Summary
It was discovered that PHP, a general-purpose scripting language commonly used for web application development, is vulnerable to a heap-based buffer overflow in the DNS TXT record parsing. A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query.
Solution
For the stable distribution (wheezy), this problem has been fixed in version 5.4.4-14+deb7u11.
For the testing distribution (jessie), this problem has been fixed in version 5.6.0~beta4+dfsg-3.
For the unstable distribution (sid), this problem has been fixed in version 5.6.0~beta4+dfsg-3.
We recommend that you upgrade your php5 packages.
Insight
This package is a metapackage that, when installed, guarantees that you have at least one of the four server-side versions of the PHP5 interpreter installed. Removing this package won't remove PHP5 from your system, however it may remove other packages that depend on this one.
Affected
php5 on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2014-4049 -
CVSS Base Score: 5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
Related Vulnerabilities