Package        : php5
Version        : 5.6.40+dfsg-0+deb8u12
CVE ID         : CVE-2019-11048

It has been discovered that a vulnerability in php5, a server-side,
HTML-embedded scripting language, could lead to exhausted disk space on
the server. When overly long filenames or field names are used, a memory
limit could be hit, which stops the upload without cleaning up afterwards.

Furthermore, the embedded version of "file" is vulnerable to
CVE-2019-18218. Because it cannot be exploited in php5 the same way as in
file, this issue is not handled as a separate CVE but only as a bug, which
has been fixed here (restrict the number of CDF_VECTOR elements to prevent
a heap-based buffer overflow (4-byte out-of-bounds write)).

For Debian 8 "Jessie", this problem has been fixed in version
5.6.40+dfsg-0+deb8u12.

We recommend that you upgrade your php5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
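
The upload issue above leaves temporary files behind when an upload is aborted. The following check is an added example, not part of the advisory or of the php5 package: it lists and sizes stale upload temp files on a server. The directory, the age threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the advisory): find upload temp files left behind.
# PHP creates each upload temp file as "php" + 6 random characters in
# upload_tmp_dir, or in the system temp directory when that is unset.

# list_stale_uploads DIR MINUTES
# Print files matching that pattern, directly inside DIR, last modified more
# than MINUTES minutes ago. A completed request removes its own temp files,
# so old matches are leftovers.
list_stale_uploads() {
    find "$1" -maxdepth 1 -type f -name 'php??????' -mmin "+$2" 2>/dev/null
}

# count_stale_uploads DIR MINUTES: number of leftover files.
count_stale_uploads() {
    list_stale_uploads "$1" "$2" | wc -l | tr -d ' '
}

# stale_upload_kib DIR MINUTES: disk space the leftovers occupy, in KiB.
stale_upload_kib() {
    find "$1" -maxdepth 1 -type f -name 'php??????' -mmin "+$2" \
        -exec du -k {} + 2>/dev/null | awk '{ sum += $1 } END { print sum + 0 }'
}

# Report only when a directory is given, e.g.: sh stale_uploads.sh /tmp 60
# (/tmp and the 60-minute threshold are assumptions; use the upload_tmp_dir
# value from the server's php.ini and an age longer than any real upload).
if [ "$#" -ge 1 ]; then
    dir=$1
    age=${2:-60}
    echo "stale upload temp files in $dir: $(count_stale_uploads "$dir" "$age")"
    echo "disk space held (KiB): $(stale_upload_kib "$dir" "$age")"
fi
```

A count that keeps growing on a host still running a php5 version older than 5.6.40+dfsg-0+deb8u12 is a reason to upgrade and then clear the leftovers.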
