| Package | php5 |
|---|---|
| Version | 5.6.40+dfsg-0+deb8u14 |
| Related CVEs | CVE-2019-9675 CVE-2020-7068 CVE-2020-7071 CVE-2021-21702 CVE-2021-21704 CVE-2021-21705 |
Several vulnerabilities were discovered in php5, a server-side, HTML-embedded scripting language. An attacker could cause denial of service (DoS), memory corruption and potentially execution of arbitrary code, and server-side request forgery (SSRF) bypass.
-
CVE-2019-9675
phar_tar_writeheaders_int in ext/phar/tar.c has a buffer overflow via a long link value.
-
CVE-2020-7068
While processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure.
-
CVE-2020-7071
When validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL.
-
CVE-2021-21702
When using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash.
-
CVE-2021-21704
Multiple firebird issues.
-
CVE-2021-21705
SSRF bypass in FILTER_VALIDATE_URL.
For Debian 8 jessie, these problems have been fixed in version 5.6.40+dfsg-0+deb8u14.
We recommend that you upgrade your php5 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.