Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 531
Alerts This Week
Warning Icon 1 531

Ubuntu 15.04 LTS: USN-2658-1 Critical: PHP Denial of Service & Code Exec

ubuntu
Calendar Grey July 6, 2015
Scroller Ubuntu Esm H88
Recent PHP vulnerabilities have been identified, necessitating immediate updates for affected Ubuntu systems. Here's an overview and update guide to ensure security
Several security issues were fixed in PHP.

Summary

Several security issues were fixed in PHP.

Software Description:

- php5: HTML-embedded scripting language interpreter

Details:

Neal Poole and Tomas Hoger discovered that PHP incorrectly handled NULL

bytes in file paths. A remote attacker could possibly use this issue to

bypass intended restrictions and create or obtain access to sensitive

files. (CVE-2015-3411, CVE-2015-3412, CVE-2015-4025, CVE-2015-4026,

CVE-2015-4598)

Emmanuel Law discovered that the PHP phar extension incorrectly handled

filenames starting with a NULL byte. A remote attacker could use this issue

with a crafted tar archive to cause a denial of service. (CVE-2015-4021)

Max Spelsberg discovered that PHP incorrectly handled the LIST command

when connecting to remote FTP servers. A malicious FTP server could

possibly use this issue to execute arbitrary code. (CVE-2015-4022,

CVE-2015-4643)

Shusheng Liu discovered that PHP incorrectly handled certain malformed form

data. A remote attacker ...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.04:
  libapache2-mod-php5             5.6.4+dfsg-4ubuntu6.2
  php5-cgi                        5.6.4+dfsg-4ubuntu6.2
  php5-cli                        5.6.4+dfsg-4ubuntu6.2
  php5-fpm                        5.6.4+dfsg-4ubuntu6.2

Ubuntu 14.10:
  libapache2-mod-php5             5.5.12+dfsg-2ubuntu4.6
  php5-cgi                        5.5.12+dfsg-2ubuntu4.6
  php5-cli                        5.5.12+dfsg-2ubuntu4.6
  php5-fpm                        5.5.12+dfsg-2ubuntu4.6

Ubuntu 14.04 LTS:
  libapache2-mod-php5             5.5.9+dfsg-1ubuntu4.11
  php5-cgi                        5.5.9+dfsg-1ubuntu4.11
  php5-cli                        5.5.9+dfsg-1ubuntu4.11
  php5-fpm                        5.5.9+dfsg-1ubuntu4.11

Ubuntu 12.04 LTS:
  libapache2-mod-php5             5.3.10-1ubuntu3.19
  php5-cgi                        5.3.10-1ubuntu3.19
  php5-cli                        5.3.10-1ubuntu3.19
  php5-fpm                        5.3.10-1ubuntu3.19

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-2658-1

CVE-2015-3411, CVE-2015-3412, CVE-2015-4021, CVE-2015-4022,

CVE-2015-4024, CVE-2015-4025, CVE-2015-4026, CVE-2015-4147,

CVE-2015-4148, CVE-2015-4598, CVE-2015-4599, CVE-2015-4600,

CVE-2015-4601, CVE-2015-4602, CVE-2015-4603, CVE-2015-4604,

CVE-2015-4605, CVE-2015-4643, CVE-2015-4644

Severity
critical
Lowest
Low
Medium
High
Critical

July 06, 2015

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.