ESB-2017.1989.2 - UPDATE [Ubuntu] php5 and php7.0: Multiple vulnerabilities 2017-12-19

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2017.1989.2
                            PHP vulnerabilities
                             19 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           php5
                   php7.0
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account      
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-11628 CVE-2017-11362 CVE-2017-11147
                   CVE-2017-11145 CVE-2017-11144 CVE-2017-11143
                   CVE-2017-9229 CVE-2017-9228 CVE-2017-9227
                   CVE-2017-9226 CVE-2017-9224 CVE-2016-10397
                   CVE-2015-8994  

Original Bulletin: 
   http://www.ubuntu.com/usn/usn-3382-1
   http://www.ubuntu.com/usn/usn-3382-2

Comment: This bulletin contains two (2) Ubuntu security advisories.
         
         This advisory references vulnerabilities in products which run on 
         platforms other than Ubuntu. It is recommended that administrators 
         running php5 or php7.0 check for an updated version of the software
         for their operating system.

Revision History:  December 19 2017: Vendor patched additional versions
                   August   11 2017: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

==========================================================================
Ubuntu Security Notice USN-3382-1
August 10, 2017

php5, php7.0 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- - Ubuntu 17.04
- - Ubuntu 16.04 LTS
- - Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:
- - php7.0: HTML-embedded scripting language interpreter
- - php5: HTML-embedded scripting language interpreter

Details:

It was discovered that the PHP opcache created keys for files it cached
based on their filepath. A local attacker could possibly use this issue in
a shared hosting environment to obtain sensitive information. This issue
only affected Ubuntu 14.04 LTS. (CVE-2015-8994)

It was discovered that the PHP URL parser incorrectly handled certain URI
components. A remote attacker could possibly use this issue to bypass
hostname-specific URL checks. This issue only affected Ubuntu 14.04 LTS.
(CVE-2016-10397)

It was discovered that PHP incorrectly handled certain boolean parameters
when unserializing data. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. This issue only
affected Ubuntu 14.04 LTS. (CVE-2017-11143)

Sebastian Li, Wei Lei, Xie Xiaofei, and Liu Yang discovered that PHP
incorrectly handled the OpenSSL sealing function. A remote attacker could
possibly use this issue to cause PHP to crash, resulting in a denial of
service. (CVE-2017-11144)

Wei Lei and Liu Yang discovered that the PHP date extension incorrectly
handled memory. A remote attacker could possibly use this issue to disclose
sensitive information from the server. (CVE-2017-11145)

It was discovered that PHP incorrectly handled certain PHAR archives. A
remote attacker could use this issue to cause PHP to crash or disclose
sensitive information. This issue only affected Ubuntu 14.04 LTS.
(CVE-2017-11147)

It was discovered that PHP incorrectly handled locale length. A remote
attacker could possibly use this issue to cause PHP to crash, resulting in
a denial of service. (CVE-2017-11362)

Wei Lei and Liu Yang discovered that PHP incorrectly handled parsing ini
files. An attacker could possibly use this issue to cause PHP to crash,
resulting in a denial of service. (CVE-2017-11628)

It was discovered that PHP mbstring incorrectly handled certain regular
expressions. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
  libapache2-mod-php7.0           7.0.22-0ubuntu0.17.04.1
  php7.0-cgi                      7.0.22-0ubuntu0.17.04.1
  php7.0-cli                      7.0.22-0ubuntu0.17.04.1
  php7.0-fpm                      7.0.22-0ubuntu0.17.04.1

Ubuntu 16.04 LTS:
  libapache2-mod-php7.0           7.0.22-0ubuntu0.16.04.1
  php7.0-cgi                      7.0.22-0ubuntu0.16.04.1
  php7.0-cli                      7.0.22-0ubuntu0.16.04.1
  php7.0-fpm                      7.0.22-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  libapache2-mod-php5             5.5.9+dfsg-1ubuntu4.22
  php5-cgi                        5.5.9+dfsg-1ubuntu4.22
  php5-cli                        5.5.9+dfsg-1ubuntu4.22
  php5-fpm                        5.5.9+dfsg-1ubuntu4.22

In Ubuntu 16.04 LTS and Ubuntu 17.04, this update uses a new upstream
release, which includes additional bug fixes.

In general, a standard system update will make all the necessary changes.

References:
  https://www.ubuntu.com/usn/usn-3382-1
  CVE-2015-8994, CVE-2016-10397, CVE-2017-11143, CVE-2017-11144,
  CVE-2017-11145, CVE-2017-11147, CVE-2017-11362, CVE-2017-11628,
  CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228,
  CVE-2017-9229

Package Information:
  https://launchpad.net/ubuntu/+source/php7.0/7.0.22-0ubuntu0.17.04.1
  https://launchpad.net/ubuntu/+source/php7.0/7.0.22-0ubuntu0.16.04.1
  https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.22



==========================================================================
Ubuntu Security Notice USN-3382-2
December 18, 2017

php5 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- - Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in PHP.

Software Description:
- - php5: HTML-embedded scripting language interpreter

Details:

USN-3382-1 fixed several vulnerabilities in PHP. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

 It was discovered that the PHP URL parser incorrectly handled certain
 URI components. A remote attacker could possibly use this issue to
 bypass hostname-specific URL checks. (CVE-2016-10397)

 It was discovered that PHP incorrectly handled certain boolean
 parameters when unserializing data. A remote attacker could possibly
 use this issue to cause PHP to crash, resulting in a denial of
 service. (CVE-2017-11143)

 Sebastian Li, Wei Lei, Xie Xiaofei, and Liu Yang discovered that PHP
 incorrectly handled the OpenSSL sealing function. A remote attacker
 could possibly use this issue to cause PHP to crash, resulting in a
 denial of service. (CVE-2017-11144)

 Wei Lei and Liu Yang discovered that the PHP date extension
 incorrectly handled memory. A remote attacker could possibly use this
 issue to disclose sensitive information from the server. 
 (CVE-2017-11145)

 It was discovered that PHP incorrectly handled certain PHAR archives.
 A remote attacker could use this issue to cause PHP to crash or
 disclose sensitive information. This issue only affected Ubuntu 14.04
 LTS. (CVE-2017-11147)

 Wei Lei and Liu Yang discovered that PHP incorrectly handled parsing
 ini files. An attacker could possibly use this issue to cause PHP to
 crash, resulting in a denial of service. (CVE-2017-11628)

 It was discovered that PHP mbstring incorrectly handled certain
 regular expressions. A remote attacker could use this issue to cause
 PHP to crash, resulting in a denial of service, or possibly execute
 arbitrary code. (CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-
 2017-9228, CVE-2017-9229)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  libapache2-mod-php5                          5.3.10-1ubuntu3.28
  php5                                         5.3.10-1ubuntu3.28
  php5-cgi                                     5.3.10-1ubuntu3.28
  php5-cli                                     5.3.10-1ubuntu3.28
  php5-fpm                                     5.3.10-1ubuntu3.28

In general, a standard system update will make all the necessary
changes.

References:
  https://www.ubuntu.com/usn/usn-3382-2
  https://www.ubuntu.com/usn/usn-3382-1
  CVE-2016-10397, CVE-2017-11143, CVE-2017-11144, CVE-2017-11145,
  CVE-2017-11147, CVE-2017-11628, CVE-2017-9224, CVE-2017-9226,
  CVE-2017-9227, CVE-2017-9228, CVE-2017-9229

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWjiH7Ix+lLeg9Ub1AQiQtA/9Hf66ngWI0PuNdv5eOPl+d6qZjQ6lw3tc
Bs4HXzND03DqzlLc9UdMUNhrOaul1GKxu5r56VP/S7UJOjLzobe8dZkKZSxdvuKC
1ePSrNML5TIE7dUhYp5E+c/3eb1tEwH/qW70OWFA5sRBN0DkTrbSlWYISnTLIQLy
7peOWHSIOLDWepYwtxwIkGKcGKtLNNUTDTPE19r6baPlz6sBs1wEYlb77v9vOENA
vBOOvyyE6FrpZRWi/gI6iyHCmaiMlW8c1tnjB3rcN79WwQtHNRzFFn9WwaVo1Loe
H+rm6E+ddMF4Cp3MtXpWQSQ59gqAsQN/pOlDVlvEXDvkQHqA7pI+X4DOMk/H59w4
3gyK+jVNroM3vwsQqhKgzZJ8P71OQnUptn6KMMklwP2xZN0YgqdbqcZZ5P2K7OBU
zqYRKo1dpPHFVIf0nIxZsxX4l8HRNzvGBcYsfU6nWYhLTHOlWTTK7Amy6sV6YKVe
CNx3RDYIrnWBvDWIqb8tZC4qTkO+Sjz9kyD2E41JzmEYsf6FSlT6KWPfgJYLD3M1
IcTh9O9IdXG1H8ioOBMp79+CSjSkTkmaf/23jJPLt0CDRsW1vdDmdHTnyK7UxNrj
LWz+lAi8JwVquegiKffS9E41UOdC9D6KdaBNPBFVulhmEzSXfjPlIlel/eRMCVKh
JZq9jcwFGpw=
=MrXM
-----END PGP SIGNATURE-----

« Back to bulletins