The PHP development team has released new versions in order to fix three security vulnerabilities -one of them is said to be a critical one and leads to remote code execution.
The vulnerability identified as "CVE-2014-3669" can cause an integer overflow when parsing specially crafted serialized data with the unserialize ().The vulnerability is only a 32-bit system, but the danger is caused by the breach and that the serialized data often come from user-controlled channels.
In addition, the updates have been corrected errors associated with the introduction of a null byte in the library cURL, calling the damage dynamic memory during processing of the modified data as a function of exif_thumbnail () in image processing (CVE-2014-3670), as well as buffer overflow in the function mkgmtime () from the module XMLRPC (CVE-2014-3668).
These vulnerabilities were discovered by the Research lab of IT security company High-Tech Bridge.
The new versions 5.6.2,5.5.18 and 5.4.34 address these three vulnerabilities.