Debian DSA-4080-1 : php7.0 - security update

high Nessus Plugin ID 105663

Language:

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.

VPR Score: 5.9

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities were found in PHP, a widely-used open source general purpose scripting language :

 - CVE-2017-11144 Denial of service in openssl extension due to incorrect return value check of OpenSSL sealing function

 - CVE-2017-11145 Out-of-bounds read in wddx_deserialize()

 - CVE-2017-11628 Buffer overflow in PHP INI parsing API

 - CVE-2017-12932 / CVE-2017-12934 Use-after-frees during unserialisation

 - CVE-2017-12933 Buffer overread in finish_nested_data()

 - CVE-2017-16642 Out-of-bounds read in timelib_meridian()

Solution

Upgrade the php7.0 packages.

For the stable distribution (stretch), these problems have been fixed in version 7.0.27-0+deb9u1.

See Also

https://security-tracker.debian.org/tracker/source-package/php7.0

https://packages.debian.org/source/stretch/php7.0

https://security-tracker.debian.org/tracker/CVE-2017-11144

https://security-tracker.debian.org/tracker/CVE-2017-11145

https://security-tracker.debian.org/tracker/CVE-2017-11628

https://security-tracker.debian.org/tracker/CVE-2017-12933

https://security-tracker.debian.org/tracker/CVE-2017-16642

https://security-tracker.debian.org/tracker/CVE-2017-12932

https://security-tracker.debian.org/tracker/CVE-2017-12934

https://www.debian.org/security/2018/dsa-4080

Plugin Details

Severity: High

ID: 105663

File Name: debian_DSA-4080.nasl

Version: 3.5

Type: local

Agent: unix

Published: 1/9/2018

Updated: 4/5/2019

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 5.9

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*, p-cpe:2.3:a:debian:debian_linux:php7.0:*:*:*:*:*:*:*

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/8/2018

Reference Information

CVE: CVE-2017-16642, CVE-2017-11144, CVE-2017-11145, CVE-2017-11628, CVE-2017-12933, CVE-2017-12932, CVE-2017-12934

DSA: 4080