As I've not received any feedback on the below RFC, I intend to make the upload in ~12 hours.
Regards,

-Roberto

On Fri, Feb 03, 2017 at 06:57:13PM -0500, Roberto C. Sánchez wrote:
> Greetings all,
>
> I have finished preparing an LTS upload of php5 (5.4.45-0+deb7u7) and
> your assistance with testing these packages before upload would be most
> welcome. Please try these out and let me know if you encounter any
> issues.
>
> Here are the relevant links:
>
> .changes file:
> https://people.debian.org/~roberto/php5_5.4.45-0+deb7u7_amd64.changes
>
> build log:
> https://people.debian.org/~roberto/php5_5.4.45-0+deb7u7_amd64.build
>
> source:
> https://people.debian.org/~roberto/php5_5.4.45-0+deb7u7.dsc
>
> debdiff against previous version:
> https://people.debian.org/~roberto/php5_5.4.45-0+deb7u6_5.4.45-0+deb7u7.diff
>
> Here is the advisory text I plan to publish after the upload:
>
> **********************************************************************
> *DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT*
> **********************************************************************
>
> Package        : php5
> Version        : 5.4.45-0+deb7u7
> CVE ID         : CVE-2016-2554 CVE-2016-3141 CVE-2016-3142 CVE-2016-4342
>                  CVE-2016-9934 CVE-2016-9935 CVE-2016-10158
>                  CVE-2016-10159 CVE-2016-10160 CVE-2016-10161
> PHP-Bugs       : 71323 70979 71039 71459 71391 71335
>
>
> Several issues have been discovered in PHP (recursive acronym for PHP:
> Hypertext Preprocessor), a widely-used open source general-purpose
> scripting language that is especially suited for web development and can
> be embedded into HTML.
>
> * CVE-2016-2554
>     Stack-based buffer overflow in ext/phar/tar.c allows remote
>     attackers to cause a denial of service (application crash) or
>     possibly have unspecified other impact via a crafted TAR archive.
>
> * CVE-2016-3141
>     Use-after-free vulnerability in wddx.c in the WDDX extension allows
>     remote attackers to cause a denial of service (memory corruption and
>     application crash) or possibly have unspecified other impact by
>     triggering a wddx_deserialize call on XML data containing a crafted
>     var element.
>
> * CVE-2016-3142
>     The phar_parse_zipfile function in zip.c in the PHAR extension in
>     PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to
>     obtain sensitive information from process memory or cause a denial
>     of service (out-of-bounds read and application crash) by placing a
>     PK\x05\x06 signature at an invalid location.
>
> * CVE-2016-4342
>     ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18,
>     and 7.x before 7.0.3 mishandles zero-length uncompressed data, which
>     allows remote attackers to cause a denial of service (heap memory
>     corruption) or possibly have unspecified other impact via a crafted
>     (1) TAR, (2) ZIP, or (3) PHAR archive.
>
> * CVE-2016-9934
>     ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows
>     remote attackers to cause a denial of service (NULL pointer
>     dereference) via crafted serialized data in a wddxPacket XML
>     document, as demonstrated by a PDORow string.
>
> * CVE-2016-9935
>     The php_wddx_push_element function in ext/wddx/wddx.c in PHP before
>     5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a
>     denial of service (out-of-bounds read and memory corruption) or
>     possibly have unspecified other impact via an empty boolean element
>     in a wddxPacket XML document.
>
> * CVE-2016-10158
>     The exif_convert_any_to_int function in ext/exif/exif.c in PHP
>     before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows
>     remote attackers to cause a denial of service (application crash)
>     via crafted EXIF data that triggers an attempt to divide the minimum
>     representable negative integer by -1.
>
> * CVE-2016-10159
>     Integer overflow in the phar_parse_pharfile function in
>     ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows
>     remote attackers to cause a denial of service (memory consumption or
>     application crash) via a truncated manifest entry in a PHAR archive.
>
> * CVE-2016-10160
>     Off-by-one error in the phar_parse_pharfile function in
>     ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows
>     remote attackers to cause a denial of service (memory corruption) or
>     possibly execute arbitrary code via a crafted PHAR archive with an
>     alias mismatch.
>
> * CVE-2016-10161
>     The object_common1 function in ext/standard/var_unserializer.c in
>     PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1
>     allows remote attackers to cause a denial of service (buffer
>     over-read and application crash) via crafted serialized data that is
>     mishandled in a finish_nested_data call.
>
> * BUG-71323.patch
>     Output of stream_get_meta_data can be falsified by its input
>
> * BUG-70979.patch
>     Crash on bad SOAP request
>
> * BUG-71039.patch
>     exec functions ignore length but look for NULL termination
>
> * BUG-71459.patch
>     Integer overflow in iptcembed()
>
> * BUG-71391.patch
>     NULL Pointer Dereference in phar_tar_setupmetadata()
>
> * BUG-71335.patch
>     Type confusion vulnerability in WDDX packet deserialization
>
>
> For Debian 7 "Wheezy", these problems have been fixed in version
> 5.4.45-0+deb7u7.
>
> We recommend that you upgrade your php5 packages.
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
>
> **********************************************************************
> *DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT*
> **********************************************************************
>
> --
> Roberto C. Sánchez
> http://people.connexer.com/~roberto
> http://www.connexer.com

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
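The CVE-2016-10158 entry in the draft advisory describes a crash caused by dividing the most negative representable integer by -1. The following is an added example, not code from PHP or from the Debian package above, showing why that division is dangerous in C and how a parser of untrusted metadata should guard it. On two's-complement machines `LONG_MIN / -1` has no representable result and is undefined behaviour (on x86 it raises a hardware trap, which is the application crash the advisory describes). The function names and the rational-to-integer conversion are the example's own assumptions and do not mirror `exif_convert_any_to_int`.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Checked signed division. Returns true and stores the quotient when the
   division is well defined. Returns false, without touching *quotient, for
   the two cases C leaves undefined: a zero divisor, and LONG_MIN / -1, whose
   mathematical result (-LONG_MIN) does not fit in a long. */
bool checked_div_long(long dividend, long divisor, long *quotient)
{
    if (divisor == 0)
        return false;
    if (dividend == LONG_MIN && divisor == -1)
        return false;
    *quotient = dividend / divisor;   /* safe: both undefined cases rejected */
    return true;
}

/* Convenience wrappers for callers (and tests) that want a plain value:
   div_is_defined reports whether the division may be performed at all,
   div_or_zero performs it and yields 0 for the rejected cases, which is the
   kind of lenient fallback a metadata parser would use after logging. */
int div_is_defined(long dividend, long divisor)
{
    long q;
    return checked_div_long(dividend, divisor, &q) ? 1 : 0;
}

long div_or_zero(long dividend, long divisor)
{
    long q;
    return checked_div_long(dividend, divisor, &q) ? q : 0;
}

/* A hypothetical rational field from an untrusted file: numerator and
   denominator are attacker-controlled, so both undefined cases are reachable
   with a crafted input. The parser must reject rather than compute them. */
typedef struct {
    long num;
    long den;
} rational_t;

bool rational_to_long(const rational_t *r, long *out)
{
    return checked_div_long(r->num, r->den, out);
}

int main(void)
{
    /* Constructed sample inputs: a benign value, a zero denominator, and the
       overflowing pair the advisory entry refers to. */
    const rational_t samples[] = {
        { 100, 4 },
        { 7, 0 },
        { LONG_MIN, -1 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long v;
        if (rational_to_long(&samples[i], &v))
            printf("%ld / %ld = %ld\n", samples[i].num, samples[i].den, v);
        else
            printf("%ld / %ld rejected (undefined result)\n",
                   samples[i].num, samples[i].den);
    }
    return 0;
}
```

The two checks are cheap and branch-predictable, so there is no reason to omit them on any path where the divisor comes from file contents. Compiling with `-fsanitize=undefined` will also flag the unguarded form at runtime, which is a useful check to run over a parser's test corpus.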