Ubuntu alert USN-2254-2 (php5)
| From: | Marc Deslauriers <marc.deslauriers@canonical.com> | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-2254-2] PHP updates | |
| Date: | Wed, 25 Jun 2014 15:47:30 -0400 | |
| Message-ID: | <53AB2752.2090603@canonical.com> |
========================================================================== Ubuntu Security Notice USN-2254-2 June 25, 2014 php5 updates ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS - Ubuntu 13.10 Summary: An improvement was made for PHP FPM environments. Software Description: - php5: HTML-embedded scripting language interpreter Details: USN-2254-1 fixed vulnerabilities in PHP. The fix for CVE-2014-0185 further restricted the permissions on the PHP FastCGI Process Manager (FPM) UNIX socket. This update grants socket access to the www-data user and group so installations and documentation relying on the previous socket permissions will continue to function. Original advisory details: Christian Hoffmann discovered that the PHP FastCGI Process Manager (FPM) set incorrect permissions on the UNIX socket. A local attacker could use this issue to possibly elevate their privileges. This issue only affected Ubuntu 12.04 LTS, Ubuntu 13.10, and Ubuntu 14.04 LTS. (CVE-2014-0185) Francisco Alonso discovered that the PHP Fileinfo component incorrectly handled certain CDF documents. A remote attacker could use this issue to cause PHP to hang or crash, resulting in a denial of service. (CVE-2014-0237, CVE-2014-0238) Stefan Esser discovered that PHP incorrectly handled DNS TXT records. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-4049) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: php5-fpm 5.5.9+dfsg-1ubuntu4.2 Ubuntu 13.10: php5-fpm 5.5.3+dfsg-1ubuntu2.5 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2254-2 http://www.ubuntu.com/usn/usn-2254-1 https://launchpad.net/bugs/1334337 Package Information: https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubu... https://launchpad.net/ubuntu/+source/php5/5.5.3+dfsg-1ubu... -- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security...