PublicDateAtUSN: 2013-12-11
Candidate: CVE-2013-6420
PublicDate: 2013-12-17 04:46:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420
 https://ubuntu.com/security/notices/USN-2055-1
Description:
 The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before
 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse
 (1) notBefore and (2) notAfter timestamps in X.509 certificates, which
 allows remote attackers to execute arbitrary code or cause a denial of
 service (memory corruption) via a crafted certificate that is not properly
 handled by the openssl_x509_parse function.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731895
Priority: medium
Discovered-by: Stefan Esser
Assigned-to: mdeslaur
CVSS:

Patches_php5:
 upstream: http://git.php.net/?p=php-src.git;a=commit;h=c1224573c773b6845e83505f717fbf820fc18415
 upstream: http://git.php.net/?p=php-src.git;a=commit;h=6f739318fd3dc04a01aec762d449949db481bf5d
upstream_php5: needs-triage
lucid_php5: released (5.3.2-1ubuntu4.22)
precise_php5: released (5.3.10-1ubuntu3.9)
quantal_php5: released (5.4.6-1ubuntu1.5)
raring_php5: released (5.4.9-4ubuntu2.4)
saucy_php5: released (5.5.3+dfsg-1ubuntu2.1)
devel_php5: released (5.5.6+dfsg-1ubuntu1)