
Re: [SECURITY] [DSA 2974-1] php5 security update



On 18 July 2014, at 16:28, Marko Randjelovic <marko-r@sbb.rs> wrote:

> Hi,

Hi!

> 
> Some patches from 5.4.4-14+deb7u12 could be unmodified or with
> modifications applied to 5.3.3-7+squeeze20. Some of them may be
> relevant for security. Since I am not a DD, the patches I found that
> could be useful are attached, with my eventual modifications. I don't
> know if they solve the problems nor if they do not make new bugs.
> 
> patch                                                           affected solved
> --------------------------------------------------------------- -------- ------
> proc_open-separate-environment-values-that-arent-strings.patch  ?        ?
> Out-of-memory-on-command-stream_get_contents.patch              y        y
> stream_socket_server-creates-wrong-Abstract-Namespace-UNIX-sock y        y
> exit-in-stream-filter-produces-segfault.patch                   y        y
> fpassthru-broken.patch                                          partial  ?
> openssl_seal-memory-leak.patch                                  y        ?
> Segfault-in-mysqli_stmt-bind_result-when-link-closed.patch      ?        ?
> Segmentation-fault-after-memory_limit.patch                     ?        ?
> bug67498.patch                                                  y        ?
> CVE-2014-3480.patch                                             ?        ?

It's a bit hard for me to read this, but I assume you're referring to DSA 2974-1.

Several (if not all) of the issues in DSA 2974-1 are relevant to PHP 5.3.3.

Judging from the patch labels, I would say that these should be applied.
-- 
Cheers,
Jan

