Debian 9821 Published by

A php7.0 security update has been released for Debian GNU/Linux 9 Extended LTS to address multiple security issues.

ELA-848-1 php7.0 security update

Package : php7.0
Version : 7.0.33-0+deb9u14 (stretch)

Related CVEs :

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in denial of
service or incorrect validation of BCrypt hashes.

Due to an uncaught integer overflow, `PDO::quote()` of PDO_SQLite
may return an improperly quoted string. The exact details likely
depend on the implementation of `sqlite3_snprintf()`, but with some
versions it is possible to force the function to return a single
apostrophe, if the function is called on user supplied input without
any length restrictions in place.

Tim Düsterhus discovered that malformed BCrypt hashes that include a
`$` within their salt part trigger a buffer overread and may
erroneously validate any password as valid. (`Password_verify()`
always return `true` with such inputs.)

1-byte array overrun when appending slash to paths during path

Jakob Ackermann discovered a Denial of Service vulnerability when
parsing multipart request body: the request body parsing in PHP
allows any unauthenticated attacker to consume a large amount of CPU
time and trigger excessive logging.

  ELA-848-1 php7.0 security update