USN-2126-1] PHP vulnerabilities

2014-03-13T00:00:00
ID SECURITYVULNS:DOC:30361
Type securityvulns
Reporter Securityvulns
Modified 2014-03-13T00:00:00

Description

========================================================================== Ubuntu Security Notice USN-2126-1 March 03, 2014

php5 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 13.10
  • Ubuntu 12.10
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description: - php5: HTML-embedded scripting language interpreter

Details:

Bernd Melchers discovered that PHP's embedded libmagic library incorrectly handled indirect offset values. An attacker could use this issue to cause PHP to consume resources or crash, resulting in a denial of service. (CVE-2014-1943)

It was discovered that PHP incorrectly handled certain values when using the imagecrop function. An attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, obtain sensitive information, or possibly execute arbitrary code. This issue only affected Ubuntu 13.10. (CVE-2013-7226, CVE-2013-7327, CVE-2013-7328, CVE-2014-2020)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 13.10: libapache2-mod-php5 5.5.3+dfsg-1ubuntu2.2 php5-cgi 5.5.3+dfsg-1ubuntu2.2 php5-cli 5.5.3+dfsg-1ubuntu2.2 php5-gd 5.5.3+dfsg-1ubuntu2.2

Ubuntu 12.10: libapache2-mod-php5 5.4.6-1ubuntu1.7 php5-cgi 5.4.6-1ubuntu1.7 php5-cli 5.4.6-1ubuntu1.7 php5-gd 5.4.6-1ubuntu1.7

Ubuntu 12.04 LTS: libapache2-mod-php5 5.3.10-1ubuntu3.10 php5-cgi 5.3.10-1ubuntu3.10 php5-cli 5.3.10-1ubuntu3.10 php5-gd 5.3.10-1ubuntu3.10

Ubuntu 10.04 LTS: libapache2-mod-php5 5.3.2-1ubuntu4.23 php5-cgi 5.3.2-1ubuntu4.23 php5-cli 5.3.2-1ubuntu4.23 php5-gd 5.3.2-1ubuntu4.23

In general, a standard system update will make all the necessary changes.

References: http://www.ubuntu.com/usn/usn-2126-1 CVE-2013-7226, CVE-2013-7327, CVE-2013-7328, CVE-2014-1943, CVE-2014-2020

Package Information: https://launchpad.net/ubuntu/+source/php5/5.5.3+dfsg-1ubuntu2.2 https://launchpad.net/ubuntu/+source/php5/5.4.6-1ubuntu1.7 https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.10 https://launchpad.net/ubuntu/+source/php5/5.3.2-1ubuntu4.23

-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce