Debian DSA-3074-1 : php5 - security update

medium Nessus Plugin ID 79339
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote Debian host is missing a security-related update.

Description

Francisco Alonso of Red Hat Product Security found an issue in the file utility, whose code is embedded in PHP, a general-purpose scripting language. When checking ELF files, note headers are incorrectly checked, thus potentially allowing attackers to cause a denial of service (out-of-bounds read and application crash) by supplying a specially crafted ELF file.

As announced in DSA-3064-1 it has been decided to follow the stable 5.4.x releases for the Wheezy php5 packages. Consequently the vulnerability is addressed by upgrading PHP to a new upstream version 5.4.35, which includes additional bug fixes, new features and possibly incompatible changes. Please refer to the upstream changelog for more information :

Solution

Upgrade the php5 packages.

For the stable distribution (wheezy), this problem has been fixed in version 5.4.35-0+deb7u1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768807

https://packages.debian.org/source/wheezy/php5

https://www.debian.org/security/2014/dsa-3074

Plugin Details

Severity: Medium

ID: 79339

File Name: debian_DSA-3074.nasl

Version: 1.8

Type: local

Agent: unix

Published: 11/20/2014

Updated: 1/11/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Temporal Vector: E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:php5, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 11/18/2014

Reference Information

CVE: CVE-2014-3710

BID: 70807

DSA: 3074