Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2014.1431 php5 security update 22 August 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: php5 Publisher: Debian Operating System: Debian GNU/Linux 7 Impact/Access: Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2014-4670 CVE-2014-4049 CVE-2014-3597 CVE-2014-3587 CVE-2014-3538 CVE-2013-7345 Reference: ASB-2014.0083 ESB-2014.1429 ESB-2014.1331 ESB-2014.1327 ESB-2014.1032 ESB-2014.0991 Original Bulletin: http://www.debian.org/security/2014/dsa-3008 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-3008-1 security@debian.org http://www.debian.org/security/ Salvatore Bonaccorso August 21, 2014 http://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : php5 CVE ID : CVE-2014-3538 CVE-2014-3587 CVE-2014-3597 CVE-2014-4670 Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2014-3538 It was discovered that the original fix for CVE-2013-7345 did not sufficiently address the problem. A remote attacker could still cause a denial of service (CPU consumption) via a specially-crafted input file that triggers backtracking during processing of an awk regular expression rule. CVE-2014-3587 It was discovered that the CDF parser of the fileinfo module does not properly process malformed files in the Composite Document File (CDF) format, leading to crashes. CVE-2014-3597 It was discovered that the original fix for CVE-2014-4049 did not completely address the issue. A malicious server or man-in-the-middle attacker could cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record. CVE-2014-4670 It was discovered that PHP incorrectly handled certain SPL Iterators. A local attacker could use this flaw to cause PHP to crash, resulting in a denial of service. For the stable distribution (wheezy), these problems have been fixed in version 5.4.4-14+deb7u13. In addition, this update contains several bugfixes originally targeted for the upcoming Wheezy point release. For the unstable distribution (sid), these problems will be fied soon. We recommend that you upgrade your php5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJT9YtyAAoJEAVMuPMTQ89EHS8P/2xNY3Oj3k311OfPJa43FUsf PcYr76gEN/FojTw0swNYMKJB8K3Dbypa5QARnOqVICzF0iIeQt00a7kX/ZRzZEZd rcmvrgcZSIY0ZfscYEy6+AQJaCjVEvihDZL8aVWsNqR/TQQHIXp4urpVEktcLvQU Wsk5J8sXK3GSKMcIM0CF2y078KUYZYEqCS8xwUhUBYYj7a7jZiZNAiJ43Xz2mc5q gjuZ7lpUTRy9IYZCqNOYMdtoFeHqJr94pIqoJQVG6MvutyVGGPfYlhanrOSc/Kk/ GELEosuf9ng0YgIiwqC3m9gMYNwMI3ZGlJm4f+9P7AFPNcYVJ/grrGpnZzmzovVS d11sikhTqjdfIoZ3ZTsjXATTORKxku/naOZoO4b8dx8Li0b8byuwt75MElMoyAfY WZYzBAArF6vX7GOsGVN8eLLgFCJDWP/8IcgJjV2+fYLRl3NPBhDbvYuzgq+RjHO6 4g6mekc9v2RNug10z/ypPtmL9WMWUeV+B843lpCIo7GKh/tZSwPh/8udMMMW3Ppk nrWwUFh0S+bSC99Rx39+IhUPD63xqaGDB/K1RoUIb13XT3a8dMm/zfM433Un0JPD 2cNDs+wuSTv9UVjLT8tls1nLAI7qSfhELL2s4RTTHaGJu9sIoNjuMcVzRcoQp0fR tTcc81EqUmCm/XjEOkjW =MzKR - -----END PGP SIGNATURE----- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-3008-2 security@debian.org http://www.debian.org/security/ Salvatore Bonaccorso August 21, 2014 http://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : php5 CVE ID : CVE-2014-3538 CVE-2014-3587 CVE-2014-3597 CVE-2014-4670 This update corrects a packaging error for the packages released in DSA-3008-1. The new sessionclean script used in the updated cronjob in /etc/cron.d/php5 was not installed into the php5-common package. No other changes are introduced. For reference, the original advisory text follows. Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2014-3538 It was discovered that the original fix for CVE-2013-7345 did not sufficiently address the problem. A remote attacker could still cause a denial of service (CPU consumption) via a specially-crafted input file that triggers backtracking during processing of an awk regular expression rule. CVE-2014-3587 It was discovered that the CDF parser of the fileinfo module does not properly process malformed files in the Composite Document File (CDF) format, leading to crashes. CVE-2014-3597 It was discovered that the original fix for CVE-2014-4049 did not completely address the issue. A malicious server or man-in-the-middle attacker could cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record. CVE-2014-4670 It was discovered that PHP incorrectly handled certain SPL Iterators. A local attacker could use this flaw to cause PHP to crash, resulting in a denial of service. For the stable distribution (wheezy), these problems have been fixed in version 5.4.4-14+deb7u13. In addition, this update contains several bugfixes originally targeted for the upcoming Wheezy point release. For the unstable distribution (sid), these problems will be fied soon. We recommend that you upgrade your php5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJT9eUoAAoJEAVMuPMTQ89EiDoP+wftzu0sf173a/tdX4DjbUNg wgBqIYnDlSlRtfLZLYRZYesXepB5WYsi9yuU4M8lI1Cv79ykORuFHhe8pSXAW736 h4w+U2ex6TF5ary8LPc3f/Fg1idAeEBXToRmpS60FDcu5Q5yF45MNq4pIxR7aMHr xkflLDsW/hnF5izWyrFnA8LyDOHlg4JcTPBjP615E8PQFUtEMrRIFCuT8jqvmo0H D5DXkJ0wqXh2FiWqdFACXZkYrrF2WOTQg0s27Zi296m9/qf6SiWHmOAX0ktX3AjQ Z+uJRoMp4yH8uwDnYLE6JDcgB5aEKOKcVtzrJRoflLahUOVoV8xJtX7Uw9VsLRx3 acZ8raUzU3V71vlTkTUF6A63psJofOqU9NuzDINX5sINGWeLu12E5cCn3YYA8mVn fMiB7qkkY0TMBl71IFgDnvxHOgucyWSGrkYxhLb/ptJM7i5fI2DBUk1VQ5WtxYCd fzygImkh5gLa4GHXqkdg8xXdDvO81ehCpXXI058DoCIBljI4YR4VJUa3HfUle/nH E6f31ZSCI+As49Vqt345J6HhowgBhpNt5C/bGfbQOx7n9aeAPT7hsX44fg4iOHU9 kj57rpBTMTHKm/MKzyoHQCz6rTYS+mAbjCQ/kp6BSDskhE7MWc1bkAvKUqyNrFAa ux5kmj8hP/XRqb8BxAFr =G/yJ - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBU/aVZhLndAQH1ShLAQJzcRAAqybww98ZP18O0uilzPId+8YniKCsGQKZ 5cnZ6g0tPY/j3iARLOjsgKkucVV6RXURxbGrh5IdjcroORgyG9TiVidFAheS+mbY co4jArApPLyUWHZCJcGaePwVfculPM0+EQnTgmMuoTBid0qgqqXoxWqq/1k2BmMq rTExQ+ayCC8WXEGavaYg72LQ5i3mu/aQz+kYXmLTGllb0BklCYIOMV1XVVBsxtQ4 GEVlx0Uiwx4RsSlV6vcSvPcaLQ2zIwBJEDy43sxrsyRxQ1OGmJem9bIeEix9exqu pLxKD0Uku1vwxEtt7E2LUyE17tS9SKhZ3+KNARIWIJ9Dmiay+fkSJgxWhkAnnDox CBKLXdiOomh0atlq0fM03RaPrX9oU1r1hsdvZfEaUD4l4LTMuzJLjzS6F7yOJkpT xsBaCeTCvqCF5j2U0zCr30a0yzphbD5q5bY3k7yyIz47E9P3NsfAbxZmEuD2PFkm pcmz9tSLCy1GwWrsFWVDtH4GScfbmhAO3JsiHDHbnSACVXXSOHaQp0kx++Hznlev DyCL0E+4B94Mm0fUQx4u1/7bE73aWV5Ha8DBsp+UTOCBQCxgW19d4ReBgSIjiWBP 6R4MR2YVmyb+E6ugjDxvaUm/D4W7HSni+7uYmX86b/fyIdNg7USQp79MI1K/Jw2R RfZ+IzqVUMg= =KF0m -----END PGP SIGNATURE-----