-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2015.0698.2
                           php5 security update
                               30 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           php5
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-2331 CVE-2015-2301 

Original Bulletin: 
   http://www.debian.org/security/2015/dsa-3198

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running php5 check for an updated version of the software for their
         operating system.

Revision History:  March 30 2015: The previous update for php5, DSA-3198-1, 
                   introduced a regression causing segmentation faults
                   March 23 2015: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3198-2                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
March 28, 2015                         http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : php5
Debian Bug     : 781125

The previous update for php5, DSA-3198-1, introduced a regression
causing segmentation faults when using SoapClient::__setSoapHeader.
Updated packages are now available to address this regression. For
reference, the original advisory text follows.

Multiple vulnerabilities have been discovered in the PHP language:

CVE-2015-2301

    Use-after-free in the phar extension.

CVE-2015-2331

    Emmanuel Law discovered an integer overflow in the processing
    of ZIP archives, resulting in denial of service or potentially
    the execution of arbitrary code.

For the stable distribution (wheezy), these problems have been fixed in
version 5.4.39-0+deb7u2.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
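Practitioners checking fleets for this advisory need a version comparison that
understands Debian ordering (the "+deb7u2" revision, epochs, "~" pre-release
suffixes), not a plain string compare. The script below is an added example,
written for this bulletin and not code from Debian or AusCERT. It reimplements
the dpkg version-ordering rules in Python so it can run off-box on collected
version strings, then classifies a php5 version as still vulnerable to
CVE-2015-2301/CVE-2015-2331, patched by DSA-3198-1 but carrying its SoapClient
regression, or fixed by DSA-3198-2. The fixed version 5.4.39-0+deb7u2 is taken
from the advisory; the assumption that DSA-3198-1 shipped 5.4.39-0+deb7u1, and
the function names, are the example's own.

```python
"""Classify a wheezy php5 version against DSA-3198-1/-2 (added example).

Reimplements dpkg's version ordering: [epoch:]upstream[-revision], with
'~' sorting before everything (even end of string), letters before
non-letters, and digit runs compared numerically.
"""
import string
import sys

FIXED_VERSION = "5.4.39-0+deb7u2"      # stated in DSA-3198-2
REGRESSED_VERSION = "5.4.39-0+deb7u1"  # assumption: the build shipped by DSA-3198-1


def _is_digit(c):
    return c in string.digits


def _order(c):
    """Sort weight of one character, following dpkg's order()."""
    if c == "" or _is_digit(c):
        return 0
    if c == "~":
        return -1                       # '~' sorts before the empty string
    if c.isascii() and c.isalpha():
        return ord(c)                   # letters sort before non-letters ...
    return ord(c) + 256                 # ... which are pushed above the ASCII range


def _verrevcmp(a, b):
    """Compare two upstream or revision strings; negative, 0 or positive."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # 1. compare the leading non-digit runs character by character
        while (i < len(a) and not _is_digit(a[i])) or (j < len(b) and not _is_digit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # 2. compare the leading digit runs numerically (leading zeros dropped)
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _is_digit(a[i]) and j < len(b) and _is_digit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _is_digit(a[i]):
            return 1                    # a's number has more digits, so it is larger
        if j < len(b) and _is_digit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""      # a missing revision compares equal to "0"
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, like `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def php5_status(installed):
    """Classify an installed wheezy php5 version against DSA-3198-1/-2."""
    if compare_versions(installed, REGRESSED_VERSION) < 0:
        return "vulnerable"             # CVE-2015-2301 / CVE-2015-2331 unpatched
    if compare_versions(installed, FIXED_VERSION) < 0:
        return "patched-but-regressed"  # has DSA-3198-1, lacks the SoapClient fix
    return "fixed"


if __name__ == "__main__":
    # Pass the output of:  dpkg-query -W -f='${Version}\n' php5
    # The defaults below are constructed sample inputs.
    for v in sys.argv[1:] or ["5.4.36-0+deb7u3", "5.4.39-0+deb7u1", "5.4.39-0+deb7u2"]:
        print(f"{v:20} {php5_status(v)}")
```

On a Debian host with dpkg available, `dpkg --compare-versions` gives the same
ordering; the point of carrying the rules in the script is that version strings
gathered from many hosts can be checked centrally. Note that a version below
5.4.39-0+deb7u1 is reported as vulnerable only with respect to this advisory,
not to any later DSA.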

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----