PHP developers have fixed four vulnerabilities in their products
The update fixes a vulnerability that could lead to an integer overflow.
The PHP developers have released patches 5.6.2, 5.5.18 and 5.4.34 for their scripting language, eliminating four vulnerabilities, including CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670.
All of the holes were discovered in September of this year. The most dangerous of the patched vulnerabilities is CVE-2014-3669: it can cause an integer overflow when specially crafted serialized data is parsed with the unserialize() function.
This vulnerability affects only 32-bit systems, but the danger is heightened by the fact that serialized data often comes from user-controlled channels.
In addition, the updates fix a bug that allowed a null byte to be injected in cURL, heap corruption while processing crafted data in exif_thumbnail(), and a buffer overflow in the mkgmtime() function of the XMLRPC module.
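As an added example (not code from the article, nor from PHP itself): a build check against the fixed releases named above, plus a keyed-MAC envelope so that only serialized data the application produced itself ever reaches the unserialize() parser. The function names, the key handling and the sample values are assumptions.

```php
<?php
// Added example, not code from the article or from the PHP project.
// Assumed names: isAffectedPhpBuild(), safeSerialize(), safeUnserialize().

// Fixed releases from the article: 5.4.34, 5.5.18, 5.6.2. Only 32-bit builds
// (PHP_INT_SIZE === 4) are exposed to the unserialize() integer overflow.
function isAffectedPhpBuild($versionId = PHP_VERSION_ID, $intSize = PHP_INT_SIZE)
{
    if ($intSize !== 4) {
        return false;                    // 64-bit build: not affected
    }
    $fixed = array(50400 => 50434, 50500 => 50518, 50600 => 50602);
    $branch = (int) ($versionId / 100) * 100;
    if (!isset($fixed[$branch])) {
        return false;                    // branch not covered by this advisory
    }
    return $versionId < $fixed[$branch];
}

// Serialized data "often comes from user-controlled channels": a keyed MAC over
// the blob means only bytes this application emitted are ever parsed.
// $key is an assumed application secret; keep it out of user reach.
function safeSerialize($value, $key)
{
    $blob = serialize($value);
    return hash_hmac('sha256', $blob, $key) . ':' . $blob;
}

function safeUnserialize($envelope, $key)
{
    $parts = explode(':', $envelope, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 64) {
        return null;                     // malformed envelope: never parsed
    }
    list($mac, $blob) = $parts;
    $expected = hash_hmac('sha256', $blob, $key);
    // Constant-time comparison (hash_equals() only exists from PHP 5.6).
    $diff = 0;
    for ($i = 0; $i < 64; $i++) {
        $diff |= ord($mac[$i]) ^ ord($expected[$i]);
    }
    if ($diff !== 0) {
        return null;                     // MAC mismatch: reject before unserialize()
    }
    return unserialize($blob);
}

// Usage with constructed values.
if (isAffectedPhpBuild()) {
    error_log('PHP build is below the fixed release for CVE-2014-3669 on 32-bit');
}
$key = 'constructed-demo-key-replace-me';
$envelope = safeSerialize(array('user' => 'alice'), $key);
var_dump(safeUnserialize($envelope, $key));             // round-trips
var_dump(safeUnserialize(str_repeat('0', 64) . ':a:0:{}', $key));  // rejected
```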
Multiple vulnerabilities in PHP
Severity: High
Fix available: Yes
Number of vulnerabilities: 3
CVSSv2 rating: (AV:L/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:W/RC:C) = Base: 4.7 / Temporal: 3.8
(AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:W/RC:C) = Base: 7.2 / Temporal: 5.8
(AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:W/RC:C) = Base: 4.9 / Temporal: 4
CVE ID:
CVE-2014-3668
CVE-2014-3669
CVE-2014-3670
Attack vector: Remote
Impact: Denial of service, disclosure of sensitive data, system compromise
Affected products: PHP 5.4.x
Affected versions: PHP versions prior to 5.6.2, PHP versions prior to 5.5.18, PHP versions prior to 5.4.34
Description:
These vulnerabilities allow a remote user to cause a denial of service or compromise a vulnerable system.
1. An unspecified error in mkgmtime(). A remote user can cause a denial of service.
2. An unspecified error in unserialize(). This can be exploited to compromise a target system.
3. An unspecified error in exif_thumbnail(). A remote user can cause a denial of service.
Solution: Install the latest version (5.5.18, 5.6.2 or 5.4.34) from the vendor's website.
Link: http://php.net/ChangeLog-5.php#5.4.34
Manufacturer URL: https://php.net/