[gentoo-announce] [ GLSA 201503-03 ] PHP: Multiple vulnerabilities - gentoo-announce

From:	Kristian Fiskerstrand <k_f@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 201503-03 ] PHP: Multiple vulnerabilities
Date:	Sun, 08 Mar 2015 14:33:23
Message-Id:	`54FC5A58.4070102@gentoo.org`

1

-----BEGIN PGP SIGNED MESSAGE-----

2

Hash: SHA512

3

4

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

5

Gentoo Linux Security Advisory                           GLSA 201503-03

6

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

7

                                            http://security.gentoo.org/

8

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

9

10

 Severity: Normal

11

    Title: PHP: Multiple vulnerabilities

12

     Date: March 08, 2015

13

     Bugs: #530820, #532914, #533998

14

       ID: 201503-03

15

16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

17

18

Synopsis

19

========

20

21

Multiple vulnerabilities have been discovered in PHP, the worst of

22

which could lead to remote execution of arbitrary code.

23

24

Background

25

==========

26

27

PHP is a widely-used general-purpose scripting language that is

28

especially suited for Web development and can be embedded into HTML.

29

30

Affected packages

31

=================

32

33

    -------------------------------------------------------------------

34

     Package              /     Vulnerable     /            Unaffected

35

    -------------------------------------------------------------------

36

  1  dev-lang/php                 < 5.5.21                  >= 5.5.21

37

                                                           *>= 5.4.37

38

                                                           *>= 5.4.38

39

                                                           *>= 5.4.39

40

41

Description

42

===========

43

44

Multiple vulnerabilities have been discovered in PHP. Please review the

45

CVE identifiers referenced below for details.

46

47

Impact

48

======

49

50

A remote attacker can leverage these vulnerabilities to execute

51

arbitrary code or cause Denial of Service.

52

53

Workaround

54

==========

55

56

There is no known workaround at this time.

57

58

Resolution

59

==========

60

61

All PHP 5.5 users should upgrade to the latest version:

62

63

  # emerge --sync

64

  # emerge --ask --oneshot --verbose ">=dev-lang/php-5.5.21"

65

66

All PHP 5.4 users should upgrade to the latest version:

67

68

  # emerge --sync

69

  # emerge --ask --oneshot --verbose ">=dev-lang/php-5.4.37"

70

71

All PHP 5.3 users should upgrade to the latest version. This branch is

72

currently past the end of life and it will no longer receive security

73

fixes. All PHP 5.3 users are strongly recommended to upgrade to the

74

current stable version of PHP 5.5 or previous stable version of PHP

75

5.4, which are supported till at least 2016 and 2015 respectively.

76

77

References

78

==========

79

80

[ 1 ] CVE-2014-3710

81

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3710

82

[ 2 ] CVE-2014-8142

83

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8142

84

[ 3 ] CVE-2014-9425

85

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9425

86

[ 4 ] CVE-2014-9427

87

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9427

88

[ 5 ] CVE-2015-0231

89

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0231

90

[ 6 ] CVE-2015-0232

91

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0232

92

93

Availability

94

============

95

96

This GLSA and any updates to it are available for viewing at

97

the Gentoo Security Website:

98

99

 http://security.gentoo.org/glsa/glsa-201503-03.xml

100

101

Concerns?

102

=========

103

104

Security is a primary focus of Gentoo Linux and ensuring the

105

confidentiality and security of our users' machines is of utmost

106

importance to us. Any security concerns should be addressed to

107

security@g.o or alternatively, you may file a bug at

108

https://bugs.gentoo.org.

109

110

License

111

=======

112

113

Copyright 2015 Gentoo Foundation, Inc; referenced text

114

belongs to its owner(s).

115

116

The contents of this document are licensed under the

117

Creative Commons - Attribution / Share Alike license.

118

119

http://creativecommons.org/licenses/by-sa/2.5

120

121

-----BEGIN PGP SIGNATURE-----

122

123

iQEcBAEBCgAGBQJU/FpSAAoJEP7VAChXwav6P5oIALiem7pEiyKdkqLu2Q4eFn1l

124

od5NHFmgNmMO4NMirLo3RtTVjNZr/RRa/JZy/cB6923o277P60Wd8JE/Jm5BeYeE

125

Xtg5WeIA3spGAwxtfMh6HfDT3YURnVCUDCcalmDBKWOCxf0bymPMz7B924BZKexO

126

b0DkIJppzdD0wakKv2p5+EkD9IJx9p34UDnFN5rKpw+uJUaHqMNJBT8zqLT6ECKX

127

K2ynGtuxeZMXjd6JYs1Yeal90f8ONeLL0HiRWuS9EDFk7qRA4uYnuV4MlTmb85Nq

128

kPuVdt1mNBds6iozK67nyOrsbLgKOQ7lKKzclVnTzHbiioH2y4p7jusx2dCgq/E=

129

=/CaR

130

-----END PGP SIGNATURE-----

1	-----BEGIN PGP SIGNED MESSAGE-----
2	Hash: SHA512
3
4	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5	Gentoo Linux Security Advisory GLSA 201503-03
6	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7	http://security.gentoo.org/
8	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10	Severity: Normal
11	Title: PHP: Multiple vulnerabilities
12	Date: March 08, 2015
13	Bugs: #530820, #532914, #533998
14	ID: 201503-03
15
16	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
17
18	Synopsis
19	========
20
21	Multiple vulnerabilities have been discovered in PHP, the worst of
22	which could lead to remote execution of arbitrary code.
23
24	Background
25	==========
26
27	PHP is a widely-used general-purpose scripting language that is
28	especially suited for Web development and can be embedded into HTML.
29
30	Affected packages
31	=================
32
33	-------------------------------------------------------------------
34	Package / Vulnerable / Unaffected
35	-------------------------------------------------------------------
36	1 dev-lang/php < 5.5.21 >= 5.5.21
37	*>= 5.4.37
38	*>= 5.4.38
39	*>= 5.4.39
40
41	Description
42	===========
43
44	Multiple vulnerabilities have been discovered in PHP. Please review the
45	CVE identifiers referenced below for details.
46
47	Impact
48	======
49
50	A remote attacker can leverage these vulnerabilities to execute
51	arbitrary code or cause Denial of Service.
52
53	Workaround
54	==========
55
56	There is no known workaround at this time.
57
58	Resolution
59	==========
60
61	All PHP 5.5 users should upgrade to the latest version:
62
63	# emerge --sync
64	# emerge --ask --oneshot --verbose ">=dev-lang/php-5.5.21"
65
66	All PHP 5.4 users should upgrade to the latest version:
67
68	# emerge --sync
69	# emerge --ask --oneshot --verbose ">=dev-lang/php-5.4.37"
70
71	All PHP 5.3 users should upgrade to the latest version. This branch is
72	currently past the end of life and it will no longer receive security
73	fixes. All PHP 5.3 users are strongly recommended to upgrade to the
74	current stable version of PHP 5.5 or previous stable version of PHP
75	5.4, which are supported till at least 2016 and 2015 respectively.
76
77	References
78	==========
79
80	[ 1 ] CVE-2014-3710
81	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3710
82	[ 2 ] CVE-2014-8142
83	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8142
84	[ 3 ] CVE-2014-9425
85	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9425
86	[ 4 ] CVE-2014-9427
87	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9427
88	[ 5 ] CVE-2015-0231
89	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0231
90	[ 6 ] CVE-2015-0232
91	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0232
92
93	Availability
94	============
95
96	This GLSA and any updates to it are available for viewing at
97	the Gentoo Security Website:
98
99	http://security.gentoo.org/glsa/glsa-201503-03.xml
100
101	Concerns?
102	=========
103
104	Security is a primary focus of Gentoo Linux and ensuring the
105	confidentiality and security of our users' machines is of utmost
106	importance to us. Any security concerns should be addressed to
107	security@g.o or alternatively, you may file a bug at
108	https://bugs.gentoo.org.
109
110	License
111	=======
112
113	Copyright 2015 Gentoo Foundation, Inc; referenced text
114	belongs to its owner(s).
115
116	The contents of this document are licensed under the
117	Creative Commons - Attribution / Share Alike license.
118
119	http://creativecommons.org/licenses/by-sa/2.5
120
121	-----BEGIN PGP SIGNATURE-----
122
123	iQEcBAEBCgAGBQJU/FpSAAoJEP7VAChXwav6P5oIALiem7pEiyKdkqLu2Q4eFn1l
124	od5NHFmgNmMO4NMirLo3RtTVjNZr/RRa/JZy/cB6923o277P60Wd8JE/Jm5BeYeE
125	Xtg5WeIA3spGAwxtfMh6HfDT3YURnVCUDCcalmDBKWOCxf0bymPMz7B924BZKexO
126	b0DkIJppzdD0wakKv2p5+EkD9IJx9p34UDnFN5rKpw+uJUaHqMNJBT8zqLT6ECKX
127	K2ynGtuxeZMXjd6JYs1Yeal90f8ONeLL0HiRWuS9EDFk7qRA4uYnuV4MlTmb85Nq
128	kPuVdt1mNBds6iozK67nyOrsbLgKOQ7lKKzclVnTzHbiioH2y4p7jusx2dCgq/E=
129	=/CaR
130	-----END PGP SIGNATURE-----

Gentoo Archives: gentoo-announce