|
|
Log in / Subscribe / Register

Debian-LTS alert DLA-749-1 (php5)



From:
    	      Thorsten Alteholz <debian@alteholz.de> 


To:
    	      debian-lts-announce@lists.debian.org 


Subject:
    	      [SECURITY] [DLA 749-1] php5 security update 


Date:
    	      Fri, 16 Dec 2016 22:48:18 +0100 (CET)


Message-ID:
    	      <alpine.DEB.2.02.1612162245530.807@jupiter.server.alteholz.net>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : php5
Version        : 5.4.45-0+deb7u6
CVE ID         : CVE-2016-5385 CVE-2016-7124 CVE-2016-7128 CVE-2016-7129
                  CVE-2016-7130 CVE-2016-7131 CVE-2016-7132 CVE-2016-7411
                  CVE-2016-7412 CVE-2016-7413 CVE-2016-7414 CVE-2016-7416
                  CVE-2016-7417 CVE-2016-7418


CVE-2016-5385
      PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18
      namespace conflicts and therefore does not protect applications from
      the presence of untrusted client data in the HTTP_PROXY environment
      variable, which might allow remote attackers to redirect an application's
      outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy
      header in an HTTP request, as demonstrated by (1) an application that
      makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP,
      aka an "httpoxy" issue.

CVE-2016-7124
      ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10
      mishandles certain invalid objects, which allows remote attackers to cause
      a denial of service or possibly have unspecified other impact via crafted
      serialized data that leads to a (1) __destruct call or (2) magic method
      call.

CVE-2016-7128
      The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before
      5.6.25 and 7.x before 7.0.10 mishandles the case of a thumbnail offset
      that exceeds the file size, which allows remote attackers to obtain
      sensitive information from process memory via a crafted TIFF image.

CVE-2016-7129
      The php_wddx_process_data function in ext/wddx/wddx.c in PHP before
      5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial
      of service (segmentation fault) or possibly have unspecified other
      impact via an invalid ISO 8601 time value, as demonstrated by
      a wddx_deserialize call that mishandles a dateTime element in
      a wddxPacket XML document.

CVE-2016-7130
      The php_wddx_pop_element function in ext/wddx/wddx.c in PHP before
      5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a
      denial of service (NULL pointer dereference and application crash)
      or possibly have unspecified other impact via an invalid base64
      binary value, as demonstrated by a wddx_deserialize call that
      mishandles a binary element in a wddxPacket XML document.

CVE-2016-7131
      ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows
      remote attackers to cause a denial of service (NULL pointer
      dereference and application crash) or possibly have unspecified
      other impact via a malformed wddxPacket XML document that is
      mishandled in a wddx_deserialize call, as demonstrated by a tag
      that lacks a < (less than) character.

CVE-2016-7132
      ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows
      remote attackers to cause a denial of service (NULL pointer
      dereference and application crash) or possibly have unspecified
      other impact via an invalid wddxPacket XML document that is
      mishandled in a wddx_deserialize call, as demonstrated by
      a stray element inside a boolean element, leading to incorrect
      pop processing.

CVE-2016-7411
      ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles
      object-deserialization failures, which allows remote attackers
      to cause a denial of service (memory corruption) or possibly
      have unspecified other impact via an unserialize call that
      references a partially constructed object.

CVE-2016-7412
      ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x
      before 7.0.11 does not verify that a BIT field has the
      UNSIGNED_FLAG flag, which allows remote MySQL servers to cause
      a denial of service (heap-based buffer overflow) or possibly
      have unspecified other impact via crafted field metadata.

CVE-2016-7413
      Use-after-free vulnerability in the wddx_stack_destroy function in
      ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows
      remote attackers to cause a denial of service or possibly have
      unspecified other impact via a wddxPacket XML document that lacks
      an end-tag for a recordset field element, leading to mishandling
      in a wddx_deserialize call.

CVE-2016-7414
      The ZIP signature-verification feature in PHP before 5.6.26 and 7.x
      before 7.0.11 does not ensure that the uncompressed_filesize field
      is large enough, which allows remote attackers to cause a denial of
      service (out-of-bounds memory access) or possibly have unspecified
      other impact via a crafted PHAR archive, related to ext/phar/util.c
      and ext/phar/zip.c.

CVE-2016-7416
      ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x
      before 7.0.11 does not properly restrict the locale length provided
      to the Locale class in the ICU library, which allows remote attackers
      to cause a denial of service (application crash) or possibly have
      unspecified other impact via a MessageFormatter::formatMessage call
      with a long first argument.

CVE-2016-7417
      ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11
      proceeds with SplArray unserialization without validating a
      return value and data type, which allows remote attackers to
      cause a denial of service or possibly have unspecified other
      impact via crafted serialized data.

CVE-2016-7418
      The php_wddx_push_element function in ext/wddx/wddx.c in PHP before
      5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a
      denial of service (invalid pointer access and out-of-bounds read)
      or possibly have unspecified other impact via an incorrect boolean
      element in a wddxPacket XML document, leading to mishandling in
      a wddx_deserialize call.


For Debian 7 "Wheezy", these problems have been fixed in version
5.4.45-0+deb7u6.

We recommend that you upgrade your php5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJYVGEiXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHopQQAKvHW9KWyxPYmMVxXL84K+pK
8l7UD9hSQXnjjIwJC+qSxc+00ryOWoV6mv30b6YM4hOQKVB1NU4ihNxasIeGCHaP
NrOqj4vBpY9/ign84u04Thtih8gdF078kw9VXFm2Cinh5VDlgrnb7fK0Lldt8Rvv
5xNcq6v/VIE3SIwPytxPHlMHWol3YZxPmcHZYWc2Kg7KOjzfCaWULjldp8ADqGRr
gOX9BFazOumU+nqwWoY+O8HB1o1S2tW8p4SWNxV8C9fZG2O+Z89WDau7yIuyUsEd
vRy67RauZM/7gVsronCqnwICaz5l98mfb1bm+gUjU09zf9TJxNXFD+mdqBuyrgz7
Ug2eL0LKf4HLqhKkOA2dl8k0E1qVKPl/sDJCUdeaCyBEEScr3m1thqpE37gCk8Ef
AldUDKry5Tz3TN0GJ75jQ1CrUdjdzzWzZHjSfDysk7g/1MQoEf03YyXW/ZyoVYoX
D/+twHdCmVGbKAiAC7C0T2hufYhRy1Plq1cWa3Mu/unRWjkau81hdSMa+50YBLIj
7HRUb0qWPK4aiAyNUsZf1nqcNAqeOOrLsjab8SdzrUjE2DjWU7ofhbFkbwwPc3+U
e1J9gcm+V8a84ianIv4miluJ+e2cfmDn9r0Q4whpKf8bwLFObNIKKxnxpS3OBUeM
TqhV7XE/MgbIRiYHVGUl
=EXBV
-----END PGP SIGNATURE-----
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds