===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2018.0091
php7.0 security update
9 January 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           php7.0
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-16642 CVE-2017-12934 CVE-2017-12933
                   CVE-2017-12932 CVE-2017-11628 CVE-2017-11145
                   CVE-2017-11144
Reference:         ESB-2017.2174
Original Bulletin: http://www.debian.org/security/2018/dsa-4080

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4080-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 08, 2018                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : php7.0
CVE ID         : CVE-2017-11144 CVE-2017-11145 CVE-2017-11628 CVE-2017-12932
                 CVE-2017-12933 CVE-2017-12934 CVE-2017-16642

Several vulnerabilities were found in PHP, a widely-used open source
general purpose scripting language:

CVE-2017-11144

    Denial of service in openssl extension due to incorrect return value
    check of OpenSSL sealing function

CVE-2017-11145

    Out-of-bounds read in wddx_deserialize()

CVE-2017-11628

    Buffer overflow in PHP INI parsing API

CVE-2017-12932 / CVE-2017-12934

    Use-after-frees during unserialisation

CVE-2017-12933

    Buffer overread in finish_nested_data()

CVE-2017-16642

    Out-of-bounds read in timelib_meridian()

For the stable distribution (stretch), these problems have been fixed in
version 7.0.27-0+deb9u1.

We recommend that you upgrade your php7.0 packages.

For the detailed security status of php7.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================