Advisories » MGASA-2013-0379

Updated php packages fix multiple security vulnerabilities

Publication date: 19 Dec 2013
Modification date: 19 Dec 2013
Type: security
Affected Mageia releases : 3
CVE: CVE-2013-6420 , CVE-2013-6712

Description

Updated php packages fix security vulnerabilities:

Stefan Esser discovered that PHP incorrectly parsed certificates. An
attacker could use a malformed certificate to cause PHP to crash, resulting
in a denial of service, or possibly execute arbitrary code (CVE-2013-6420).

It was discovered that PHP incorrectly handled DateInterval objects. An
attacker could use this issue to cause PHP to crash, resulting in a denial
of service (CVE-2013-6712).
                

References

• http://www.php.net/ChangeLog-5.php#5.4.23
• http://www.ubuntu.com/usn/usn-2055-1/
• https://bugs.mageia.org/show_bug.cgi?id=11947
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712

SRPMS

3/core

• php-5.4.23-1.mga3
• php-gd-bundled-5.4.23-1.mga3
• php-apc-3.1.14-7.5.mga3