Debian 9858 Published by

The following updates has been released for Debian 6 LTS:

[SECURITY] [DLA 340-1] krb5 security update
[SECURITY] [DLA 341-1] php5 security update



[DLA 340-1] krb5 security update

Package : krb5
Version : 1.8.3+dfsg-4squeeze10
CVE ID : CVE-2015-2695 CVE-2015-2697

Several vulnerabilities were discovered in krb5, the MIT implementation
of Kerberos. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2015-2695

It was discovered that applications which call gss_inquire_context()
on a partially-established SPNEGO context can cause the GSS-API
library to read from a pointer using the wrong type, leading to a
process crash.

CVE-2015-2697

It was discovered that the build_principal_va() function incorrectly
handles input strings. An authenticated attacker can take advantage
of this flaw to cause a KDC to crash using a TGS request with a
large realm field beginning with a null byte.

For the oldoldstable distribution (squeeze), these problems have been
fixed in version 1.8.3+dfsg-4squeeze10.

We recommend that you upgrade your krb5 packages.



[DLA 341-1] php5 security update

Package : php5
Version : 5.3.3.1-7+squeeze28
CVE ID : CVE-2015-6831 CVE-2015-6832 CVE-2015-6833 CVE-2015-6834
CVE-2015-6836 CVE-2015-6837 CVE-2015-6838 CVE-2015-7803
CVE-2015-7804

* CVE-2015-6831
Use after free vulnerability was found in unserialize() function.
We can create ZVAL and free it via Serializable::unserialize.
However the unserialize() will still allow to use R: or r: to set
references to that already freed memory. It is possible to
use-after-free attack and execute arbitrary code remotely.
* CVE-2015-6832
Dangling pointer in the unserialization of ArrayObject items.
* CVE-2015-6833
Files extracted from archive may be placed outside of destination
directory
* CVE-2015-6834
Use after free vulnerability was found in unserialize() function.
We can create ZVAL and free it via Serializable::unserialize.
However the unserialize() will still allow to use R: or r: to set
references to that already freed memory. It is possible to
use-after-free attack and execute arbitrary code remotely.
* CVE-2015-6836
A type confusion occurs within SOAP serialize_function_call due
to an insufficient validation of the headers field.
In the SoapClient's __call method, the verify_soap_headers_array
check is applied only to headers retrieved from
zend_parse_parameters; problem is that a few lines later,
soap_headers could be updated or even replaced with values from
the __default_headers object fields.
* CVE-2015-6837
The XSLTProcessor class misses a few checks on the input from the
libxslt library. The valuePop() function call is able to return
NULL pointer and php does not check that.
* CVE-2015-6838
The XSLTProcessor class misses a few checks on the input from the
libxslt library. The valuePop() function call is able to return
NULL pointer and php does not check that.
* CVE-2015-7803
A NULL pointer dereference flaw was found in the way PHP's Phar
extension parsed Phar archives. A specially crafted archive could
cause PHP to crash.
* CVE-2015-7804
An uninitialized pointer use flaw was found in the
phar_make_dirstream() function of PHP's Phar extension.
A specially crafted phar file in the ZIP format with a directory
entry with a file name "/ZIP" could cause a PHP application
function to crash.