Gentoo Archives: gentoo-announce

From: Kristian Fiskerstrand <k_f@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201408-11 ] PHP: Multiple vulnerabilities
Date: Fri, 29 Aug 2014 11:13:08
Message-Id: 54005CA9.9020706@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201408-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: PHP: Multiple vulnerabilities
      Date: August 29, 2014
      Bugs: #459904, #472204, #472558, #474656, #476570, #481004,
            #483212, #485252, #492784, #493982, #501312, #503630,
            #503670, #505172, #505712, #509132, #512288, #512492,
            #513032, #516994, #519932, #520134, #520438
        ID: 201408-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in PHP, the worst of
which could lead to remote execution of arbitrary code.

Background
==========

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-lang/php               < 5.5.16                    >= 5.5.16
                                                           *>= 5.4.32
                                                           *>= 5.3.29

Description
===========

Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below for details.

Impact
======

A context-dependent attacker can cause arbitrary code execution, create
a Denial of Service condition, read or write arbitrary files,
impersonate other servers, hijack a web session, or have other
unspecified impact. Additionally, a local attacker could gain escalated
privileges.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PHP 5.5 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/php-5.5.16"

All PHP 5.4 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/php-5.4.32"

All PHP 5.3 users should upgrade to the latest version. This release
marks the end of life of the PHP 5.3 series; no further releases of this
series are planned. All PHP 5.3 users are encouraged to upgrade to the
current stable version of PHP 5.5 or the previous stable version of PHP
5.4, which are supported until at least 2016 and 2015 respectively.

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/php-5.3.29"
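
Because dev-lang/php is slotted, a host can carry several PHP branches
at once, and each branch has its own fixed version in the table above.
The following script is an added check, not part of this advisory or of
Gentoo's own tooling: it takes the thresholds from the "Affected
packages" table (< 5.5.16 vulnerable, except 5.4.x >= 5.4.32 and
5.3.x >= 5.3.29) and classifies every installed atom. The sample
"qlist -Iv dev-lang/php" output embedded at the bottom is constructed
for illustration; on a real Gentoo host substitute the live command.

```shell
#!/bin/sh
# Added example, not part of GLSA 201408-11 or of Gentoo's tooling:
# decide whether an installed dev-lang/php version is in this advisory's
# vulnerable range. Thresholds come from the "Affected packages" table:
# < 5.5.16 is vulnerable, except 5.4.x >= 5.4.32 and 5.3.x >= 5.3.29.

# vercmp A B: compare two dotted numeric versions component by component
# and print -1, 0 or 1. A Gentoo revision suffix (e.g. "-r1") is dropped,
# so 5.5.16-r1 compares equal to 5.5.16. Pre-release suffixes such as
# "_rc1" are not handled; none of the fixed versions above carry one.
vercmp() {
    a=${1%%-r*}; b=${2%%-r*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; bc=${b%%.*}                 # leading component of each
        [ "$ac" = "$a" ] && a='' || a=${a#*.}    # consume it
        [ "$bc" = "$b" ] && b='' || b=${b#*.}
        ac=${ac:-0}; bc=${bc:-0}                 # missing component counts as 0
        if [ "$ac" -lt "$bc" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ac" -gt "$bc" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# glsa_201408_11_status VERSION: pick the fixed version for the branch
# VERSION belongs to and report "unaffected" or "vulnerable (...)".
# Anything that is not 5.4.x or 5.3.x is measured against 5.5.16, which
# is exactly what the table's "< 5.5.16" row says (so 5.2.x is flagged
# and 5.6.x is not).
glsa_201408_11_status() {
    case "$1" in
        5.4.*) fixed=5.4.32 ;;
        5.3.*) fixed=5.3.29 ;;
        *)     fixed=5.5.16 ;;
    esac
    if [ "$(vercmp "$1" "$fixed")" -lt 0 ]; then
        printf '%s\n' "vulnerable (upgrade to >=dev-lang/php-$fixed)"
    else
        printf '%s\n' "unaffected"
    fi
}

# check_installed LINES: LINES is the output of "qlist -Iv dev-lang/php"
# (one "dev-lang/php-VERSION" atom per line; PHP is slotted, so several
# branches may be installed at once). Prints one status line per atom.
check_installed() {
    printf '%s\n' "$1" | while IFS= read -r atom; do
        [ -n "$atom" ] || continue
        v=${atom#dev-lang/php-}
        printf '%-26s %s\n' "$atom" "$(glsa_201408_11_status "$v")"
    done
}

# Constructed sample of "qlist -Iv dev-lang/php" output on a box with
# three PHP slots installed; on a Gentoo host use the real command:
#   check_installed "$(qlist -Iv dev-lang/php)"
SAMPLE_INSTALLED='dev-lang/php-5.3.28
dev-lang/php-5.4.30-r1
dev-lang/php-5.5.16'

check_installed "$SAMPLE_INSTALLED"
```

The per-branch lookup matters: a naive "is it below 5.5.16" test would
tell a 5.4.32 or 5.3.29 user to upgrade when the table lists those
versions as unaffected, while a test that only looks at the installed
5.5 slot would miss a vulnerable 5.3 or 5.4 slot still serving traffic.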

References
==========

[ 1 ] CVE-2011-4718
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4718
[ 2 ] CVE-2013-1635
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1635
[ 3 ] CVE-2013-1643
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1643
[ 4 ] CVE-2013-1824
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1824
[ 5 ] CVE-2013-2110
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2110
[ 6 ] CVE-2013-3735
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3735
[ 7 ] CVE-2013-4113
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4113
[ 8 ] CVE-2013-4248
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4248
[ 9 ] CVE-2013-4635
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4635
[ 10 ] CVE-2013-4636
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4636
[ 11 ] CVE-2013-6420
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6420
[ 12 ] CVE-2013-6712
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6712
[ 13 ] CVE-2013-7226
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7226
[ 14 ] CVE-2013-7327
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7327
[ 15 ] CVE-2013-7345
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7345
[ 16 ] CVE-2014-0185
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0185
[ 17 ] CVE-2014-0237
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0237
[ 18 ] CVE-2014-0238
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0238
[ 19 ] CVE-2014-1943
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1943
[ 20 ] CVE-2014-2270
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2270
[ 21 ] CVE-2014-2497
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2497
[ 22 ] CVE-2014-3597
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3597
[ 23 ] CVE-2014-3981
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3981
[ 24 ] CVE-2014-4049
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4049
[ 25 ] CVE-2014-4670
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4670
[ 26 ] CVE-2014-5120
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5120

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201408-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachment: signature.asc (application/pgp-signature)