Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 201408-11 ] PHP: Multiple vulnerabilities
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Advocate
Advocate


Joined: 12 May 2004
Posts: 2226

PostPosted: Fri Aug 29, 2014 12:26 pm    Post subject: [ GLSA 201408-11 ] PHP: Multiple vulnerabilities Reply with quote

Gentoo Linux Security Advisory

Title: PHP: Multiple vulnerabilities (GLSA 201408-11)
Severity: high
Exploitable: remote
Date: August 29, 2014
Updated: January 02, 2015
Bug(s): #459904, #472204, #472558, #474656, #476570, #481004, #483212, #485252, #492784, #493982, #501312, #503630, #503670, #505172, #505712, #509132, #512288, #512492, #513032, #516994, #519932, #520134, #520438
ID: 201408-11

Synopsis

Multiple vulnerabilities have been discovered in PHP, the worst of
which could lead to remote execution of arbitrary code.


Background

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.


Affected Packages

Package: dev-lang/php
Vulnerable: < 5.5.16
Unaffected: >= 5.5.16
Unaffected: >= 5.4.32 < 5.4.33
Unaffected: >= 5.3.29 < 5.3.30
Unaffected: >= 5.4.34 < 5.4.35
Unaffected: >= 5.4.35 < 5.4.36
Unaffected: >= 5.4.36 < 5.4.37
Unaffected: >= 5.4.37 < 5.4.38
Unaffected: >= 5.4.38 < 5.4.39
Architectures: All supported architectures


Description

Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below for details.


Impact

A context-dependent attacker can cause arbitrary code execution, create
a Denial of Service condition, read or write arbitrary files, impersonate
other servers, hijack a web session, or have other unspecified impact.
Additionally, a local attacker could gain escalated privileges.


Workaround

There is no known workaround at this time.

Resolution

All PHP 5.5 users should upgrade to the latest version:
Code:
# emerge --sync
      # emerge --ask --oneshot --verbose ">=dev-lang/php-5.5.16"
   
All PHP 5.4 users should upgrade to the latest version:
Code:
# emerge --sync
      # emerge --ask --oneshot --verbose ">=dev-lang/php-5.4.32"
   
All PHP 5.3 users should upgrade to the latest version. This release
marks the end of life of the PHP 5.3 series. Future releases of this
series are not planned. All PHP 5.3 users are encouraged to upgrade to
the current stable version of PHP 5.5 or previous stable version of PHP
5.4, which are supported till at least 2016 and 2015 respectively.
Code:
# emerge --sync
      # emerge --ask --oneshot --verbose ">=dev-lang/php-5.3.29"
   


References

CVE-2011-4718
CVE-2013-1635
CVE-2013-1643
CVE-2013-1824
CVE-2013-2110
CVE-2013-3735
CVE-2013-4113
CVE-2013-4248
CVE-2013-4635
CVE-2013-4636
CVE-2013-6420
CVE-2013-6712
CVE-2013-7226
CVE-2013-7327
CVE-2013-7345
CVE-2014-0185
CVE-2014-0237
CVE-2014-0238
CVE-2014-1943
CVE-2014-2270
CVE-2014-2497
CVE-2014-3597
CVE-2014-3981
CVE-2014-4049
CVE-2014-4670
CVE-2014-5120


Last edited by GLSA on Sat Jan 03, 2015 4:32 am; edited 2 times in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum