-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1820
                           php5 security update
                               27 July 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           php5
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-6297 CVE-2016-6296 CVE-2016-6295
                   CVE-2016-6294 CVE-2016-6292 CVE-2016-6291
                   CVE-2016-6290 CVE-2016-6289 CVE-2016-5399
                   CVE-2016-5385  

Reference:         ESB-2016.1782
                   ESB-2016.1764

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3631

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3631-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 26, 2016                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : php5
CVE ID         : CVE-2016-5385 CVE-2016-5399 CVE-2016-6289 CVE-2016-6290 
                 CVE-2016-6291 CVE-2016-6292 CVE-2016-6294 CVE-2016-6295
                 CVE-2016-6296 CVE-2016-6297

Several vulnerabilities were found in PHP, a general-purpose scripting
language commonly used for web application development.

The vulnerabilities are addressed by upgrading PHP to the new upstream
version 5.6.24, which includes additional bug fixes. Please refer to the
upstream changelog for more information:

https://php.net/ChangeLog-5.php#5.6.24

For the stable distribution (jessie), these problems have been fixed in
version 5.6.24+dfsg-0+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 7.0.9-1 of the php7.0 source package.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
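
A check against the fixed jessie version stated above, as an added example that is not part of the Debian advisory or the AusCERT bulletin: it implements Debian's package version ordering and flags php5 packages older than 5.6.24+dfsg-0+deb8u1. The inventory is constructed sample data in `dpkg-query -W` output format, and selecting packages by the substring "php5" is an assumption.

```python
import re
from itertools import zip_longest

FIXED = "5.6.24+dfsg-0+deb8u1"  # jessie fix version stated in DSA-3631-1

def _weight(ch):
    # dpkg ordering: '~' < end of string < letters < other symbols.
    if ch in ("", "~"):
        return -1 if ch == "~" else 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit / digit runs: text by weight, digits as numbers.
    runs_a = re.findall(r"([^0-9]*)([0-9]*)", a)
    runs_b = re.findall(r"([^0-9]*)([0-9]*)", b)
    for (sa, na), (sb, nb) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _weight(ca) != _weight(cb):
                return -1 if _weight(ca) < _weight(cb) else 1
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; epoch defaults to 0, revision to empty.
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(dpkg_lines, fixed=FIXED):
    # Return (package, version) pairs for php5 packages older than the fix.
    rows = (line.partition("\t") for line in dpkg_lines.splitlines())
    return [(n, v) for n, _, v in rows if "php5" in n and v and compare(v, fixed) < 0]

# Constructed sample in `dpkg-query -W` output format (name<TAB>version).
SAMPLE = "\n".join([
    "php5-common\t5.6.9+dfsg-0+deb8u1",
    "php5-cli\t5.6.23+dfsg-0+deb8u1",
    "libapache2-mod-php5\t5.6.24+dfsg-0+deb8u1",
    "php5-fpm\t5.6.24+dfsg-0+deb8u1~test1",
    "example-pkg\t1.0-1",
])
```

Plain string comparison would rank 5.6.9 above 5.6.24 and miss the first package; the numeric run comparison and the `~` rule are what make the result match dpkg's ordering.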

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----