_64  
    php-mysqlnd-5.3.28-1.2.amzn1.x86_64  
    php-xmlrpc-5.3.28-1.2.amzn1.x86_64  
    php-embedded-5.3.28-1.2.amzn1.x86_64  
    php-enchant-5.3.28-1.2.amzn1.x86_64  
    php-dba-5.3.28-1.2.amzn1.x86_64  
    php-cli-5.3.28-1.2.amzn1.x86_64  
    php-snmp-5.3.28-1.2.amzn1.x86_64  
    php-mcrypt-5.3.28-1.2.amzn1.x86_64  
    php-pgsql-5.3.28-1.2.amzn1.x86_64  
    php-imap-5.3.28-1.2.amzn1.x86_64  
    php-pspell-5.3.28-1.2.amzn1.x86_64  
    php-bcmath-5.3.28-1.2.amzn1.x86_64  
    php-devel-5.3.28-1.2.amzn1.x86_64  
    php-fpm-5.3.28-1.2.amzn1.x86_64  
    php-ldap-5.3.28-1.2.amzn1.x86_64  
    php-mbstring-5.3.28-1.2.amzn1.x86_64  
    php-gd-5.3.28-1.2.amzn1.x86_64  
    php-xml-5.3.28-1.2.amzn1.x86_64  
    php-5.3.28-1.2.amzn1.x86_64  
    php-debuginfo-5.3.28-1.2.amzn1.x86_64  
    php-tidy-5.3.28-1.2.amzn1.x86_64  
    php-pdo-5.3.28-1.2.amzn1.x86_64  
    php-intl-5.3.28-1.2.amzn1.x86_64  
    php-process-5.3.28-1.2.amzn1.x86_64  

Additional References

Red Hat: CVE-2013-6420

Mitre: CVE-2013-6420

7.5 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.95 High

EPSS

Percentile

99.3%