ESB-2015.0005 - [Win][UNIX/Linux][Debian] php5: Denial of service - Remote/unauthenticated

Date: 05 January 2015
References: ASB-2015.0015  ESB-2015.1462  ESB-2015.1465  ESB-2016.1572  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0005
                           php5 security update
                              5 January 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           php5
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-8142  

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-3117

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running php5 check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3117-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
December 31, 2014                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : php5
CVE ID         : CVE-2014-8142

Several vulnerabilities were found in PHP, a general-purpose scripting
language commonly used for web application development.

As announced in DSA 3064-1, it has been decided to follow the stable
5.4.x releases for the Wheezy php5 packages. Consequently, the
vulnerabilities are addressed by upgrading PHP to a new upstream version,
5.4.36, which includes additional bug fixes, new features and possibly
incompatible changes. Please refer to the upstream changelog for more
information:

 http://php.net/ChangeLog-5.php#5.4.36

Two additional patches were applied on top of the imported new upstream
version. An out-of-bounds read flaw was fixed which could cause php5-cgi
to crash. Moreover, a bug in php5-pgsql in combination with PostgreSQL
9.1 was fixed (Debian Bug #773182).

For the stable distribution (wheezy), these problems have been fixed in
version 5.4.36-0+deb7u1.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- --------------------------END INCLUDED TEXT--------------------
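To check a Wheezy host against the fixed version the DSA names (5.4.36-0+deb7u1), the following added example, which is not part of the Debian advisory or the AusCERT bulletin, ports dpkg's version-comparison rules (epoch, upstream version, Debian revision, with `~` sorting before everything) to Python and flags php5 packages whose installed version still sorts below the fix; the dpkg-query output it parses is a constructed sample, not data from the advisory.

```python
FIXED_VERSION = "5.4.36-0+deb7u1"  # added example; fixed version named in DSA-3117-1
# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n' 'php5*'` output (not from the advisory).
SAMPLE_DPKG_QUERY = "php5 5.4.35-0+deb7u2\nphp5-cgi 5.4.35-0+deb7u2\nphp5-pgsql 5.4.36-0+deb7u1\n"

def _order(c):
    # dpkg ordering inside a non-digit run: '~' < end-of-string/digit < letters < others
    if c == "~":
        return -1
    return 0 if c == "" or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs.
    ch = lambda s, k: s[k] if k < len(s) else ""
    i = j = 0
    while ch(a, i) or ch(b, j):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            if _order(ch(a, i)) != _order(ch(b, j)):
                return _order(ch(a, i)) - _order(ch(b, j))
            i, j = i + 1, j + 1
        while ch(a, i) == "0":  # leading zeros are insignificant
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if ch(a, i).isdigit():  # the longer numeric run is the larger number
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(a, b):  # -1/0/1, ordering a against b as `dpkg --compare-versions` does
    def split(v):  # -> (epoch, upstream, debian_revision)
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    for x, y in zip(split(a), split(b)):
        r = (x > y) - (x < y) if isinstance(x, int) else _verrevcmp(x, y)
        if r:
            return (r > 0) - (r < 0)
    return 0

def vulnerable_packages(dpkg_output, fixed=FIXED_VERSION):
    """(package, version) pairs from `dpkg-query -W -f '${Package} ${Version}\n'` output still below fixed."""
    rows = (line.split(" ", 1) for line in dpkg_output.splitlines() if line.strip())
    return [(name, ver) for name, ver in rows if compare_versions(ver, fixed) < 0]
```

On the host itself, `dpkg --compare-versions "$installed" lt 5.4.36-0+deb7u1` gives the same answer without any code; the port is for checking inventory exports off-box.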

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================