Detections
Analytics

MiracleLinux 4 : php-5.3.3-27.AXS4.2 (AXSA:2014-571:03)

medium Nessus Plugin ID 291513

Synopsis

The remote MiracleLinux host is missing one or more security updates.

Description

The remote MiracleLinux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2014-571:03 advisory.

 Description :
 PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated webpages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts.
 The php package contains the module which adds support for the PHP language to Apache HTTP Server.
 Security issues fixed with this release:
 CVE-2014-2497 The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file.
 CVE-2014-3587 Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571.
 CVE-2014-3597 Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow remote DNS servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted DNS record, related to the dns_get_record function and the dn_expand function. NOTE: this issue exists because of an incomplete fix for CVE-2014-4049.
 CVE-2014-4670 Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments.
 CVE-2014-4698 Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://tsn.miraclelinux.com/en/node/5027

Plugin Details

Severity: Medium

ID: 291513

File Name: miracle_linux_AXSA-2014-571.nasl

Version: 1.1

Type: local

Published: 1/19/2026

Updated: 1/19/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2014-3597

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2014-2497

Vulnerability Information

CPE: p-cpe:/a:miracle:linux:php-odbc, p-cpe:/a:miracle:linux:php-pdo, p-cpe:/a:miracle:linux:php-pgsql, p-cpe:/a:miracle:linux:php-bcmath, p-cpe:/a:miracle:linux:php-soap, p-cpe:/a:miracle:linux:php-xml, p-cpe:/a:miracle:linux:php-mysql, p-cpe:/a:miracle:linux:php, p-cpe:/a:miracle:linux:php-common, p-cpe:/a:miracle:linux:php-xmlrpc, cpe:/o:miracle:linux:4, p-cpe:/a:miracle:linux:php-mbstring, p-cpe:/a:miracle:linux:php-ldap, p-cpe:/a:miracle:linux:php-cli, p-cpe:/a:miracle:linux:php-gd

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/MiracleLinux/release, Host/MiracleLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/1/2014

Vulnerability Publication Date: 3/13/2014

Reference Information

CVE: CVE-2014-2497, CVE-2014-3587, CVE-2014-3597, CVE-2014-4670, CVE-2014-4698