ID

VAR-201503-0206


CVE

CVE-2015-2301


TITLE

PHP ‘ phar_rename_archive 'Reuse the function after the release of the vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-201503-624

DESCRIPTION

Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted renaming of a Phar archive to the name of an existing file. PHP is prone to a denial-of-service vulnerability. Attackers can exploit this issue to crash the affected application, denying service to legitimate users. PHP (PHP: Hypertext Preprocessor, PHP: Hypertext Preprocessor) is an open source general-purpose computer scripting language jointly maintained by the PHP Group and the open source community. The language is mainly used for Web development and supports a variety of databases and operating systems. 6) - i386, x86_64 3. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/php-5.4.40-i486-1_slack14.1.txz: Upgraded. Please note that this package build also moves the configuration files from /etc/httpd to /etc, /etc/php.d, and /etc/php-fpm.d. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9709 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1351 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1352 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2301 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2783 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3330 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/php-5.4.40-i486-1_slack14.0.txz Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/php-5.4.40-x86_64-1_slack14.0.txz Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/php-5.4.40-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/php-5.4.40-x86_64-1_slack14.1.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-5.6.8-i486-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/php-5.6.8-x86_64-1.txz MD5 signatures: +-------------+ Slackware 14.0 package: 2666059d6540b1b4385d25dfc5ebbe99 php-5.4.40-i486-1_slack14.0.txz Slackware x86_64 14.0 package: c146f500912ba9c7e5d652e5e3643c04 php-5.4.40-x86_64-1_slack14.0.txz Slackware 14.1 package: 9efc8a96f9a3f3261e5f640292b1b781 php-5.4.40-i486-1_slack14.1.txz Slackware x86_64 14.1 package: 2c95e077f314f1cfa3ee83b9aba90b91 php-5.4.40-x86_64-1_slack14.1.txz Slackware -current package: 30d14f237c71fada0d594c2360a58016 n/php-5.6.8-i486-1.txz Slackware x86_64 -current package: 1a0fcc590aa4dff5de5f08293936d0d9 n/php-5.6.8-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg php-5.4.40-i486-1_slack14.1.txz Then, restart Apache httpd: # /etc/rc.d/rc.httpd stop # /etc/rc.d/rc.httpd start +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. Summary: Updated php packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. (CVE-2015-3330) A flaw was found in the way PHP parsed multipart HTTP POST requests. (CVE-2014-8142, CVE-2015-0231, CVE-2015-0273, CVE-2015-2787, CVE-2015-4147, CVE-2015-4148, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603) It was found that certain PHP functions did not properly handle file names containing a NULL character. (CVE-2015-2348, CVE-2015-4025, CVE-2015-4026, CVE-2015-3411, CVE-2015-3412, CVE-2015-4598) Multiple flaws were found in the way the way PHP's Phar extension parsed Phar archives. (CVE-2014-9705) A buffer over-read flaw was found in the GD library used by the PHP gd extension. (CVE-2014-9709) This update also fixes the following bugs: * The libgmp library in some cases terminated unexpectedly with a segmentation fault when being used with other libraries that use the GMP memory management. With this update, PHP no longer changes libgmp memory allocators, which prevents the described crash from occurring. (BZ#1212305) * When using the Open Database Connectivity (ODBC) API, the PHP process in some cases terminated unexpectedly with a segmentation fault. The underlying code has been adjusted to prevent this crash. (BZ#1212299) * Previously, running PHP on a big-endian system sometimes led to memory corruption in the fileinfo module. This update adjusts the behavior of the PHP pointer so that it can be freed without causing memory corruption. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1175718 - CVE-2014-8142 php: use after free vulnerability in unserialize() 1185397 - CVE-2015-0231 php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142) 1185472 - CVE-2015-0232 php: Free called on unitialized pointer in exif.c 1188599 - CVE-2014-9652 file: out of bounds read in mconvert() 1188639 - CVE-2014-9709 gd: buffer read overflow in gd_gif_in.c 1194730 - CVE-2015-0273 php: use after free vulnerability in unserialize() with DateTimeZone 1194737 - CVE-2014-9705 php: heap buffer overflow in enchant_broker_request_dict() 1194747 - CVE-2015-2301 php: use after free in phar_object.c 1204868 - CVE-2015-4147 php: SoapClient's __call() type confusion through unserialize() 1207676 - CVE-2015-2787 php: use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re 1207682 - CVE-2015-2348 php: move_uploaded_file() NUL byte injection in file name 1213394 - CVE-2015-3330 php: pipelined request executed in deinitialized interpreter under httpd 2.4 1213407 - CVE-2015-3411 php: missing null byte checks for paths in various PHP extensions 1213442 - CVE-2015-4604 CVE-2015-4605 php: denial of service when processing a crafted file with Fileinfo 1213446 - CVE-2015-2783 php: buffer over-read in Phar metadata parsing 1213449 - CVE-2015-3329 php: buffer overflow in phar_set_inode() 1222485 - CVE-2015-4024 php: multipart/form-data request paring CPU usage DoS 1222538 - CVE-2015-4599 CVE-2015-4600 CVE-2015-4601 php: type confusion issue in unserialize() with various SOAP methods 1223408 - CVE-2015-4025 php: CVE-2006-7243 regressions in 5.4+ 1223412 - CVE-2015-4022 php: integer overflow leading to heap overflow when reading FTP file listing 1223422 - CVE-2015-4026 php: pcntl_exec() accepts paths with NUL character 1223425 - CVE-2015-4021 php: memory corruption in phar_parse_tarfile caused by empty entry file name 1223441 - CVE-2015-3307 php: invalid pointer free() in phar_tar_process_metadata() 1226916 - CVE-2015-4148 php: SoapClient's do_soap_call() type confusion after unserialize() 1232823 - CVE-2015-3412 php: missing null byte checks for paths in various PHP extensions 1232897 - CVE-2015-4598 php: missing null byte checks for paths in DOM and GD extensions 1232918 - CVE-2015-4603 php: exception::getTraceAsString type confusion issue after unserialize 1232923 - CVE-2015-4602 php: Incomplete Class unserialization type confusion 6. Package List: Red Hat Enterprise Linux Client Optional (v. 7): Source: php-5.4.16-36.el7_1.src.rpm x86_64: php-5.4.16-36.el7_1.x86_64.rpm php-bcmath-5.4.16-36.el7_1.x86_64.rpm php-cli-5.4.16-36.el7_1.x86_64.rpm php-common-5.4.16-36.el7_1.x86_64.rpm php-dba-5.4.16-36.el7_1.x86_64.rpm php-debuginfo-5.4.16-36.el7_1.x86_64.rpm php-devel-5.4.16-36.el7_1.x86_64.rpm php-embedded-5.4.16-36.el7_1.x86_64.rpm php-enchant-5.4.16-36.el7_1.x86_64.rpm php-fpm-5.4.16-36.el7_1.x86_64.rpm php-gd-5.4.16-36.el7_1.x86_64.rpm php-intl-5.4.16-36.el7_1.x86_64.rpm php-ldap-5.4.16-36.el7_1.x86_64.rpm php-mbstring-5.4.16-36.el7_1.x86_64.rpm php-mysql-5.4.16-36.el7_1.x86_64.rpm php-mysqlnd-5.4.16-36.el7_1.x86_64.rpm php-odbc-5.4.16-36.el7_1.x86_64.rpm php-pdo-5.4.16-36.el7_1.x86_64.rpm php-pgsql-5.4.16-36.el7_1.x86_64.rpm php-process-5.4.16-36.el7_1.x86_64.rpm php-pspell-5.4.16-36.el7_1.x86_64.rpm php-recode-5.4.16-36.el7_1.x86_64.rpm php-snmp-5.4.16-36.el7_1.x86_64.rpm php-soap-5.4.16-36.el7_1.x86_64.rpm php-xml-5.4.16-36.el7_1.x86_64.rpm php-xmlrpc-5.4.16-36.el7_1.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): Source: php-5.4.16-36.el7_1.src.rpm x86_64: php-5.4.16-36.el7_1.x86_64.rpm php-bcmath-5.4.16-36.el7_1.x86_64.rpm php-cli-5.4.16-36.el7_1.x86_64.rpm php-common-5.4.16-36.el7_1.x86_64.rpm php-dba-5.4.16-36.el7_1.x86_64.rpm php-debuginfo-5.4.16-36.el7_1.x86_64.rpm php-devel-5.4.16-36.el7_1.x86_64.rpm php-embedded-5.4.16-36.el7_1.x86_64.rpm php-enchant-5.4.16-36.el7_1.x86_64.rpm php-fpm-5.4.16-36.el7_1.x86_64.rpm php-gd-5.4.16-36.el7_1.x86_64.rpm php-intl-5.4.16-36.el7_1.x86_64.rpm php-ldap-5.4.16-36.el7_1.x86_64.rpm php-mbstring-5.4.16-36.el7_1.x86_64.rpm php-mysql-5.4.16-36.el7_1.x86_64.rpm php-mysqlnd-5.4.16-36.el7_1.x86_64.rpm php-odbc-5.4.16-36.el7_1.x86_64.rpm php-pdo-5.4.16-36.el7_1.x86_64.rpm php-pgsql-5.4.16-36.el7_1.x86_64.rpm php-process-5.4.16-36.el7_1.x86_64.rpm php-pspell-5.4.16-36.el7_1.x86_64.rpm php-recode-5.4.16-36.el7_1.x86_64.rpm php-snmp-5.4.16-36.el7_1.x86_64.rpm php-soap-5.4.16-36.el7_1.x86_64.rpm php-xml-5.4.16-36.el7_1.x86_64.rpm php-xmlrpc-5.4.16-36.el7_1.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: php-5.4.16-36.el7_1.src.rpm ppc64: php-5.4.16-36.el7_1.ppc64.rpm php-cli-5.4.16-36.el7_1.ppc64.rpm php-common-5.4.16-36.el7_1.ppc64.rpm php-debuginfo-5.4.16-36.el7_1.ppc64.rpm php-gd-5.4.16-36.el7_1.ppc64.rpm php-ldap-5.4.16-36.el7_1.ppc64.rpm php-mysql-5.4.16-36.el7_1.ppc64.rpm php-odbc-5.4.16-36.el7_1.ppc64.rpm php-pdo-5.4.16-36.el7_1.ppc64.rpm php-pgsql-5.4.16-36.el7_1.ppc64.rpm php-process-5.4.16-36.el7_1.ppc64.rpm php-recode-5.4.16-36.el7_1.ppc64.rpm php-soap-5.4.16-36.el7_1.ppc64.rpm php-xml-5.4.16-36.el7_1.ppc64.rpm php-xmlrpc-5.4.16-36.el7_1.ppc64.rpm s390x: php-5.4.16-36.el7_1.s390x.rpm php-cli-5.4.16-36.el7_1.s390x.rpm php-common-5.4.16-36.el7_1.s390x.rpm php-debuginfo-5.4.16-36.el7_1.s390x.rpm php-gd-5.4.16-36.el7_1.s390x.rpm php-ldap-5.4.16-36.el7_1.s390x.rpm php-mysql-5.4.16-36.el7_1.s390x.rpm php-odbc-5.4.16-36.el7_1.s390x.rpm php-pdo-5.4.16-36.el7_1.s390x.rpm php-pgsql-5.4.16-36.el7_1.s390x.rpm php-process-5.4.16-36.el7_1.s390x.rpm php-recode-5.4.16-36.el7_1.s390x.rpm php-soap-5.4.16-36.el7_1.s390x.rpm php-xml-5.4.16-36.el7_1.s390x.rpm php-xmlrpc-5.4.16-36.el7_1.s390x.rpm x86_64: php-5.4.16-36.el7_1.x86_64.rpm php-cli-5.4.16-36.el7_1.x86_64.rpm php-common-5.4.16-36.el7_1.x86_64.rpm php-debuginfo-5.4.16-36.el7_1.x86_64.rpm php-gd-5.4.16-36.el7_1.x86_64.rpm php-ldap-5.4.16-36.el7_1.x86_64.rpm php-mysql-5.4.16-36.el7_1.x86_64.rpm php-odbc-5.4.16-36.el7_1.x86_64.rpm php-pdo-5.4.16-36.el7_1.x86_64.rpm php-pgsql-5.4.16-36.el7_1.x86_64.rpm php-process-5.4.16-36.el7_1.x86_64.rpm php-recode-5.4.16-36.el7_1.x86_64.rpm php-soap-5.4.16-36.el7_1.x86_64.rpm php-xml-5.4.16-36.el7_1.x86_64.rpm php-xmlrpc-5.4.16-36.el7_1.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: php-5.4.16-36.ael7b_1.src.rpm ppc64le: php-5.4.16-36.ael7b_1.ppc64le.rpm php-cli-5.4.16-36.ael7b_1.ppc64le.rpm php-common-5.4.16-36.ael7b_1.ppc64le.rpm php-debuginfo-5.4.16-36.ael7b_1.ppc64le.rpm php-gd-5.4.16-36.ael7b_1.ppc64le.rpm php-ldap-5.4.16-36.ael7b_1.ppc64le.rpm php-mysql-5.4.16-36.ael7b_1.ppc64le.rpm php-odbc-5.4.16-36.ael7b_1.ppc64le.rpm php-pdo-5.4.16-36.ael7b_1.ppc64le.rpm php-pgsql-5.4.16-36.ael7b_1.ppc64le.rpm php-process-5.4.16-36.ael7b_1.ppc64le.rpm php-recode-5.4.16-36.ael7b_1.ppc64le.rpm php-soap-5.4.16-36.ael7b_1.ppc64le.rpm php-xml-5.4.16-36.ael7b_1.ppc64le.rpm php-xmlrpc-5.4.16-36.ael7b_1.ppc64le.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: php-bcmath-5.4.16-36.el7_1.ppc64.rpm php-dba-5.4.16-36.el7_1.ppc64.rpm php-debuginfo-5.4.16-36.el7_1.ppc64.rpm php-devel-5.4.16-36.el7_1.ppc64.rpm php-embedded-5.4.16-36.el7_1.ppc64.rpm php-enchant-5.4.16-36.el7_1.ppc64.rpm php-fpm-5.4.16-36.el7_1.ppc64.rpm php-intl-5.4.16-36.el7_1.ppc64.rpm php-mbstring-5.4.16-36.el7_1.ppc64.rpm php-mysqlnd-5.4.16-36.el7_1.ppc64.rpm php-pspell-5.4.16-36.el7_1.ppc64.rpm php-snmp-5.4.16-36.el7_1.ppc64.rpm s390x: php-bcmath-5.4.16-36.el7_1.s390x.rpm php-dba-5.4.16-36.el7_1.s390x.rpm php-debuginfo-5.4.16-36.el7_1.s390x.rpm php-devel-5.4.16-36.el7_1.s390x.rpm php-embedded-5.4.16-36.el7_1.s390x.rpm php-enchant-5.4.16-36.el7_1.s390x.rpm php-fpm-5.4.16-36.el7_1.s390x.rpm php-intl-5.4.16-36.el7_1.s390x.rpm php-mbstring-5.4.16-36.el7_1.s390x.rpm php-mysqlnd-5.4.16-36.el7_1.s390x.rpm php-pspell-5.4.16-36.el7_1.s390x.rpm php-snmp-5.4.16-36.el7_1.s390x.rpm x86_64: php-bcmath-5.4.16-36.el7_1.x86_64.rpm php-dba-5.4.16-36.el7_1.x86_64.rpm php-debuginfo-5.4.16-36.el7_1.x86_64.rpm php-devel-5.4.16-36.el7_1.x86_64.rpm php-embedded-5.4.16-36.el7_1.x86_64.rpm php-enchant-5.4.16-36.el7_1.x86_64.rpm php-fpm-5.4.16-36.el7_1.x86_64.rpm php-intl-5.4.16-36.el7_1.x86_64.rpm php-mbstring-5.4.16-36.el7_1.x86_64.rpm php-mysqlnd-5.4.16-36.el7_1.x86_64.rpm php-pspell-5.4.16-36.el7_1.x86_64.rpm php-snmp-5.4.16-36.el7_1.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64le: php-bcmath-5.4.16-36.ael7b_1.ppc64le.rpm php-dba-5.4.16-36.ael7b_1.ppc64le.rpm php-debuginfo-5.4.16-36.ael7b_1.ppc64le.rpm php-devel-5.4.16-36.ael7b_1.ppc64le.rpm php-embedded-5.4.16-36.ael7b_1.ppc64le.rpm php-enchant-5.4.16-36.ael7b_1.ppc64le.rpm php-fpm-5.4.16-36.ael7b_1.ppc64le.rpm php-intl-5.4.16-36.ael7b_1.ppc64le.rpm php-mbstring-5.4.16-36.ael7b_1.ppc64le.rpm php-mysqlnd-5.4.16-36.ael7b_1.ppc64le.rpm php-pspell-5.4.16-36.ael7b_1.ppc64le.rpm php-snmp-5.4.16-36.ael7b_1.ppc64le.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: php-5.4.16-36.el7_1.src.rpm x86_64: php-5.4.16-36.el7_1.x86_64.rpm php-cli-5.4.16-36.el7_1.x86_64.rpm php-common-5.4.16-36.el7_1.x86_64.rpm php-debuginfo-5.4.16-36.el7_1.x86_64.rpm php-gd-5.4.16-36.el7_1.x86_64.rpm php-ldap-5.4.16-36.el7_1.x86_64.rpm php-mysql-5.4.16-36.el7_1.x86_64.rpm php-odbc-5.4.16-36.el7_1.x86_64.rpm php-pdo-5.4.16-36.el7_1.x86_64.rpm php-pgsql-5.4.16-36.el7_1.x86_64.rpm php-process-5.4.16-36.el7_1.x86_64.rpm php-recode-5.4.16-36.el7_1.x86_64.rpm php-soap-5.4.16-36.el7_1.x86_64.rpm php-xml-5.4.16-36.el7_1.x86_64.rpm php-xmlrpc-5.4.16-36.el7_1.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2014-8142 https://access.redhat.com/security/cve/CVE-2014-9652 https://access.redhat.com/security/cve/CVE-2014-9705 https://access.redhat.com/security/cve/CVE-2014-9709 https://access.redhat.com/security/cve/CVE-2015-0231 https://access.redhat.com/security/cve/CVE-2015-0232 https://access.redhat.com/security/cve/CVE-2015-0273 https://access.redhat.com/security/cve/CVE-2015-2301 https://access.redhat.com/security/cve/CVE-2015-2348 https://access.redhat.com/security/cve/CVE-2015-2783 https://access.redhat.com/security/cve/CVE-2015-2787 https://access.redhat.com/security/cve/CVE-2015-3307 https://access.redhat.com/security/cve/CVE-2015-3329 https://access.redhat.com/security/cve/CVE-2015-3330 https://access.redhat.com/security/cve/CVE-2015-3411 https://access.redhat.com/security/cve/CVE-2015-3412 https://access.redhat.com/security/cve/CVE-2015-4021 https://access.redhat.com/security/cve/CVE-2015-4022 https://access.redhat.com/security/cve/CVE-2015-4024 https://access.redhat.com/security/cve/CVE-2015-4025 https://access.redhat.com/security/cve/CVE-2015-4026 https://access.redhat.com/security/cve/CVE-2015-4147 https://access.redhat.com/security/cve/CVE-2015-4148 https://access.redhat.com/security/cve/CVE-2015-4598 https://access.redhat.com/security/cve/CVE-2015-4599 https://access.redhat.com/security/cve/CVE-2015-4600 https://access.redhat.com/security/cve/CVE-2015-4601 https://access.redhat.com/security/cve/CVE-2015-4602 https://access.redhat.com/security/cve/CVE-2015-4603 https://access.redhat.com/security/cve/CVE-2015-4604 https://access.redhat.com/security/cve/CVE-2015-4605 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFViR1aXlSAg2UNWIIRAuxPAJ42GLQVzvzc9kje0VjDv8NZWcPv6QCbBL+O dtqycPWs+07GhjmZ6NNx5Bg= =FREZ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . For the stable distribution (wheezy), these problems have been fixed in version 5.4.39-0+deb7u1. This update also fixes a regression in the curl support introduced in DSA 3195. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your php5 packages. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04686230 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04686230 Version: 1 HPSBUX03337 SSRT102066 rev.1 - HP-UX Apache Web Server Suite running Apache Web Server, Tomcat v6.x, or PHP v5.4.x, Remote Denial of Service (DoS) and Other Vulnerabilities NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2015-06-10 Last Updated: 2015-06-10 Potential Security Impact: Remote denial of service (DoS), man-in-the-middle (MitM) attack, modification of data, local modification of data Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with the HP-UX Apache Web Server Suite, Tomcat Servlet Engine, and PHP. These could be exploited remotely to create a Denial of Service (DoS) and other vulnerabilities. HP-UX B.11.31 running HP-UX Apache Web Server Suite v4.04 or earlier HP-UX B.11.31 running HP-UX Apache Web Server v2.2.15.22 or earlier HP-UX B.11.31 running Tomcat Servlet Engine v6.0.39.03 or earlier HP-UX B.11.31 running PHP v5.4.11.04 or earlier BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2013-5704 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0 CVE-2014-0118 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2014-0226 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2014-0227 (AV:N/AC:L/Au:N/C:N/I:P/A:P) 6.4 CVE-2014-0231 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2014-8142 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2014-9709 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2015-0231 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2015-0273 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2015-1352 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2015-2301 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2015-2305 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2015-2331 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2015-2783 (AV:N/AC:M/Au:N/C:P/I:N/A:P) 5.8 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided the following software updates to resolve the vulnerabilities. The updates are available for download from http://software.hp.com NOTE: HP-UX Web Server Suite v4.05 HPUXWSATW405 contains Apache v2.2.29.01, Tomcat Servlet Engine 6.0.43.01, PHP 5.4.40.01, and Webmin v1.070.13 HP-UX 11i Release Apache Depot name B.11.31 (11i v3 32-bit) HP_UX_11.31_HPUXWS22ATW-B405-11-31-64.depot B.11.31 (11i v3 64-bit) HP_UX_11.31_HPUXWS22ATW-B405-11-31-64.depot MANUAL ACTIONS: Yes - Update Install HP-UX Web Server Suite v4.05 or subsequent PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX B.11.31 ================== hpuxws22APCH32.APACHE hpuxws22APCH32.APACHE2 hpuxws22APCH32.AUTH_LDAP hpuxws22APCH32.AUTH_LDAP2 hpuxws22APCH32.MOD_JK hpuxws22APCH32.MOD_JK2 hpuxws22APCH32.MOD_PERL hpuxws22APCH32.MOD_PERL2 hpuxws22APCH32.PHP hpuxws22APCH32.PHP2 hpuxws22APCH32.WEBPROXY hpuxws22APCH32.WEBPROXY2 hpuxws22APACHE.APACHE hpuxws22APACHE.APACHE2 hpuxws22APACHE.AUTH_LDAP hpuxws22APACHE.AUTH_LDAP2 hpuxws22APACHE.MOD_JK hpuxws22APACHE.MOD_JK2 hpuxws22APACHE.MOD_PERL hpuxws22APACHE.MOD_PERL2 hpuxws22APACHE.PHP hpuxws22APACHE.PHP2 hpuxws22APACHE.WEBPROXY hpuxws22APACHE.WEBPROXY2 action: install revision B.2.2.29.01 or subsequent hpuxws22TOMCAT.TOMCAT action: install revision C.6.0.43.01 or subsequent END AFFECTED VERSIONS HISTORY Version:1 (rev.1) - 10 June 2015 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2015:080 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : php Date : March 28, 2015 Affected: Business Server 2.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been discovered and corrected in php: It was discovered that the file utility contains a flaw in the handling of indirect magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files (CVE-2014-1943). A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code (CVE-2014-2270). The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters (CVE-2013-7345). PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain socket with world-writable permissions by default, which allows any local user to connect to it and execute PHP scripts as the apache user (CVE-2014-0185). A flaw was found in the way file&#039;s Composite Document Files (CDF) format parser handle CDF files with many summary info entries. The cdf_unpack_summary_info() function unnecessarily repeatedly read the info from the same offset. This led to many file_printf() calls in cdf_file_property_info(), which caused file to use an excessive amount of CPU time when parsing a specially-crafted CDF file (CVE-2014-0237). A flaw was found in the way file parsed property information from Composite Document Files (CDF) files. A property entry with 0 elements triggers an infinite loop (CVE-2014-0238). The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue related to the SPL ArrayObject and SPLObjectStorage Types (CVE-2014-3515). It was discovered that PHP is vulnerable to a heap-based buffer overflow in the DNS TXT record parsing. A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query (CVE-2014-4049). A flaw was found in the way file parsed property information from Composite Document Files (CDF) files, where the mconvert() function did not correctly compute the truncated pascal string size (CVE-2014-3478). Multiple flaws were found in the way file parsed property information from Composite Document Files (CDF) files, due to insufficient boundary checks on buffers (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487). The phpinfo() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue that can cause it to leak arbitrary process memory (CVE-2014-4721). NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571 (CVE-2014-3587). NOTE: this issue exists because of an incomplete fix for CVE-2014-4049 (CVE-2014-3597). An integer overflow flaw in PHP&#039;s unserialize() function was reported. If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure (CVE-2014-3669). A heap corruption issue was reported in PHP&#039;s exif_thumbnail() function. A specially-crafted JPEG image could cause the PHP interpreter to crash or, potentially, execute arbitrary code (CVE-2014-3670). If client-supplied input was passed to PHP&#039;s cURL client as a URL to download, it could return local files from the server due to improper handling of null bytes (PHP#68089). An out-of-bounds read flaw was found in file&#039;s donote() function in the way the file utility determined the note headers of a elf file. This could possibly lead to file executable crash (CVE-2014-3710). A use-after-free flaw was found in PHP unserialize(). An untrusted input could cause PHP interpreter to crash or, possibly, execute arbitrary code when processed using unserialize() (CVE-2014-8142). sapi/cgi/cgi_main.c in the CGI component in PHP before 5.5.21, when mmap is used to read a .php file, does not properly consider the mapping&#039;s length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping (CVE-2014-9427). Free called on an uninitialized pointer in php-exif in PHP before 5.5.21 (CVE-2015-0232). The readelf.c source file has been removed from PHP&#039;s bundled copy of file&#039;s libmagic, eliminating exposure to denial of service issues in ELF file parsing such as CVE-2014-8116, CVE-2014-8117, CVE-2014-9620 and CVE-2014-9621 in PHP&#039;s fileinfo module. S. Paraschoudis discovered that PHP incorrectly handled memory in the enchant binding. Taoguang Chen discovered that PHP incorrectly handled unserializing objects. It was discovered that PHP incorrectly handled memory in the phar extension. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142 (CVE-2015-0231). An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libzip, which is embedded in PHP, processed certain ZIP archives. If an attacker were able to supply a specially crafted ZIP archive to an application using libzip, it could cause the application to crash or, possibly, execute arbitrary code (CVE-2015-2331). It was discovered that the PHP opcache component incorrectly handled memory. It was discovered that the PHP PostgreSQL database extension incorrectly handled certain pointers. PHP contains a bundled copy of the file utility&#039;s libmagic library, so it was vulnerable to the libmagic issues. The updated php packages have been patched and upgraded to the 5.5.23 version which is not vulnerable to these issues. The libzip packages has been patched to address the CVE-2015-2331 flaw. A bug in the php zip extension that could cause a crash has been fixed (mga#13820) Additionally the jsonc and timezonedb packages has been upgraded to the latest versions and the PECL packages which requires so has been rebuilt for php-5.5.23. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0185 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3587 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3597 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4670 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4698 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4721 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8116 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8117 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9425 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9427 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9620 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9621 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9705 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0232 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0273 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1351 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1352 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2301 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331 http://php.net/ChangeLog-5.php#5.5.9 http://php.net/ChangeLog-5.php#5.5.10 http://php.net/ChangeLog-5.php#5.5.11 http://php.net/ChangeLog-5.php#5.5.12 http://php.net/ChangeLog-5.php#5.5.13 http://php.net/ChangeLog-5.php#5.5.14 http://php.net/ChangeLog-5.php#5.5.15 http://php.net/ChangeLog-5.php#5.5.16 http://php.net/ChangeLog-5.php#5.5.17 http://php.net/ChangeLog-5.php#5.5.18 http://php.net/ChangeLog-5.php#5.5.19 http://php.net/ChangeLog-5.php#5.5.20 http://php.net/ChangeLog-5.php#5.5.21 http://php.net/ChangeLog-5.php#5.5.22 http://php.net/ChangeLog-5.php#5.5.22 http://php.net/ChangeLog-5.php#5.5.23 http://www.ubuntu.com/usn/usn-2535-1/ http://www.ubuntu.com/usn/usn-2501-1/ https://bugzilla.redhat.com/show_bug.cgi?id=1204676 http://advisories.mageia.org/MGASA-2014-0163.html http://advisories.mageia.org/MGASA-2014-0178.html http://advisories.mageia.org/MGASA-2014-0215.html http://advisories.mageia.org/MGASA-2014-0258.html http://advisories.mageia.org/MGASA-2014-0284.html http://advisories.mageia.org/MGASA-2014-0324.html http://advisories.mageia.org/MGASA-2014-0367.html http://advisories.mageia.org/MGASA-2014-0430.html http://advisories.mageia.org/MGASA-2014-0441.html http://advisories.mageia.org/MGASA-2014-0542.html http://advisories.mageia.org/MGASA-2015-0040.html https://bugs.mageia.org/show_bug.cgi?id=13820 _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: a4e09575e26b690bd44801a126795ce9 mbs2/x86_64/apache-mod_php-5.5.23-1.mbs2.x86_64.rpm e156aaf446f543279f758b767e5ce6f2 mbs2/x86_64/lib64php5_common5-5.5.23-1.mbs2.x86_64.rpm cf1653dd6b3606ff8983739fe7728502 mbs2/x86_64/lib64zip2-0.11.2-1.1.mbs2.x86_64.rpm 2ed6c588ca428a502ab995726d497527 mbs2/x86_64/lib64zip-devel-0.11.2-1.1.mbs2.x86_64.rpm 91fd4a50d38c904247519a34f71ac9a7 mbs2/x86_64/libzip-0.11.2-1.1.mbs2.x86_64.rpm 0fad2aa8ca3bed422588c7d7c349e3e7 mbs2/x86_64/php-bcmath-5.5.23-1.mbs2.x86_64.rpm b797a14554b170f1f2c307eebd5011ce mbs2/x86_64/php-bz2-5.5.23-1.mbs2.x86_64.rpm 83abadd87c78c719b585acbfcbf1f54a mbs2/x86_64/php-calendar-5.5.23-1.mbs2.x86_64.rpm 71b728b5c58335c37e9ee059a98179b5 mbs2/x86_64/php-cgi-5.5.23-1.mbs2.x86_64.rpm d6047e2545b396ad29b2619c3d811b49 mbs2/x86_64/php-cli-5.5.23-1.mbs2.x86_64.rpm 933344ca17f96bd844db47c993b8ce1a mbs2/x86_64/php-ctype-5.5.23-1.mbs2.x86_64.rpm 0278a991ed7a7ea1d51c6651b1157744 mbs2/x86_64/php-curl-5.5.23-1.mbs2.x86_64.rpm a3f172d95d061f6a2ba9ce562f1068ac mbs2/x86_64/php-dba-5.5.23-1.mbs2.x86_64.rpm d239cccc6594bfe8169c0b5300ca1dd0 mbs2/x86_64/php-devel-5.5.23-1.mbs2.x86_64.rpm 73a234b9c369a20c349fca7f425b405a mbs2/x86_64/php-doc-5.5.23-1.mbs2.noarch.rpm ab4caa5f1a397e2f267479f08616d027 mbs2/x86_64/php-dom-5.5.23-1.mbs2.x86_64.rpm 016b8d010a1866935f2a6889b712300c mbs2/x86_64/php-enchant-5.5.23-1.mbs2.x86_64.rpm f9bd5f358336ea8a997f85f4d690fd40 mbs2/x86_64/php-exif-5.5.23-1.mbs2.x86_64.rpm 9f0ef885d5e7abb84c1b0c6242bd1a54 mbs2/x86_64/php-fileinfo-5.5.23-1.mbs2.x86_64.rpm f551fc699944abdbd78cd1f74e1db713 mbs2/x86_64/php-filter-5.5.23-1.mbs2.x86_64.rpm 10c6ad89a0707acdff025ee0166b4361 mbs2/x86_64/php-fpm-5.5.23-1.mbs2.x86_64.rpm fad5946e3ff8bf1d3b7215fee229b934 mbs2/x86_64/php-ftp-5.5.23-1.mbs2.x86_64.rpm c74071a614cc4f8d5ac612736264aad2 mbs2/x86_64/php-gd-5.5.23-1.mbs2.x86_64.rpm 788e0972b5aa918a0c8ce2b0e30270a6 mbs2/x86_64/php-gettext-5.5.23-1.mbs2.x86_64.rpm 996120d4c1fa233bdb38aedf0718f593 mbs2/x86_64/php-gmp-5.5.23-1.mbs2.x86_64.rpm e032d9a3c8e078242347623f1ff51b5a mbs2/x86_64/php-hash-5.5.23-1.mbs2.x86_64.rpm c1da3a1898b05995091ad1c2237bdf6a mbs2/x86_64/php-iconv-5.5.23-1.mbs2.x86_64.rpm 37b4a5d86006024878d397a8478d5a42 mbs2/x86_64/php-imap-5.5.23-1.mbs2.x86_64.rpm bd10d9a55ee8db73b4d80dae1e14e4e0 mbs2/x86_64/php-ini-5.5.23-1.mbs2.x86_64.rpm 4cb54cd72bd26728bb29f5d00a5174af mbs2/x86_64/php-interbase-5.5.23-1.mbs2.x86_64.rpm 2713dca82ad94d88b379db3fa012ed2d mbs2/x86_64/php-intl-5.5.23-1.mbs2.x86_64.rpm f0a9187b81e038400dae4e01123b751c mbs2/x86_64/php-json-5.5.23-1.mbs2.x86_64.rpm c395a0cb573d9432c9e4c2a4b92d1d0f mbs2/x86_64/php-ldap-5.5.23-1.mbs2.x86_64.rpm f2374e34b874072d2268acf1c72b383a mbs2/x86_64/php-mbstring-5.5.23-1.mbs2.x86_64.rpm 7ca3ce3a9464933af1a147c206c25d0d mbs2/x86_64/php-mcrypt-5.5.23-1.mbs2.x86_64.rpm dbe828f1c2caa3eef932fc0c14a7e2e9 mbs2/x86_64/php-mssql-5.5.23-1.mbs2.x86_64.rpm 995e9f09906309252d850618c3fffaa6 mbs2/x86_64/php-mysql-5.5.23-1.mbs2.x86_64.rpm c474c1f1dc45f14ea5357092277d2f22 mbs2/x86_64/php-mysqli-5.5.23-1.mbs2.x86_64.rpm cdcb4872386b83ef3969f918bf99f941 mbs2/x86_64/php-mysqlnd-5.5.23-1.mbs2.x86_64.rpm cbb1652273fb07f216c50b8d1b5445c2 mbs2/x86_64/php-odbc-5.5.23-1.mbs2.x86_64.rpm 29ab61a3d1d00ad57c875d87b62d2e12 mbs2/x86_64/php-opcache-5.5.23-1.mbs2.x86_64.rpm 349f796a960ef2207b30a06e386f2653 mbs2/x86_64/php-openssl-5.5.23-1.mbs2.x86_64.rpm 7a7411900384da8741e32a3f6f8036c2 mbs2/x86_64/php-pcntl-5.5.23-1.mbs2.x86_64.rpm ba3b14e45177b257ada03f7ff4b16deb mbs2/x86_64/php-pdo-5.5.23-1.mbs2.x86_64.rpm ae5b57dbff67c7595e154313321ff693 mbs2/x86_64/php-pdo_dblib-5.5.23-1.mbs2.x86_64.rpm 8782f71797f7cb271a514b735b19621a mbs2/x86_64/php-pdo_firebird-5.5.23-1.mbs2.x86_64.rpm ac39db58d4100f3d2d24593d3b5907fc mbs2/x86_64/php-pdo_mysql-5.5.23-1.mbs2.x86_64.rpm 210b990793c2d616fb0aecc4fde28eb6 mbs2/x86_64/php-pdo_odbc-5.5.23-1.mbs2.x86_64.rpm 6ae4df7959ddd3a8a0724ddddbe41a71 mbs2/x86_64/php-pdo_pgsql-5.5.23-1.mbs2.x86_64.rpm 1f9bdab81fa668dd583abe873892993e mbs2/x86_64/php-pdo_sqlite-5.5.23-1.mbs2.x86_64.rpm f0cbb5dde255f5c8fa3e04e3a5314ab1 mbs2/x86_64/php-pgsql-5.5.23-1.mbs2.x86_64.rpm e46ac8c820911a6091540e135f103154 mbs2/x86_64/php-phar-5.5.23-1.mbs2.x86_64.rpm 5050a745bfc3b1f5eeced2dd85f79721 mbs2/x86_64/php-posix-5.5.23-1.mbs2.x86_64.rpm c9093134a518c07f4e8a188987f853d3 mbs2/x86_64/php-readline-5.5.23-1.mbs2.x86_64.rpm 2b48c3f35573e00b5ba4327e8edc05f2 mbs2/x86_64/php-recode-5.5.23-1.mbs2.x86_64.rpm ae2157230db4d6e28698db384c8f7fcb mbs2/x86_64/php-session-5.5.23-1.mbs2.x86_64.rpm 2610a739bfa29ff11e648c7baa1d8bc3 mbs2/x86_64/php-shmop-5.5.23-1.mbs2.x86_64.rpm b7999e11cf9d2ab510263e32cabaf312 mbs2/x86_64/php-snmp-5.5.23-1.mbs2.x86_64.rpm ab665c30f0d2f13baa1c6475b7df7cac mbs2/x86_64/php-soap-5.5.23-1.mbs2.x86_64.rpm f331837ba716316cef094765a1700101 mbs2/x86_64/php-sockets-5.5.23-1.mbs2.x86_64.rpm 134f8bb18790bd023e73919a794703a0 mbs2/x86_64/php-sqlite3-5.5.23-1.mbs2.x86_64.rpm 4b4aa44d0ac56629610bb0444f199df5 mbs2/x86_64/php-sybase_ct-5.5.23-1.mbs2.x86_64.rpm fc69f644f36308d81f37f356b76e40a1 mbs2/x86_64/php-sysvmsg-5.5.23-1.mbs2.x86_64.rpm 981b7ef6715aacfe9250b206dbbbad31 mbs2/x86_64/php-sysvsem-5.5.23-1.mbs2.x86_64.rpm 91c006555173d03f1d25899947702673 mbs2/x86_64/php-sysvshm-5.5.23-1.mbs2.x86_64.rpm 62e5fa5fa8b4d89d7835f2f68169af14 mbs2/x86_64/php-tidy-5.5.23-1.mbs2.x86_64.rpm 0c5a9237c710dd098c8bb56018f7a142 mbs2/x86_64/php-timezonedb-2015.1-1.mbs2.x86_64.rpm d94aa68a9ce76bce5c962c58f37ac5a5 mbs2/x86_64/php-tokenizer-5.5.23-1.mbs2.x86_64.rpm 317c7da32daa223560dc08bbae89d98d mbs2/x86_64/php-wddx-5.5.23-1.mbs2.x86_64.rpm 9b2cf90dfc6f6bdc0431a6f94d43a947 mbs2/x86_64/php-xml-5.5.23-1.mbs2.x86_64.rpm 0a1b6e0beeb36f24f9250a352fbff1e9 mbs2/x86_64/php-xmlreader-5.5.23-1.mbs2.x86_64.rpm 598925bc71347774e805b6fcfcbcf590 mbs2/x86_64/php-xmlrpc-5.5.23-1.mbs2.x86_64.rpm 49a1f8e773e98bb101488b805670651c mbs2/x86_64/php-xmlwriter-5.5.23-1.mbs2.x86_64.rpm 0b7c2f2fe7b3103631dd07d12d443e06 mbs2/x86_64/php-xsl-5.5.23-1.mbs2.x86_64.rpm 5cb68626d863213de934655dac8342c8 mbs2/x86_64/php-zip-5.5.23-1.mbs2.x86_64.rpm a27bab106c0ba87f220ff35937210a63 mbs2/x86_64/php-zlib-5.5.23-1.mbs2.x86_64.rpm 3dd6a6eeb12c7207446053e4785d6974 mbs2/SRPMS/libzip-0.11.2-1.1.mbs2.src.rpm 5d69769d822628a5bf1485eaa1251b8e mbs2/SRPMS/php-5.5.23-1.mbs2.src.rpm 0a629c11ca23ba56d57f61a754def293 mbs2/SRPMS/php-timezonedb-2015.1-1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVFlFxmqjQ0CJFipgRApIaAJ0TuOLlCRGmp4O6TdNSKUpeRBS2xACgzIEB yZuDdHZcMPOQTP7seWcvVWc= =esZS -----END PGP SIGNATURE----- . The php55 packages provide a recent stable release of PHP with the PEAR 1.9.4, memcache 3.0.8, and mongo 1.4.5 PECL extensions, and a number of additional utilities

Trust: 2.07

sources: NVD: CVE-2015-2301 // BID: 73037 // VULHUB: VHN-80262 // VULMON: CVE-2015-2301 // PACKETSTORM: 132161 // PACKETSTORM: 132618 // PACKETSTORM: 131577 // PACKETSTORM: 132406 // PACKETSTORM: 130940 // PACKETSTORM: 132263 // PACKETSTORM: 131082 // PACKETSTORM: 132158

AFFECTED PRODUCTS

vendor:phpmodel:phpscope:ltversion:5.4.40

Trust: 1.0

vendor:redhatmodel:enterprise linux desktopscope:eqversion:7.0

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:12.04

Trust: 1.0

vendor:phpmodel:phpscope:gteversion:5.6.0

Trust: 1.0

vendor:redhatmodel:enterprise linux hpc node eusscope:eqversion:7.1

Trust: 1.0

vendor:phpmodel:phpscope:gteversion:5.5.0

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:10.04

Trust: 1.0

vendor:phpmodel:phpscope:gteversion:5.4.0

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:14.10

Trust: 1.0

vendor:applemodel:mac os xscope:lteversion:10.10.4

Trust: 1.0

vendor:redhatmodel:enterprise linux serverscope:eqversion:7.0

Trust: 1.0

vendor:opensusemodel:opensusescope:eqversion:13.2

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:7.0

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:14.04

Trust: 1.0

vendor:redhatmodel:enterprise linux workstationscope:eqversion:7.0

Trust: 1.0

vendor:phpmodel:phpscope:ltversion:5.6.6

Trust: 1.0

vendor:redhatmodel:enterprise linux server eusscope:eqversion:7.1

Trust: 1.0

vendor:redhatmodel:enterprise linux hpc nodescope:eqversion:7.0

Trust: 1.0

vendor:opensusemodel:opensusescope:eqversion:13.1

Trust: 1.0

vendor:phpmodel:phpscope:ltversion:5.5.22

Trust: 1.0

vendor:phpmodel:phpscope:eqversion:5.5.18

Trust: 0.6

vendor:phpmodel:phpscope:eqversion:5.5.13

Trust: 0.6

vendor:phpmodel:phpscope:eqversion:5.5.20

Trust: 0.6

vendor:phpmodel:phpscope:eqversion:5.5.15

Trust: 0.6

vendor:phpmodel:phpscope:eqversion:5.5.16

Trust: 0.6

vendor:phpmodel:phpscope:eqversion:5.5.21

Trust: 0.6

vendor:phpmodel:phpscope:eqversion:5.5.19

Trust: 0.6

vendor:phpmodel:phpscope:eqversion:5.5.17

Trust: 0.6

vendor:phpmodel:phpscope:eqversion:5.5.14

Trust: 0.6

vendor:phpmodel:phpscope:eqversion:5.6.0

Trust: 0.6

vendor:ubuntumodel:linux lts i386scope:eqversion:12.04

Trust: 0.3

vendor:ubuntumodel:linux lts amd64scope:eqversion:12.04

Trust: 0.3

vendor:ubuntumodel:linux sparcscope:eqversion:10.04

Trust: 0.3

vendor:ubuntumodel:linux powerpcscope:eqversion:10.04

Trust: 0.3

vendor:ubuntumodel:linux i386scope:eqversion:10.04

Trust: 0.3

vendor:ubuntumodel:linux armscope:eqversion:10.04

Trust: 0.3

vendor:ubuntumodel:linux amd64scope:eqversion:10.04

Trust: 0.3

vendor:redmodel:hat enterprise linux workstation optionalscope:eqversion:6

Trust: 0.3

vendor:redmodel:hat enterprise linux workstationscope:eqversion:6

Trust: 0.3

vendor:redmodel:hat enterprise linux server optionalscope:eqversion:6

Trust: 0.3

vendor:redmodel:hat enterprise linux serverscope:eqversion:6

Trust: 0.3

vendor:redmodel:hat enterprise linux hpc node optionalscope:eqversion:6

Trust: 0.3

vendor:redmodel:hat enterprise linux hpc nodescope:eqversion:6

Trust: 0.3

vendor:redmodel:hat enterprise linux desktop optionalscope:eqversion:6

Trust: 0.3

vendor:oraclemodel:enterprise linuxscope:eqversion:6.2

Trust: 0.3

vendor:oraclemodel:enterprise linuxscope:eqversion:6

Trust: 0.3

vendor:hpmodel:virtual connect enterprise managerscope:eqversion:6.2

Trust: 0.3

vendor:hpmodel:virtual connect enterprise managerscope:eqversion:6.1

Trust: 0.3

vendor:hpmodel:virtual connect enterprise managerscope:eqversion:6.0

Trust: 0.3

vendor:hpmodel:version control agentscope:eqversion:2.1.5

Trust: 0.3

vendor:hpmodel:systems insight managerscope:eqversion:7.0

Trust: 0.3

vendor:hpmodel:systems insight managerscope:eqversion:6.3

Trust: 0.3

vendor:hpmodel:systems insight managerscope:eqversion:6.2

Trust: 0.3

vendor:hpmodel:systems insight managerscope:eqversion:6.1

Trust: 0.3

vendor:hpmodel:systems insight managerscope:eqversion:6.0

Trust: 0.3

vendor:hpmodel:systems insight managerscope:eqversion:5.3

Trust: 0.3

vendor:hpmodel:systems insight managerscope:eqversion:5.0

Trust: 0.3

vendor:hpmodel:systems insight managerscope:eqversion:4.2

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:6.2.27

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:3.0.2.77

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:3.0.68

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:3.0.64

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.2.9.1

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.2.8

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.2.6

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.1.12

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.1.11

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.1.10

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.1.9

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.1.8

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.1.7

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.1.6

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.1.5

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.1.4

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.1.3

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.1.2

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.1.1

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.1

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.0.2

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.0.1

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:2.0

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:7.0

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:6.3

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:6.2

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:6.0

Trust: 0.3

vendor:hpmodel:insight orchestrationscope:eqversion:6.2

Trust: 0.3

vendor:hpmodel:insight orchestrationscope:eqversion:6.1

Trust: 0.3

vendor:hpmodel:insight orchestrationscope:eqversion:6.0

Trust: 0.3

vendor:hpmodel:hp-ux b.11.31scope: - version: -

Trust: 0.3

vendor:debianmodel:linux sparcscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux s/390scope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux powerpcscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux mipsscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux ia-64scope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux ia-32scope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux armscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux amd64scope:eqversion:6.0

Trust: 0.3

vendor:centosmodel:centosscope:eqversion:6

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.7.4

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.7.3

Trust: 0.3

vendor:applemodel:mac osscope:eqversion:x10.7.1

Trust: 0.3

sources: BID: 73037 // CNNVD: CNNVD-201503-624 // NVD: CVE-2015-2301

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-2301
value: HIGH

Trust: 1.0

CNNVD: CNNVD-201503-624
value: HIGH

Trust: 0.6

VULHUB: VHN-80262
value: HIGH

Trust: 0.1

VULMON: CVE-2015-2301
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-2301
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-80262
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-80262 // VULMON: CVE-2015-2301 // CNNVD: CNNVD-201503-624 // NVD: CVE-2015-2301

PROBLEMTYPE DATA

problemtype:CWE-416

Trust: 1.0

sources: NVD: CVE-2015-2301

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 132406 // CNNVD: CNNVD-201503-624

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201503-624

PATCH

title:php-src-php-5.6.6url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=54699

Trust: 0.6

title:php-src-php-5.6.6url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=54698

Trust: 0.6

title:php-src-php-5.5.22url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=54697

Trust: 0.6

title:php-src-php-5.5.22url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=54696

Trust: 0.6

title:php-src-php-5.4.38url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=54695

Trust: 0.6

title:php-src-php-5.4.38url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=54694

Trust: 0.6

title:Ubuntu Security Notice: php5 vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-2535-1

Trust: 0.1

title:Red Hat: CVE-2015-2301url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2015-2301

Trust: 0.1

title:Debian Security Advisories: DSA-3198-1 php5 -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=5c4d31fb1a942bdc1ee4d9ee7c751940

Trust: 0.1

title:Debian CVElist Bug Report Logs: php5: CVE-2015-2331url:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=ba7729d0dba9bfe30fe987c59a0c7f95

Trust: 0.1

title:Amazon Linux AMI: ALAS-2015-509url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2015-509

Trust: 0.1

title:Apple: OS X El Capitan v10.11url:https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=e88bab658248444f5dffc23fd95859e7

Trust: 0.1

title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - July 2015url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=8b701aba68029ec36b631a8e26157a22

Trust: 0.1

title:Oracle Linux Bulletins: Oracle Linux Bulletin - January 2016url:https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins&qid=8ad80411af3e936eb2998df70506cc71

Trust: 0.1

sources: VULMON: CVE-2015-2301 // CNNVD: CNNVD-201503-624

EXTERNAL IDS

db:NVDid:CVE-2015-2301

Trust: 2.9

db:BIDid:73037

Trust: 2.1

db:SECTRACKid:1031949

Trust: 1.8

db:OPENWALLid:OSS-SECURITY/2015/03/15/6

Trust: 1.8

db:CNNVDid:CNNVD-201503-624

Trust: 0.7

db:PACKETSTORMid:130940

Trust: 0.2

db:VULHUBid:VHN-80262

Trust: 0.1

db:VULMONid:CVE-2015-2301

Trust: 0.1

db:PACKETSTORMid:132161

Trust: 0.1

db:PACKETSTORMid:132618

Trust: 0.1

db:PACKETSTORMid:131577

Trust: 0.1

db:PACKETSTORMid:132406

Trust: 0.1

db:PACKETSTORMid:132263

Trust: 0.1

db:PACKETSTORMid:131082

Trust: 0.1

db:PACKETSTORMid:132158

Trust: 0.1

sources: VULHUB: VHN-80262 // VULMON: CVE-2015-2301 // BID: 73037 // PACKETSTORM: 132161 // PACKETSTORM: 132618 // PACKETSTORM: 131577 // PACKETSTORM: 132406 // PACKETSTORM: 130940 // PACKETSTORM: 132263 // PACKETSTORM: 131082 // PACKETSTORM: 132158 // CNNVD: CNNVD-201503-624 // NVD: CVE-2015-2301

REFERENCES

url:http://rhn.redhat.com/errata/rhsa-2015-1135.html

Trust: 2.2

url:http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

Trust: 2.1

url:https://bugs.php.net/bug.php?id=68901

Trust: 2.1

url:http://www.securityfocus.com/bid/73037

Trust: 1.9

url:http://rhn.redhat.com/errata/rhsa-2015-1053.html

Trust: 1.9

url:http://rhn.redhat.com/errata/rhsa-2015-1066.html

Trust: 1.9

url:http://rhn.redhat.com/errata/rhsa-2015-1218.html

Trust: 1.9

url:http://lists.apple.com/archives/security-announce/2015/sep/msg00008.html

Trust: 1.8

url:http://php.net/changelog-5.php

Trust: 1.8

url:http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html

Trust: 1.8

url:https://bugzilla.redhat.com/show_bug.cgi?id=1194747

Trust: 1.8

url:https://support.apple.com/ht205267

Trust: 1.8

url:http://www.debian.org/security/2015/dsa-3198

Trust: 1.8

url:https://security.gentoo.org/glsa/201606-10

Trust: 1.8

url:http://www.mandriva.com/security/advisories?name=mdvsa-2015:079

Trust: 1.8

url:http://openwall.com/lists/oss-security/2015/03/15/6

Trust: 1.8

url:http://www.securitytracker.com/id/1031949

Trust: 1.8

url:http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00005.html

Trust: 1.8

url:http://lists.opensuse.org/opensuse-updates/2015-04/msg00002.html

Trust: 1.8

url:http://www.ubuntu.com/usn/usn-2535-1

Trust: 1.8

url:http://marc.info/?l=bugtraq&m=143403519711434&w=2

Trust: 1.7

url:http://marc.info/?l=bugtraq&m=143748090628601&w=2

Trust: 1.7

url:http://marc.info/?l=bugtraq&m=144050155601375&w=2

Trust: 1.7

url:http://git.php.net/?p=php-src.git;a=commit;h=b2cf3f064b8f5efef89bb084521b61318c71781b

Trust: 1.1

url:http://git.php.net/?p=php-src.git%3ba=commit%3bh=b2cf3f064b8f5efef89bb084521b61318c71781b

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2015-2301

Trust: 0.7

url:https://nvd.nist.gov/vuln/detail/cve-2014-9709

Trust: 0.6

url:https://access.redhat.com/security/cve/cve-2015-2301

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2014-8142

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2015-0231

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2015-0273

Trust: 0.5

url:http://php.net/changelog-5.php#5.5.22

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2015-4148

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2015-4147

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2015-4147

Trust: 0.4

url:https://access.redhat.com/articles/11258

Trust: 0.4

url:https://access.redhat.com/security/team/contact/

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2015-4148

Trust: 0.4

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2014-9705

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2015-0232

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2015-0232

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2015-0273

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2014-9705

Trust: 0.4

url:https://bugzilla.redhat.com/):

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2015-2787

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2015-2787

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2015-2305

Trust: 0.4

url:https://access.redhat.com/security/team/key/

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2014-9709

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2015-2783

Trust: 0.4

url:http://php.net/changelog-5.php#5.6.6

Trust: 0.3

url:http://www.php.net/

Trust: 0.3

url:http://seclists.org/bugtraq/2015/apr/151

Trust: 0.3

url:https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04746490

Trust: 0.3

url:http://seclists.org/bugtraq/2015/aug/135

Trust: 0.3

url:https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04686230

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2015-2348

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2015-1351

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2014-9427

Trust: 0.3

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2015-2348

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2014-8142

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2014-9652

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2014-9652

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2015-0231

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2015-2331

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2015-1352

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2015-1351

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2014-9427

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2015-2305

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2015-4601

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2015-3411

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2015-4600

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2015-4021

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2015-4603

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2015-4024

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2015-4021

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2015-4600

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2015-3307

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2015-3411

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2015-4022

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2015-2783

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2015-3412

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2015-4602

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2015-3307

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2015-4599

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2015-4026

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2015-3412

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2015-4598

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2015-4024

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2015-4602

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2015-4599

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2015-3329

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2015-4598

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2014-9425

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2015-4026

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2015-4601

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2015-4022

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2015-3329

Trust: 0.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2301

Trust: 0.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2331

Trust: 0.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-1351

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2015-3330

Trust: 0.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0231

Trust: 0.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-1352

Trust: 0.2

url:http://www.debian.org/security/

Trust: 0.2

url:http://marc.info/?l=bugtraq&amp;m=143748090628601&amp;w=2

Trust: 0.1

url:http://marc.info/?l=bugtraq&amp;m=144050155601375&amp;w=2

Trust: 0.1

url:http://marc.info/?l=bugtraq&amp;m=143403519711434&amp;w=2

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://usn.ubuntu.com/2535-1/

Trust: 0.1

url:http://tools.cisco.com/security/center/viewalert.x?alertid=41307

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2014-9425

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-4603

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2305

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-3330

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9709

Trust: 0.1

url:http://slackware.com

Trust: 0.1

url:http://slackware.com/gpg-key

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2783

Trust: 0.1

url:http://osuosl.org)

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2015-4604

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2015-3330

Trust: 0.1

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-4025

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2015-4605

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2015-4025

Trust: 0.1

url:http://www.debian.org/security/faq

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-0118

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-0226

Trust: 0.1

url:http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Trust: 0.1

url:http://software.hp.com

Trust: 0.1

url:https://www.hp.com/go/swa

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-0227

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-5704

Trust: 0.1

url:https://h20564.www2.hp.com/portal/site/hpsc/public/kb/

Trust: 0.1

url:https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secbullarchive/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-0231

Trust: 0.1

url:http://advisories.mageia.org/mgasa-2014-0367.html

Trust: 0.1

url:http://php.net/changelog-5.php#5.5.13

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-0238

Trust: 0.1

url:http://php.net/changelog-5.php#5.5.17

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0232

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3669

Trust: 0.1

url:http://php.net/changelog-5.php#5.5.20

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1943

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-3538

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4049

Trust: 0.1

url:http://php.net/changelog-5.php#5.5.14

Trust: 0.1

url:http://php.net/changelog-5.php#5.5.11

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0207

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-8117

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-4698

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9427

Trust: 0.1

url:http://php.net/changelog-5.php#5.5.18

Trust: 0.1

url:http://advisories.mageia.org/mgasa-2014-0178.html

Trust: 0.1

url:http://advisories.mageia.org/mgasa-2014-0430.html

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3597

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0238

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-7345

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3479

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3487

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-7345

Trust: 0.1

url:https://bugs.mageia.org/show_bug.cgi?id=13820

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8142

Trust: 0.1

url:http://www.mandriva.com/en/support/security/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-3587

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0237

Trust: 0.1

url:http://php.net/changelog-5.php#5.5.9

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-4721

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-3515

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3587

Trust: 0.1

url:https://bugzilla.redhat.com/show_bug.cgi?id=1204676

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3480

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-4049

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3710

Trust: 0.1

url:http://advisories.mageia.org/mgasa-2014-0215.html

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8116

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-3597

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-3487

Trust: 0.1

url:http://advisories.mageia.org/mgasa-2014-0324.html

Trust: 0.1

url:http://advisories.mageia.org/mgasa-2014-0542.html

Trust: 0.1

url:http://www.ubuntu.com/usn/usn-2535-1/

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4698

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9425

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-1943

Trust: 0.1

url:http://advisories.mageia.org/mgasa-2014-0284.html

Trust: 0.1

url:http://php.net/changelog-5.php#5.5.10

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8117

Trust: 0.1

url:http://www.ubuntu.com/usn/usn-2501-1/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-3669

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3515

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-4670

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-8116

Trust: 0.1

url:http://www.mandriva.com/en/support/security/advisories/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-3480

Trust: 0.1

url:http://php.net/changelog-5.php#5.5.12

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9621

Trust: 0.1

url:http://advisories.mageia.org/mgasa-2014-0441.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-3479

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-3478

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0185

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4670

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2270

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-3670

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4721

Trust: 0.1

url:http://advisories.mageia.org/mgasa-2015-0040.html

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9705

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-0185

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3538

Trust: 0.1

url:http://php.net/changelog-5.php#5.5.16

Trust: 0.1

url:http://php.net/changelog-5.php#5.5.15

Trust: 0.1

url:http://php.net/changelog-5.php#5.5.21

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-0237

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-9620

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3670

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9620

Trust: 0.1

url:http://php.net/changelog-5.php#5.5.23

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-2270

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-0207

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-3710

Trust: 0.1

url:http://php.net/changelog-5.php#5.5.19

Trust: 0.1

url:http://advisories.mageia.org/mgasa-2014-0163.html

Trust: 0.1

url:http://advisories.mageia.org/mgasa-2014-0258.html

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3478

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0273

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2015-1352

Trust: 0.1

sources: VULHUB: VHN-80262 // VULMON: CVE-2015-2301 // BID: 73037 // PACKETSTORM: 132161 // PACKETSTORM: 132618 // PACKETSTORM: 131577 // PACKETSTORM: 132406 // PACKETSTORM: 130940 // PACKETSTORM: 132263 // PACKETSTORM: 131082 // PACKETSTORM: 132158 // CNNVD: CNNVD-201503-624 // NVD: CVE-2015-2301

CREDITS

Red Hat

Trust: 0.4

sources: PACKETSTORM: 132161 // PACKETSTORM: 132618 // PACKETSTORM: 132406 // PACKETSTORM: 132158

SOURCES

db:VULHUBid:VHN-80262
db:VULMONid:CVE-2015-2301
db:BIDid:73037
db:PACKETSTORMid:132161
db:PACKETSTORMid:132618
db:PACKETSTORMid:131577
db:PACKETSTORMid:132406
db:PACKETSTORMid:130940
db:PACKETSTORMid:132263
db:PACKETSTORMid:131082
db:PACKETSTORMid:132158
db:CNNVDid:CNNVD-201503-624
db:NVDid:CVE-2015-2301

LAST UPDATE DATE

2024-11-21T20:58:34.835000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-80262date:2019-10-09T00:00:00
db:VULMONid:CVE-2015-2301date:2019-10-09T00:00:00
db:BIDid:73037date:2016-07-05T21:28:00
db:CNNVDid:CNNVD-201503-624date:2022-08-17T00:00:00
db:NVDid:CVE-2015-2301date:2023-11-07T02:25:12.740

SOURCES RELEASE DATE

db:VULHUBid:VHN-80262date:2015-03-30T00:00:00
db:VULMONid:CVE-2015-2301date:2015-03-30T00:00:00
db:BIDid:73037date:2015-02-20T00:00:00
db:PACKETSTORMid:132161date:2015-06-04T16:15:24
db:PACKETSTORMid:132618date:2015-07-09T23:16:17
db:PACKETSTORMid:131577date:2015-04-22T20:14:00
db:PACKETSTORMid:132406date:2015-06-23T14:07:16
db:PACKETSTORMid:130940date:2015-03-23T23:35:38
db:PACKETSTORMid:132263date:2015-06-11T23:41:13
db:PACKETSTORMid:131082date:2015-03-30T21:16:44
db:PACKETSTORMid:132158date:2015-06-04T16:12:40
db:CNNVDid:CNNVD-201503-624date:2015-03-31T00:00:00
db:NVDid:CVE-2015-2301date:2015-03-30T10:59:10.630