Operating System:

[Debian]

Published:

22 August 2014

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1431
                           php5 security update
                              22 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           php5
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4670 CVE-2014-4049 CVE-2014-3597
                   CVE-2014-3587 CVE-2014-3538 CVE-2013-7345

Reference:         ASB-2014.0083
                   ESB-2014.1429
                   ESB-2014.1331
                   ESB-2014.1327
                   ESB-2014.1032
                   ESB-2014.0991

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-3008

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3008-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
August 21, 2014                        http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : php5
CVE ID         : CVE-2014-3538 CVE-2014-3587 CVE-2014-3597 CVE-2014-4670

Several vulnerabilities were found in PHP, a general-purpose scripting
language commonly used for web application development. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2014-3538

    It was discovered that the original fix for CVE-2013-7345 did not
    sufficiently address the problem. A remote attacker could still
    cause a denial of service (CPU consumption) via a specially-crafted
    input file that triggers backtracking during processing of an awk
    regular expression rule.

CVE-2014-3587

    It was discovered that the CDF parser of the fileinfo module does
    not properly process malformed files in the Composite Document File
    (CDF) format, leading to crashes.

CVE-2014-3597

    It was discovered that the original fix for CVE-2014-4049 did not
    completely address the issue. A malicious server or
    man-in-the-middle attacker could cause a denial of service (crash)
    and possibly execute arbitrary code via a crafted DNS TXT record.

CVE-2014-4670

    It was discovered that PHP incorrectly handled certain SPL
    Iterators. A local attacker could use this flaw to cause PHP to
    crash, resulting in a denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 5.4.4-14+deb7u13. In addition, this update contains several
bugfixes originally targeted for the upcoming Wheezy point release.

For the unstable distribution (sid), these problems will be fied soon.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJT9YtyAAoJEAVMuPMTQ89EHS8P/2xNY3Oj3k311OfPJa43FUsf
PcYr76gEN/FojTw0swNYMKJB8K3Dbypa5QARnOqVICzF0iIeQt00a7kX/ZRzZEZd
rcmvrgcZSIY0ZfscYEy6+AQJaCjVEvihDZL8aVWsNqR/TQQHIXp4urpVEktcLvQU
Wsk5J8sXK3GSKMcIM0CF2y078KUYZYEqCS8xwUhUBYYj7a7jZiZNAiJ43Xz2mc5q
gjuZ7lpUTRy9IYZCqNOYMdtoFeHqJr94pIqoJQVG6MvutyVGGPfYlhanrOSc/Kk/
GELEosuf9ng0YgIiwqC3m9gMYNwMI3ZGlJm4f+9P7AFPNcYVJ/grrGpnZzmzovVS
d11sikhTqjdfIoZ3ZTsjXATTORKxku/naOZoO4b8dx8Li0b8byuwt75MElMoyAfY
WZYzBAArF6vX7GOsGVN8eLLgFCJDWP/8IcgJjV2+fYLRl3NPBhDbvYuzgq+RjHO6
4g6mekc9v2RNug10z/ypPtmL9WMWUeV+B843lpCIo7GKh/tZSwPh/8udMMMW3Ppk
nrWwUFh0S+bSC99Rx39+IhUPD63xqaGDB/K1RoUIb13XT3a8dMm/zfM433Un0JPD
2cNDs+wuSTv9UVjLT8tls1nLAI7qSfhELL2s4RTTHaGJu9sIoNjuMcVzRcoQp0fR
tTcc81EqUmCm/XjEOkjW
=MzKR
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3008-2                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
August 21, 2014                        http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : php5
CVE ID         : CVE-2014-3538 CVE-2014-3587 CVE-2014-3597 CVE-2014-4670

This update corrects a packaging error for the packages released in
DSA-3008-1. The new sessionclean script used in the updated cronjob in
/etc/cron.d/php5 was not installed into the php5-common package. No
other changes are introduced. For reference, the original advisory text
follows.

Several vulnerabilities were found in PHP, a general-purpose scripting
language commonly used for web application development. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2014-3538

    It was discovered that the original fix for CVE-2013-7345 did not
    sufficiently address the problem. A remote attacker could still
    cause a denial of service (CPU consumption) via a specially-crafted
    input file that triggers backtracking during processing of an awk
    regular expression rule.

CVE-2014-3587

    It was discovered that the CDF parser of the fileinfo module does
    not properly process malformed files in the Composite Document File
    (CDF) format, leading to crashes.

CVE-2014-3597

    It was discovered that the original fix for CVE-2014-4049 did not
    completely address the issue. A malicious server or
    man-in-the-middle attacker could cause a denial of service (crash)
    and possibly execute arbitrary code via a crafted DNS TXT record.

CVE-2014-4670

    It was discovered that PHP incorrectly handled certain SPL
    Iterators. A local attacker could use this flaw to cause PHP to
    crash, resulting in a denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 5.4.4-14+deb7u13. In addition, this update contains several
bugfixes originally targeted for the upcoming Wheezy point release.

For the unstable distribution (sid), these problems will be fied soon.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJT9eUoAAoJEAVMuPMTQ89EiDoP+wftzu0sf173a/tdX4DjbUNg
wgBqIYnDlSlRtfLZLYRZYesXepB5WYsi9yuU4M8lI1Cv79ykORuFHhe8pSXAW736
h4w+U2ex6TF5ary8LPc3f/Fg1idAeEBXToRmpS60FDcu5Q5yF45MNq4pIxR7aMHr
xkflLDsW/hnF5izWyrFnA8LyDOHlg4JcTPBjP615E8PQFUtEMrRIFCuT8jqvmo0H
D5DXkJ0wqXh2FiWqdFACXZkYrrF2WOTQg0s27Zi296m9/qf6SiWHmOAX0ktX3AjQ
Z+uJRoMp4yH8uwDnYLE6JDcgB5aEKOKcVtzrJRoflLahUOVoV8xJtX7Uw9VsLRx3
acZ8raUzU3V71vlTkTUF6A63psJofOqU9NuzDINX5sINGWeLu12E5cCn3YYA8mVn
fMiB7qkkY0TMBl71IFgDnvxHOgucyWSGrkYxhLb/ptJM7i5fI2DBUk1VQ5WtxYCd
fzygImkh5gLa4GHXqkdg8xXdDvO81ehCpXXI058DoCIBljI4YR4VJUa3HfUle/nH
E6f31ZSCI+As49Vqt345J6HhowgBhpNt5C/bGfbQOx7n9aeAPT7hsX44fg4iOHU9
kj57rpBTMTHKm/MKzyoHQCz6rTYS+mAbjCQ/kp6BSDskhE7MWc1bkAvKUqyNrFAa
ux5kmj8hP/XRqb8BxAFr
=G/yJ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU/aVZhLndAQH1ShLAQJzcRAAqybww98ZP18O0uilzPId+8YniKCsGQKZ
5cnZ6g0tPY/j3iARLOjsgKkucVV6RXURxbGrh5IdjcroORgyG9TiVidFAheS+mbY
co4jArApPLyUWHZCJcGaePwVfculPM0+EQnTgmMuoTBid0qgqqXoxWqq/1k2BmMq
rTExQ+ayCC8WXEGavaYg72LQ5i3mu/aQz+kYXmLTGllb0BklCYIOMV1XVVBsxtQ4
GEVlx0Uiwx4RsSlV6vcSvPcaLQ2zIwBJEDy43sxrsyRxQ1OGmJem9bIeEix9exqu
pLxKD0Uku1vwxEtt7E2LUyE17tS9SKhZ3+KNARIWIJ9Dmiay+fkSJgxWhkAnnDox
CBKLXdiOomh0atlq0fM03RaPrX9oU1r1hsdvZfEaUD4l4LTMuzJLjzS6F7yOJkpT
xsBaCeTCvqCF5j2U0zCr30a0yzphbD5q5bY3k7yyIz47E9P3NsfAbxZmEuD2PFkm
pcmz9tSLCy1GwWrsFWVDtH4GScfbmhAO3JsiHDHbnSACVXXSOHaQp0kx++Hznlev
DyCL0E+4B94Mm0fUQx4u1/7bE73aWV5Ha8DBsp+UTOCBQCxgW19d4ReBgSIjiWBP
6R4MR2YVmyb+E6ugjDxvaUm/D4W7HSni+7uYmX86b/fyIdNg7USQp79MI1K/Jw2R
RfZ+IzqVUMg=
=KF0m
-----END PGP SIGNATURE-----