Summary
It was discovered that PHP, a general-purpose scripting language commonly used for web application development, did not properly process embedded NUL characters in the subjectAltName extension of X.509 certificates. Depending on the application and with insufficient CA-level checks, this could be abused for impersonating other users.
Solution
For the oldstable distribution (squeeze), this problem has been fixed in version 5.3.3-7+squeeze17.
For the stable distribution (wheezy), this problem has been fixed in version 5.4.4-14+deb7u4.
For the unstable distribution (sid), this problem has been fixed in version 5.5.3+dfsg-1.
We recommend that you upgrade your php5 packages.
Insight
This package is a metapackage that, when installed, guarantees that you have at least one of the three server-side versions of the PHP5 interpreter installed. Removing this package won't remove PHP5 from your system, however it may remove other packages that depend on this one.
Affected
php5 on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2013-4248 -
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Related Vulnerabilities