-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3280-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff June 07, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : php5 CVE ID : CVE-2015-2783 CVE-2015-3329 CVE-2015-4021 CVE-2015-4022 CVE-2015-4024 CVE-2015-4025 CVE-2015-4026 Multiple vulnerabilities have been discovered in PHP: CVE-2015-4025 / CVE-2015-4026 Multiple function didn't check for NULL bytes in path names. CVE-2015-4024 Denial of service when processing multipart/form-data requests. CVE-2015-4022 Integer overflow in the ftp_genlist() function may result in denial of service or potentially the execution of arbitrary code. CVE-2015-4021 CVE-2015-3329 CVE-2015-2783 Multiple vulnerabilities in the phar extension may result in denial of service or potentially the execution of arbitrary code when processing malformed archives. For the oldstable distribution (wheezy), these problems have been fixed in version 5.4.41-0+deb7u1. For the stable distribution (jessie), these problems have been fixed in version 5.6.9+dfsg-0+deb8u1. For the testing distribution (stretch), these problems have been fixed in version 5.6.9+dfsg-1. For the unstable distribution (sid), these problems have been fixed in version 5.6.9+dfsg-1. We recommend that you upgrade your php5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org