Debian DLA-1034-1 : php5 security update
Medium Nessus Plugin ID 101908
SynopsisThe remote Debian host is missing a security update.
DescriptionSeveral issues have been discovered in PHP (recursive acronym for PHP:
Hypertext Preprocessor), a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.
CVE-2016-10397 Incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks.
CVE-2017-11143 An invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter.
CVE-2017-11144 The openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter.
CVE-2017-11145 Lack of a bounds check in the date extension's timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter.
CVE-2017-11147 The PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.
For Debian 7 'Wheezy', these problems have been fixed in version 5.4.45-0+deb7u9.
We recommend that you upgrade your php5 packages.
NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
SolutionUpgrade the affected packages.