Security Information / 2014 / Security Information -- DSA-3117-1 php5

Debian Security Advisory

DSA-3117-1 php5 -- security update

Date Reported:

31 Dec 2014

Affected Packages:

php5

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-8142.

More information:

Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.

As announced in DSA 3064-1 it has been decided to follow the stable 5.4.x releases for the Wheezy php5 packages. Consequently the vulnerabilities are addressed by upgrading PHP to a new upstream version 5.4.36, which includes additional bug fixes, new features and possibly incompatible changes. Please refer to the upstream changelog for more information:

http://php.net/ChangeLog-5.php#5.4.36

Two additional patches were applied on top of the imported new upstream version. An out-of-bounds read flaw was fixed which could lead php5-cgi to crash. Moreover a bug with php5-pgsql in combination with PostgreSQL 9.1 was fixed (Debian Bug #773182).

For the stable distribution (wheezy), these problems have been fixed in version 5.4.36-0+deb7u1.

We recommend that you upgrade your php5 packages.