ELA-86-1 php5 security update

prohibit access to illegal memory

2019-02-27
Packagephp5
Version5.4.45-0+deb7u19
Related CVE CVE-2018-20783 CVE-2018-1000888 CVE-2019-9022

Several issues in php5 have been fixed to avoid access to illegal memory.

CVE-2019-9022: An issue during parsing of DNS responses allows a hostile DNS server to misuse memcpy, which leads to a read operation past an allocated buffer.

CVE-2018-1000888: Fix for a PHP object injection vulnerability in the PEAR Archive_tar code, potentially allowing a remote attacker to execute arbitrary code.

CVE-2018-20783: buffer over-read in PHAR reading functions may give an attacker access to memory past the actual data when trying to parse a .phar file

For Debian 7 Wheezy, these problems have been fixed in version 5.4.45-0+deb7u19.

We recommend that you upgrade your php5 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/