| Description: | Summary:
The remote host is missing an update for the Debian 'php5' package(s) announced via the DLA-145-1 advisory.
Vulnerability Insight:
Brief introduction
CVE-2014-0237
The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.
CVE-2014-0238
The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long.
CVE-2014-2270
softmagic.c in file before 5.17 and libmagic allows context dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.
CVE-2014-8117
Stop reporting bad capabilities after the first few.
limit the number of program and section header number of sections
limit recursion level
CVE-2015-TEMP (no official CVE number available yet) null pointer deference (PHP bugs: 68739 68740) out-of-bounds memory access (file bug: 398) additional patches from CVE-2014-3478 added
For Debian 6 Squeeze, these issues have been fixed in php5 version 5.3.3-7+squeeze24
Affected Software/OS:
'php5' package(s) on Debian 6.
Solution:
Please install the updated package(s).
CVSS Score:
5.0
CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
|
