Launchpad CVE tracker

CVE 2013-6420

The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function.

Related bugs and status

CVE-2013-6420 (Candidate) is related to these bugs:

Bug #1242726: [MIR] php5-common is missing dependency on php5-json

		In	Importance	Status
1242726	[MIR] php5-common is missing dependency on php5-json	php5 (Ubuntu)	High	Fix Released
1242726	[MIR] php5-common is missing dependency on php5-json	php-json (Ubuntu)	High	Fix Released
1242726	[MIR] php5-common is missing dependency on php5-json	pkg-php-tools (Ubuntu)	Undecided	Fix Released

Bug #1244343: Regression in system fallback for date_default_timezone_get()

		In	Importance	Status
1244343	Regression in system fallback for date_default_timezone_get()	php5 (Ubuntu)	High	Fix Released
1244343	Regression in system fallback for date_default_timezone_get()	php5 (Debian)	Unknown	Fix Released
1244343	Regression in system fallback for date_default_timezone_get()	php5 (Ubuntu Trusty)	High	Fix Released

Bug #1260032: PHP Updates for CVE-2013-6420

Summary				In	Importance	Status
	1260032	PHP Updates for CVE-2013-6420		IUS Community Project	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2013-6420

References