Debian LTS Advisory ([SECURITY] [DLA 1373-1] php5 security update)

Several issues have been discovered in PHP (recursive acronym for PHP: Hypertext Preprocessor), a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML. CVE-2018-10545 Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM worker process. CVE-2018-10547 There is a reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712. CVE-2018-10548 ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value.

php5 on Debian Linux

This check tests the installed software version using the apt package manager.

For Debian 7 'Wheezy', these problems have been fixed in version 5.4.45-0+deb7u14. We recommend that you upgrade your php5 packages.