DSA-2943-1

Details

Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development:

CVE-2014-0185

The default PHP FPM socket permission has been changed from 0666
to 0660 to mitigate a security vulnerability (CVE-2014-0185) in PHP
FPM that allowed any local user to run a PHP code under the active
user of FPM process via crafted FastCGI client.

The default Debian setup now correctly sets the listen.owner and
listen.group to www-data:www-data in default php-fpm.conf.  If you
have more FPM instances or a webserver not running under www-data
user you need to adjust the configuration of FPM pools in
/etc/php5/fpm/pool.d/ so the accessing process has rights to
access the socket.

CVE-2014-0237 / CVE-2014-0238:

Denial of service in the CDF parser of the fileinfo module.

CVE-2014-2270

Denial of service in the fileinfo module.

Affected Packages

php5

Debian 7

Fixed in:

5.4.4-14+deb7u10

References

ADVISORY

https://security-tracker.debian.org/tracker/DSA-2943-1