[USN-3902-1] PHP vulnerabilities


This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

protocol=”application/pgp-signature”;
boundary=”FPdosoh9uRSmuT2gxZf583Tkv0yWxToui”

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
–FPdosoh9uRSmuT2gxZf583Tkv0yWxToui

protected-headers=”v1″
From: Marc Deslauriers
Reply-To: Ubuntu Security
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID:
Subject: [USN-3902-1] PHP vulnerabilities

–0K9EcrcoKxX0L36DI1xqeIjf7eBb0MuS4

Content-Language: en-CA
Content-Transfer-Encoding: quoted-printable

=
=

Ubuntu Security Notice USN-3902-1
March 06, 2019

php5, php7.0 vulnerabilities
=
=

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 16.04 LTS
– Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:
– php7.0: HTML-embedded scripting language interpreter
– php5: HTML-embedded scripting language interpreter

Details:

It was discovered that the PHP XML-RPC module incorrectly handled decodin=
g
XML data. A remote attacker could possibly use this issue to cause PHP to=

crash, resulting in a denial of service. (CVE-2019-9020, CVE-2019-9024)

It was discovered that the PHP PHAR module incorrectly handled certain
filenames. A remote attacker could possibly use this issue to cause PHP t=
o
crash, resulting in a denial of service. (CVE-2019-9021)

It was discovered that PHP incorrectly parsed certain DNS responses. A
remote attacker could possibly use this issue to cause PHP to crash,
resulting in a denial of service. This issue only affected Ubuntu 16.04
LTS. (CVE-2019-9022)

It was discovered that PHP incorrectly handled mbstring regular
expressions. A remote attacker could possibly use this issue to cause PHP=

to crash, resulting in a denial of service. (CVE-2019-9023)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
libapache2-mod-php7.0 7.0.33-0ubuntu0.16.04.2
php7.0-cgi 7.0.33-0ubuntu0.16.04.2
php7.0-cli 7.0.33-0ubuntu0.16.04.2
php7.0-fpm 7.0.33-0ubuntu0.16.04.2
php7.0-mbstring 7.0.33-0ubuntu0.16.04.2
php7.0-xmlrpc 7.0.33-0ubuntu0.16.04.2

Ubuntu 14.04 LTS:
libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.27
php5-cgi 5.5.9+dfsg-1ubuntu4.27
php5-cli 5.5.9+dfsg-1ubuntu4.27
php5-fpm 5.5.9+dfsg-1ubuntu4.27
php5-xmlrpc 5.5.9+dfsg-1ubuntu4.27

In general, a standard system update will make all the necessary changes.=

References:
https://usn.ubuntu.com/usn/usn-3902-1
CVE-2019-9020, CVE-2019-9021, CVE-2019-9022, CVE-2019-9023,
CVE-2019-9024

Package Information:
https://launchpad.net/ubuntu/+source/php7.0/7.0.33-0ubuntu0.16.04.2
https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.27

–0K9EcrcoKxX0L36DI1xqeIjf7eBb0MuS4–

–FPdosoh9uRSmuT2gxZf583Tkv0yWxToui

Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename=”signature.asc”

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAlx/7O0ACgkQZWnYVadE
vpM9kQ/+NRB5zcKftjydhYpG7jGi+5eO/4wlUSKh12PhwO2lC2Xwn5HLkmUNDCd+
57SoEAvsmTihQjUkLX/M+iYq/9HImVySDetP8NBlRk+8Bc2I9HddNSXSwO/nqbc7
ouNgToq5UN9LEmPrYt1btcJ2JuQHXVxZGwTEw7xzxMsLNwCW+SaFuct5Z9TFVcc0
k81iuVmoo6nUf9W9lFL7dk6Z7bBa04R4m2nHAuu0q/Zb78+9VdAlKBUkzMC9G9dT
sDH3hV5UDiCJFzJljD/rYA/DTuQhEGvzTdG7lfPOkZs/f7eqOhpwrO0ZV6MN6CAr
u9kSLUzKE+jGUlezTF8MmJGykf1D6iW0Dh6sj1RSqTimhSXvdhF3EPrqJ2RPzQOs
lA+U5ooVhKKE8ypWgDixE6q+hOanmleLCC36DDLMQMFEQoLWKg0zyt1W5QwmzFCw
H9s+s0/9Aj/uHAoOY0afK4pj0n2ngCwiGIbrP2uz3NXvuobqIl9uBkNKAHylGbzk
g7BpYG5g40j0xLTIljK6uVHL9gdOSPbY9OR0kBuwqec+ZStVyZwUqQsdqk5JjO5L
u7SHGFuSQzoJTOaQvGmSPK3wyKMciKAyYmeFIgKwSNkfWkdXOOpTmWmXajT+nzmK
ESsXInaDJ9fXQWYqU+rjTL+oKTbESOMCoPGDiqFvumoRM1ZrkR8=
=IUaL
—–END PGP SIGNATURE—–

–FPdosoh9uRSmuT2gxZf583Tkv0yWxToui–

MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5
LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl
IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj
dXJpdHktYW5ub3VuY2UK