[SECURITY] [DLA 569-1] xmlrpc-epi security update

2016-07-2921:13:39

lists.debian.org

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.021 Low

EPSS

Percentile

88.9%

JSON

Package : xmlrpc-epi
Version : 0.54.2-1+deb7u1
CVE ID : CVE-2016-6296

Integer signedness error in the simplestring_addn function in
simplestring.c in xmlrpc-epi through 0.54.2 allows remote attackers to
cause a denial of service (heap-based buffer overflow) or possibly have
unspecified other impact via a long first argument to the PHP
xmlrpc_encode_request function.

For Debian 7 "Wheezy", these problems have been fixed in version
0.54.2-1+deb7u1.

We recommend that you upgrade your xmlrpc-epi packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8kfreebsd-i386php5-ldap< 5.6.24+dfsg-0+deb8u1php5-ldap_5.6.24+dfsg-0+deb8u1_kfreebsd-i386.deb
Debian7i386php5-curl< 5.4.45-0+deb7u5php5-curl_5.4.45-0+deb7u5_i386.deb
Debian7amd64php5-tidy< 5.4.45-0+deb7u5php5-tidy_5.4.45-0+deb7u5_amd64.deb
Debian8armelphp5-cli< 5.6.24+dfsg-0+deb8u1php5-cli_5.6.24+dfsg-0+deb8u1_armel.deb
Debian8kfreebsd-amd64php5-xmlrpc< 5.6.24+dfsg-0+deb8u1php5-xmlrpc_5.6.24+dfsg-0+deb8u1_kfreebsd-amd64.deb
Debian8s390xphp5-gmp< 5.6.24+dfsg-0+deb8u1php5-gmp_5.6.24+dfsg-0+deb8u1_s390x.deb
Debian8armelphp5-pgsql< 5.6.24+dfsg-0+deb8u1php5-pgsql_5.6.24+dfsg-0+deb8u1_armel.deb
Debian8mipsellibphp5-embed< 5.6.24+dfsg-0+deb8u1libphp5-embed_5.6.24+dfsg-0+deb8u1_mipsel.deb
Debian8kfreebsd-amd64libapache2-mod-php5< 5.6.24+dfsg-0+deb8u1libapache2-mod-php5_5.6.24+dfsg-0+deb8u1_kfreebsd-amd64.deb
Debian8mipselphp5-fpm< 5.6.24+dfsg-0+deb8u1php5-fpm_5.6.24+dfsg-0+deb8u1_mipsel.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	kfreebsd-i386	php5-ldap	< 5.6.24+dfsg-0+deb8u1	php5-ldap_5.6.24+dfsg-0+deb8u1_kfreebsd-i386.deb
Debian	7	i386	php5-curl	< 5.4.45-0+deb7u5	php5-curl_5.4.45-0+deb7u5_i386.deb
Debian	7	amd64	php5-tidy	< 5.4.45-0+deb7u5	php5-tidy_5.4.45-0+deb7u5_amd64.deb
Debian	8	armel	php5-cli	< 5.6.24+dfsg-0+deb8u1	php5-cli_5.6.24+dfsg-0+deb8u1_armel.deb
Debian	8	kfreebsd-amd64	php5-xmlrpc	< 5.6.24+dfsg-0+deb8u1	php5-xmlrpc_5.6.24+dfsg-0+deb8u1_kfreebsd-amd64.deb
Debian	8	s390x	php5-gmp	< 5.6.24+dfsg-0+deb8u1	php5-gmp_5.6.24+dfsg-0+deb8u1_s390x.deb
Debian	8	armel	php5-pgsql	< 5.6.24+dfsg-0+deb8u1	php5-pgsql_5.6.24+dfsg-0+deb8u1_armel.deb
Debian	8	mipsel	libphp5-embed	< 5.6.24+dfsg-0+deb8u1	libphp5-embed_5.6.24+dfsg-0+deb8u1_mipsel.deb
Debian	8	kfreebsd-amd64	libapache2-mod-php5	< 5.6.24+dfsg-0+deb8u1	libapache2-mod-php5_5.6.24+dfsg-0+deb8u1_kfreebsd-amd64.deb
Debian	8	mipsel	php5-fpm	< 5.6.24+dfsg-0+deb8u1	php5-fpm_5.6.24+dfsg-0+deb8u1_mipsel.deb