Security Information / 2014 / Security Information -- DSA-2943-1 php5

Debian Security Advisory

DSA-2943-1 php5 -- security update

Date Reported:

01 Jun 2014

Affected Packages:

php5

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-0185, CVE-2014-0237, CVE-2014-0238, CVE-2014-2270.

More information:

Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development:

• CVE-2014-0185

  The default PHP FPM socket permission has been changed from 0666 to 0660 to mitigate a security vulnerability (CVE-2014-0185) in PHP FPM that allowed any local user to run a PHP code under the active user of FPM process via crafted FastCGI client.

  The default Debian setup now correctly sets the listen.owner and listen.group to www-data:www-data in default php-fpm.conf. If you have more FPM instances or a webserver not running under www-data user you need to adjust the configuration of FPM pools in /etc/php5/fpm/pool.d/ so the accessing process has rights to access the socket.

• CVE-2014-0237 / CVE-2014-0238

  Denial of service in the CDF parser of the fileinfo module.

• CVE-2014-2270

  Denial of service in the fileinfo module.

For the stable distribution (wheezy), these problems have been fixed in version 5.4.4-14+deb7u10.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your php5 packages.