-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2014.2166.2
                           php5 security update
                             21 November 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           php5
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3710  

Reference:         ESB-2014.2139
                   ESB-2014.2005

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-3074

Revision History:  November 21 2014: Previous update introduced a regression
                   November 19 2014: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3074-2                   security@debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
November 19, 2014                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : php5

The previous update for php5, DSA-3074-1, introduced a regression in the
sessionclean cron script. The change was intended to fix a potential
symlink attack using filenames including the NULL character (Debian bug
#766147), but depended on a sed package version too recent to be
available in Wheezy.

This update reverts the fix, so people are advised to keep kernel
symlink protection (sysctl fs.protected_symlinks=1) enabled, as it is by
default on Wheezy; this is enough to prevent successful exploitation.
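As an added example (not part of DSA-3074 or of the Debian php5 package), the following shell script does two things a Wheezy administrator would want after reading this advisory: it checks whether fs.protected_symlinks is actually on, and it shows a session cleanup that hands file names straight from find to rm with -exec, so it needs neither sed -z nor any text parsing of names and cannot be desynchronised by odd bytes in a name. The sess_* naming, the directory layout and the demo fixtures are assumptions made for this example, not the package's real sessionclean script.

```shell
#!/bin/sh
# Added example; not from DSA-3074 or the Debian php5 package.
set -eu

# Print the current value of fs.protected_symlinks. The path argument only
# exists so the function can be run against a constructed file; on a real
# host call it with no argument. Empty output means the knob is absent
# (kernel too old) or unreadable.
protected_symlinks_value() {
    cat "${1:-/proc/sys/fs/protected_symlinks}" 2>/dev/null || true
}

# Succeed only when protection is on (value 1). Anything else, including a
# missing knob, counts as unprotected, which is the safe assumption.
symlink_protection_on() {
    [ "$(protected_symlinks_value "${1:-}")" = "1" ]
}

# Remove regular files named sess_* directly under DIR whose mtime is more
# than MAXLIFETIME minutes old. Names travel from find to rm via -exec, so
# a newline or any other odd byte in a name cannot confuse a text pipeline,
# and -type f never matches a symlink, so a link planted in the session
# directory by a local user is not followed. Assumes GNU or BSD find
# (-mindepth/-maxdepth/-mmin are not in POSIX); sess_* is an assumption.
clean_sessions() {
    dir=$1
    maxlifetime=$2
    find "$dir" -mindepth 1 -maxdepth 1 -type f -name 'sess_*' \
        -mmin "+$maxlifetime" -exec rm -f -- {} +
}

# Demo on constructed fixtures (no real session data): one live session,
# two stale ones (one with a newline in its name) and a symlink to a file
# that must survive. Run as: sh this.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf 'keep me' > "$d/target"
    : > "$d/sess_live"
    : > "$d/sess_stale"
    touch -t 201401010000 "$d/sess_stale"
    odd="$d/$(printf 'sess_odd\nname')"
    : > "$odd"
    touch -t 201401010000 "$odd"
    ln -s "$d/target" "$d/sess_link"
    clean_sessions "$d" 1440
    printf 'left behind: '
    ls -m "$d"
    symlink_protection_on && echo 'fs.protected_symlinks=1' \
        || echo 'fs.protected_symlinks is off or absent'
    rm -rf "$d"
fi
```

On a Wheezy host, `symlink_protection_on || echo off` with no argument reads the real sysctl, and `dpkg -l php5` should show 5.4.35-0+deb7u2 once this update is applied. The demo leaves sess_live, sess_link and target in place and removes only the two stale regular files.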

For the stable distribution (wheezy), this problem has been fixed in
version 5.4.35-0+deb7u2.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCgAGBQJUbHXDAAoJEG3bU/KmdcClQksIALHORGkFY4jBHkqu8zhU2jJT
cwsgTfzcjqGOsIHVPTN3vS7ynB9qvFP9miYgFCn87pV2aZo66Nztgsrw6rt6tkBm
vhUg18sxDkc46M/Wtlh5m9tk+2nuEVROlnxQXTuid5ipn79N59uUtVHGyvkVfboc
m2noyg1zFK43g4pDovAQYZDXVd0uwHJwDoQevORZ10BoJj93SowkKcmLgJNolGyQ
UFU8oyE6lrZdkyxmtSHWI4I98FDIL2oSzQEAy3dx33mTCR1HSS5fLOCCo5D8vQSk
CAFXfLeYyK4xVmBds9U4loOj5Ll/g1PRs0yHEUPWwPlEUTVXFlKpMK729j7HOmc=
=uIwr
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3074-1                   security@debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
November 18, 2014                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : php5
CVE ID         : CVE-2014-3710
Debian Bug     : 68283

Francisco Alonso of Red Hat Product Security found an issue in the file
utility, whose code is embedded in PHP, a general-purpose scripting
language.  When checking ELF files, note headers are incorrectly
checked, thus potentially allowing attackers to cause a denial of
service (out-of-bounds read and application crash) by supplying a
specially crafted ELF file.

As announced in DSA-3064-1, it has been decided to follow the stable
5.4.x releases for the Wheezy php5 packages. Consequently the
vulnerability is addressed by upgrading PHP to a new upstream version
5.4.35, which includes additional bug fixes, new features and possibly
incompatible changes. Please refer to the upstream changelog for more
information:

 http://php.net/ChangeLog-5.php#5.4.35

For the stable distribution (wheezy), this problem has been fixed in
version 5.4.35-0+deb7u1.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCgAGBQJUa7XMAAoJEG3bU/KmdcClzHgH/3sZmgwrWGUenVLcg3c8TWE3
uPMWOrUcRmPLzkyWuixKKaU1nijwB3EEYknNqGKqT87lLmZIntWF9FoJXfX6mxrg
UpeSHQTknLPdL8w6gAg2KTFCkua+k8wIOqmW7TSpSHr6LU6Aq6ePkBGzBfEaXWLK
JbL1HE8/SmfQ5+DWbaxz+g9cb5vJRHUUWGbTs2WotdrBlYho9wz4cSlx9khEIt3V
B/NJ3Etvl7UMgS7Tii3h0WW+hksrgrXt8itBj7aNtasnFNf3iySlUoEaxeotIugu
W6chDiuEKYdsq1jDdl0T/GhT2K9UxGIPoTwhvygLbGO20bw1Ux1Ku+r2qSNfryY=
=0CGm
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----