[SECURITY] [DLA 1373-1] php5 security update

[Markus Koschany]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : php5
Version        : 5.4.45-0+deb7u14
CVE ID         : CVE-2018-10545 CVE-2018-10547 CVE-2018-10548

Several issues have been discovered in PHP (recursive acronym for PHP:
Hypertext Preprocessor), a widely-used open source general-purpose
scripting language that is especially suited for web development and can
be embedded into HTML.

CVE-2018-10545

  Dumpable FPM child processes allow bypassing opcache access
  controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call,
  allowing one user (in a multiuser environment) to obtain sensitive
  information from the process memory of a second user's PHP
  applications by running gcore on the PID of the PHP-FPM worker
  process.

CVE-2018-10547

  There is a reflected XSS on the PHAR 403 and 404 error pages via
  request data of a request for a .phar file. NOTE: this vulnerability
  exists because of an incomplete fix for CVE-2018-5712.

CVE-2018-10548

  ext/ldap/ldap.c allows remote LDAP servers to cause a denial of
  service (NULL pointer dereference and application crash) because of
  mishandling of the ldap_get_dn return value.

For Debian 7 "Wheezy", these problems have been fixed in version
5.4.45-0+deb7u14.

We recommend that you upgrade your php5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlrzR2pfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeR+ChAAl5LhJcFCSBT4P9wWqM5Ktxt+qYy2EZxHDrLdfkCEB3wqo+Xf5MlewXCm
6FXa8U97F+HkO30WDA4BW1sEoxE6tqXi6lUIS/V9qNPPNVaK1tV927n5kvSFaBTP
AMWEdhtga1ebWEejFr3BVwyVbnzGHoRYSsPLclX1KK5bXNhLypFGysH75oarYDP9
kO+fuKbT4TczCzF9hcs+pO8h7+y9NTQ676TFH3yIYJVCTHz8YN+s46J3eW5Mztjy
uiYb19OWXbnagK3tcVI5nBk7grYbowpV7IoARQIeQ4+quPb4SUfIqCsFJc4vCRj/
rJEEmwkWNGXL457X7TQnEX6K1gp2Ymd+jGHSV4eTPBXXsMtvx4gCSndVlt4NLgm/
dd8C4vPEl/Trh4YJK4FgQSnho+9hyKKiiAi2jj6tT7ufc/0/TC8EsIVPWrlNsNj4
9kJXF6QiSEZTdHXxpJmq3z+SDOLfPGwQKuadTlkyv6+lfn6kGA9a2iDSwOi0kAHj
mrASBOcqsQGRhXF584QIriCeD25c6YyjUHBDME4SLNJhwVDLvBHifDM+RB105v1f
WlIt8I4gBUkM6PNCAHFHYNACsumUgSaCJ+1dQu9dryF5Q1+rB29sneVHu8LMRP5y
yBSrS47E3wNiw5V93ovuGBvFiRUz9ZlNLa4bSWluP6pzXezqnoY=
=x7Ew
-----END PGP SIGNATURE-----