Debian 10163 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-120-1 php5 security update

Debian GNU/Linux 8 LTS:
DLA 1803-1: php5 security update
DLA 1804-1: curl security update



ELA-120-1 php5 security update

Package: php5
Version: 5.4.45-0+deb7u22
Related CVE: CVE-2019-11036
A read past allocated buffer vulnerability was discovered in the PHP5 programming language within the Exif image module.

For Debian 7 Wheezy, these problems have been fixed in version 5.4.45-0+deb7u22.

We recommend that you upgrade your php5 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1803-1: php5 security update




Package : php5
Version : 5.6.40+dfsg-0+deb8u3
CVE ID : CVE-2019-11034 CVE-2019-11035 CVE-2019-11036


A read past allocated buffer vulnerability and two heap-buffer overflow
vulnerabilites were discovered in the PHP5 programming language within
the Exif image module.


For Debian 8 "Jessie", these problems have been fixed in version
5.6.40+dfsg-0+deb8u3.

We recommend that you upgrade your php5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1804-1: curl security update




Package : curl
Version : 7.38.0-4+deb8u15
CVE ID : CVE-2019-5436
Debian Bug : 929351

cURL, an URL transfer library, contains a heap buffer overflow in the
function tftp_receive_packet() that receives data from a TFTP server.
It calls recvfrom() with the default size for the buffer rather than
with the size that was used to allocate it. Thus, the content that
might overwrite the heap memory is entirely controlled by the server.

For Debian 8 "Jessie", this problem has been fixed in version
7.38.0-4+deb8u15.

We recommend that you upgrade your curl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS