testing php5 for Squeeze LTS
Hi,
I uploaded version 5.3.3-7+squeeze24 of php5 to:
https://people.debian.org/~alteholz/packages/squeeze-lts/php5/amd64/
https://people.debian.org/~alteholz/packages/squeeze-lts/php5/i386/
Please give it a try and tell me about any problems you meet. I am
especially interested in whether stuff that uses the Fileinfo component still works.
Changes:
php5 (5.3.3-7+squeeze24) squeeze-lts; urgency=high

  * Non-maintainer upload by the Squeeze LTS Team.
  * add patches provided by Univention (Janek Walkenhorst) for:
    CVE-2014-0238:
      The cdf_read_property_info function in cdf.c in the Fileinfo
      component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows
      remote attackers to cause a denial of service (infinite loop
      or out-of-bounds memory access) via a vector that (1) has zero
      length or (2) is too long.
    CVE-2014-0237:
      The cdf_unpack_summary_info function in cdf.c in the Fileinfo
      component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows
      remote attackers to cause a denial of service (performance
      degradation) by triggering many file_printf calls.
    CVE-2014-2270:
      softmagic.c in file before 5.17 and libmagic allows context
      dependent attackers to cause a denial of service (out-of-bounds
      memory access and crash) via crafted offsets in the softmagic
      of a PE executable.
  * add patch for PHP bugs: 68739 68740
    null pointer dereference
    (CVE-2015-TEMP-1, no official CVE number available yet)
  * add patch for file bug: 398
    out-of-bounds memory access
    (CVE-2015-TEMP-2, no official CVE number available yet)
    additional patches from CVE-2014-3478 added
  * add patches for CVE-2014-8117
    - Stop reporting bad capabilities after the first few.
    - limit the number of program and section header number of sections
    - limit recursion level
Thanks!
Thorsten