Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 533
Alerts This Week
Warning Icon 1 533

Ubuntu 14.10 USN-2391-1 Critical: PHP5 Denial Of Service

ubuntu
Calendar Grey October 30, 2014
Scroller Ubuntu Esm H88
Explore the Ubuntu Security Announcement USN-2391-1 which outlines significant vulnerabilities found in php5, impacting various versions.
Several security issues were fixed in PHP.

Summary

Several security issues were fixed in PHP.

Software Description:

- php5: HTML-embedded scripting language interpreter

Details:

Symeon Paraschoudis discovered that PHP incorrectly handled the mkgmtime

function. A remote attacker could possibly use this issue to cause PHP to

crash, resulting in a denial of service. (CVE-2014-3668)

Symeon Paraschoudis discovered that PHP incorrectly handled unserializing

objects. A remote attacker could possibly use this issue to cause PHP to

crash, resulting in a denial of service. (CVE-2014-3669)

Otto Ebeling discovered that PHP incorrectly handled the exif_thumbnail

function. A remote attacker could use this issue to cause PHP to crash,

resulting in a denial of service, or possibly execute arbitrary code.

(CVE-2014-3670)

Francisco Alonso that PHP incorrectly handled ELF files in the fileinfo

extension. A remote attacker could possibly use this issue to cause PHP to

crash, resulting in a denial of service. (CVE-2014-3710)

...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.10:
  libapache2-mod-php5             5.5.12+dfsg-2ubuntu4.1
  php5-cgi                        5.5.12+dfsg-2ubuntu4.1
  php5-cli                        5.5.12+dfsg-2ubuntu4.1
  php5-curl                       5.5.12+dfsg-2ubuntu4.1
  php5-fpm                        5.5.12+dfsg-2ubuntu4.1
  php5-xmlrpc                     5.5.12+dfsg-2ubuntu4.1

Ubuntu 14.04 LTS:
  libapache2-mod-php5             5.5.9+dfsg-1ubuntu4.5
  php5-cgi                        5.5.9+dfsg-1ubuntu4.5
  php5-cli                        5.5.9+dfsg-1ubuntu4.5
  php5-curl                       5.5.9+dfsg-1ubuntu4.5
  php5-fpm                        5.5.9+dfsg-1ubuntu4.5
  php5-xmlrpc                     5.5.9+dfsg-1ubuntu4.5

Ubuntu 12.04 LTS:
  libapache2-mod-php5             5.3.10-1ubuntu3.15
  php5-cgi                        5.3.10-1ubuntu3.15
  php5-cli                        5.3.10-1ubuntu3.15
  php5-curl                       5.3.10-1ubuntu3.15
  php5-fpm                        5.3.10-1ubuntu3.15
  php5-xmlrpc                     5.3.10-1ubuntu3.15

Ubuntu 10.04 LTS:
  libapache2-mod-php5             5.3.2-1ubuntu4.28
  php5-cgi                        5.3.2-1ubuntu4.28
  php5-cli                        5.3.2-1ubuntu4.28
  php5-curl                       5.3.2-1ubuntu4.28
  php5-xmlrpc                     5.3.2-1ubuntu4.28

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-2391-1

CVE-2014-3668, CVE-2014-3669, CVE-2014-3670, CVE-2014-3710

Severity
critical
Lowest
Low
Medium
High
Critical

October 30, 2014

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.