-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : php5
Version : 5.4.45-0+deb7u9
CVE ID : CVE-2016-10397 CVE-2017-11143 CVE-2017-11144
CVE-2017-11145 CVE-2017-11147
Several issues have been discovered in PHP (recursive acronym for PHP:
Hypertext Preprocessor), a widely-used open source general-purpose
scripting language that is especially suited for web development and can
be embedded into HTML.
CVE-2016-10397
Incorrect handling of various URI components in the URL parser could
be used by attackers to bypass hostname-specific URL checks.
CVE-2017-11143
An invalid free in the WDDX deserialization of boolean parameters
could be used by attackers able to inject XML for deserialization to
crash the PHP interpreter.
CVE-2017-11144
The openssl extension PEM sealing code did not check the return value
of the OpenSSL sealing function, which could lead to a crash of the
PHP interpreter.
CVE-2017-11145
Lack of a bounds check in the date extension's timelib_meridian
parsing code could be used by attackers able to supply date strings to
leak information from the interpreter.
CVE-2017-11147
The PHAR archive handler could be used by attackers supplying
malicious archive files to crash the PHP interpreter or potentially
disclose information due to a buffer over-read in the
phar_parse_pharfile function in ext/phar/phar.c.
For Debian 7 "Wheezy", these problems have been fixed in version
5.4.45-0+deb7u9.
We recommend that you upgrade your php5 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAllx6XVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeR/JRAAqbDotxgpXTpTLCB64hBkv9RAKoXT4O37Z30fj5N0BJz1lAfS3E/DxpU8
OYH8cguq5k6dp6lEdNDhx1w3AFwZ1wMvAx4HPvEf64k6ryW5bGfbZHmFOl1E8Hxk
ov/yQelLMzeb5BfyzDew2Q6Ssp5VM0+alZMTrjl9DS58i9IO2tN4xVYbcqXuOwQf
SQPHtbc/ov3QWobOs8v5D1ZO9Xcd5E4AsVuFz2Uesko6M42TNsFmtSLlGe4hrv2r
ATtWBe4B/10Es9MngdusYU3bQ6cThABH/nG8WGXscOZn6SPrD1fmyx/u3bPy8n0f
y4tc++/lZvjHpsozc903DxKoiNkhWJUNwnjmN5qIFJBgfXGjiw83I96MYxwyHi+U
7smpduYhKsH6Egzf81jRf8uLwBlfKAl0knNBgXKHRpyHcMAWwp2XPFEbRGrm809D
KF8YnxLKj+Wu9GLuWIxeHHR5c6b0hJKEg0DxELLngS2YJ+WGdPXE3QjccvuM/jtm
n6H/NhqyMH/hhuz5aaKWN7zCwUplDI/qhlurNijz0Myps5/gNf6IA6Bs5qVOIkum
/R3IznHXloAbh0LaFPeGdYHf/j3eRXrUAkWxjJCHDZwk343FQxRvV3K+ZYBUbDlr
JfqlIv+/6SF00YhyiJP+becMTRXk7Xc0VBAcQ/j4GKzdm6U3dDs=
=xHPR
-----END PGP SIGNATURE-----
