[SECURITY] [DSA 3074-1] php5 security update

2014-11-1821:10:45

lists.debian.org

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.044 Low

EPSS

Percentile

92.3%

JSON

Debian Security Advisory DSA-3074-1 [email protected]
http://www.debian.org/security/ Yves-Alexis Perez
November 18, 2014 http://www.debian.org/security/faq

Package : php5
CVE ID : CVE-2014-3710
Debian Bug : 68283

Francisco Alonso of Red Hat Product Security found an issue in the file
utility, whose code is embedded in PHP, a general-purpose scripting
language. When checking ELF files, note headers are incorrectly
checked, thus potentially allowing attackers to cause a denial of
service (out-of-bounds read and application crash) by supplying a
specially crafted ELF file.

As announced in DSA-3064-1 it has been decided to follow the stable
5.4.x releases for the Wheezy php5 packages. Consequently the
vulnerability is addressed by upgrading PHP to a new upstream version
5.4.35, which includes additional bug fixes, new features and possibly
incompatible changes. Please refer to the upstream changelog for more
information:

http://php.net/ChangeLog-5.php#5.4.35

For the stable distribution (wheezy), this problem has been fixed in
version 5.4.35-0+deb7u1.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian7s390xfile< 5.11-2+deb7u6file_5.11-2+deb7u6_s390x.deb
Debian7allphp-pear< 5.4.35-0+deb7u1php-pear_5.4.35-0+deb7u1_all.deb
Debian7ia64libapache2-mod-php5< 5.4.35-0+deb7u1libapache2-mod-php5_5.4.35-0+deb7u1_ia64.deb
Debian7amd64php5-gmp< 5.4.35-0+deb7u1php5-gmp_5.4.35-0+deb7u1_amd64.deb
Debian6allphp-pear< 5.3.3-7+squeeze23php-pear_5.3.3-7+squeeze23_all.deb
Debian7mipsphp5-pspell< 5.4.35-0+deb7u1php5-pspell_5.4.35-0+deb7u1_mips.deb
Debian7amd64php5-mysqlnd< 5.4.35-0+deb7u1php5-mysqlnd_5.4.35-0+deb7u1_amd64.deb
Debian7kfreebsd-i386php5-odbc< 5.4.35-0+deb7u1php5-odbc_5.4.35-0+deb7u1_kfreebsd-i386.deb
Debian7kfreebsd-i386python-magic-dbg< 5.11-2+deb7u6python-magic-dbg_5.11-2+deb7u6_kfreebsd-i386.deb
Debian6amd64python-magic-dbg< 5.04-5+squeeze8python-magic-dbg_5.04-5+squeeze8_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	s390x	file	< 5.11-2+deb7u6	file_5.11-2+deb7u6_s390x.deb
Debian	7	all	php-pear	< 5.4.35-0+deb7u1	php-pear_5.4.35-0+deb7u1_all.deb
Debian	7	ia64	libapache2-mod-php5	< 5.4.35-0+deb7u1	libapache2-mod-php5_5.4.35-0+deb7u1_ia64.deb
Debian	7	amd64	php5-gmp	< 5.4.35-0+deb7u1	php5-gmp_5.4.35-0+deb7u1_amd64.deb
Debian	6	all	php-pear	< 5.3.3-7+squeeze23	php-pear_5.3.3-7+squeeze23_all.deb
Debian	7	mips	php5-pspell	< 5.4.35-0+deb7u1	php5-pspell_5.4.35-0+deb7u1_mips.deb
Debian	7	amd64	php5-mysqlnd	< 5.4.35-0+deb7u1	php5-mysqlnd_5.4.35-0+deb7u1_amd64.deb
Debian	7	kfreebsd-i386	php5-odbc	< 5.4.35-0+deb7u1	php5-odbc_5.4.35-0+deb7u1_kfreebsd-i386.deb
Debian	7	kfreebsd-i386	python-magic-dbg	< 5.11-2+deb7u6	python-magic-dbg_5.11-2+deb7u6_kfreebsd-i386.deb
Debian	6	amd64	python-magic-dbg	< 5.04-5+squeeze8	python-magic-dbg_5.04-5+squeeze8_amd64.deb