ID

VAR-201607-0657


CVE

CVE-2016-5385


TITLE

CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables

Trust: 0.8

sources: CERT/CC: VU#797896

DESCRIPTION

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue. Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. This vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on internal subrequests or to direct the server to initiate connections to arbitrary hosts. This vulnerability "httpoxy" Is called a problem. PHP is prone to a security-bypass vulnerability. Successfully exploiting this issue may allow attackers to perform unauthorized actions. This may lead to other attacks. PHP (PHP: Hypertext Preprocessor, PHP: Hypertext Preprocessor) is an open source general-purpose computer scripting language jointly maintained by the PHP Group and the open source community. The language is mainly used for Web development and supports a variety of databases and operating systems. There is a security vulnerability in PHP 7.0.8 and earlier versions, the vulnerability stems from the fact that the program does not resolve namespace conflicts in RFC 3875 mode. The program does not properly handle data from untrusted client applications in the HTTP_PROXY environment variable. A remote attacker uses the specially crafted Proxy header message in the HTTP request to exploit this vulnerability to implement a man-in-the-middle attack, directing the server to send a connection to any host. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/php-5.6.24-i586-1_slack14.2.txz: Upgraded. For more information, see: http://php.net/ChangeLog-5.php#5.6.24 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5385 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6207 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/php-5.6.24-i486-1_slack14.0.txz Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/php-5.6.24-x86_64-1_slack14.0.txz Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/php-5.6.24-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/php-5.6.24-x86_64-1_slack14.1.txz Updated package for Slackware 14.2: ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/php-5.6.24-i586-1_slack14.2.txz Updated package for Slackware x86_64 14.2: ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/php-5.6.24-x86_64-1_slack14.2.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-5.6.24-i586-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/php-5.6.24-x86_64-1.txz MD5 signatures: +-------------+ Slackware 14.0 package: 712cc177c9ac10f3d58e871ff27260dc php-5.6.24-i486-1_slack14.0.txz Slackware x86_64 14.0 package: 47f6ad4a81517f5b2959abc73475742b php-5.6.24-x86_64-1_slack14.0.txz Slackware 14.1 package: aea6a8869946186781e55c5ecec952b0 php-5.6.24-i486-1_slack14.1.txz Slackware x86_64 14.1 package: ab16db742762605b9b219b37cdd7e8db php-5.6.24-x86_64-1_slack14.1.txz Slackware 14.2 package: c88a731667e741443712267d9b30286a php-5.6.24-i586-1_slack14.2.txz Slackware x86_64 14.2 package: ed5b31c94e2fb91f0e6c40051f51da1c php-5.6.24-x86_64-1_slack14.2.txz Slackware -current package: c25a85fece34101d35b8785022cef94d n/php-5.6.24-i586-1.txz Slackware x86_64 -current package: 17f8886fc0901cea6d593170ea00fe7b n/php-5.6.24-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg php-5.6.24-i586-1_slack14.2.txz Then, restart Apache httpd: # /etc/rc.d/rc.httpd stop # /etc/rc.d/rc.httpd start +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. 6) - i386, x86_64 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: rh-php56-php security update Advisory ID: RHSA-2016:1612-01 Product: Red Hat Software Collections Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1612.html Issue date: 2016-08-11 CVE Names: CVE-2016-5385 ===================================================================== 1. Summary: An update for rh-php56-php is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.2) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. (CVE-2016-5385) Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the updated packages, the httpd daemon must be restarted for the update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1353794 - CVE-2016-5385 PHP: sets environmental variable based on user supplied Proxy request header 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6): Source: rh-php56-php-5.6.5-9.el6.src.rpm x86_64: rh-php56-php-5.6.5-9.el6.x86_64.rpm rh-php56-php-bcmath-5.6.5-9.el6.x86_64.rpm rh-php56-php-cli-5.6.5-9.el6.x86_64.rpm rh-php56-php-common-5.6.5-9.el6.x86_64.rpm rh-php56-php-dba-5.6.5-9.el6.x86_64.rpm rh-php56-php-dbg-5.6.5-9.el6.x86_64.rpm rh-php56-php-debuginfo-5.6.5-9.el6.x86_64.rpm rh-php56-php-devel-5.6.5-9.el6.x86_64.rpm rh-php56-php-embedded-5.6.5-9.el6.x86_64.rpm rh-php56-php-enchant-5.6.5-9.el6.x86_64.rpm rh-php56-php-fpm-5.6.5-9.el6.x86_64.rpm rh-php56-php-gd-5.6.5-9.el6.x86_64.rpm rh-php56-php-gmp-5.6.5-9.el6.x86_64.rpm rh-php56-php-imap-5.6.5-9.el6.x86_64.rpm rh-php56-php-intl-5.6.5-9.el6.x86_64.rpm rh-php56-php-ldap-5.6.5-9.el6.x86_64.rpm rh-php56-php-mbstring-5.6.5-9.el6.x86_64.rpm rh-php56-php-mysqlnd-5.6.5-9.el6.x86_64.rpm rh-php56-php-odbc-5.6.5-9.el6.x86_64.rpm rh-php56-php-opcache-5.6.5-9.el6.x86_64.rpm rh-php56-php-pdo-5.6.5-9.el6.x86_64.rpm rh-php56-php-pgsql-5.6.5-9.el6.x86_64.rpm rh-php56-php-process-5.6.5-9.el6.x86_64.rpm rh-php56-php-pspell-5.6.5-9.el6.x86_64.rpm rh-php56-php-recode-5.6.5-9.el6.x86_64.rpm rh-php56-php-snmp-5.6.5-9.el6.x86_64.rpm rh-php56-php-soap-5.6.5-9.el6.x86_64.rpm rh-php56-php-tidy-5.6.5-9.el6.x86_64.rpm rh-php56-php-xml-5.6.5-9.el6.x86_64.rpm rh-php56-php-xmlrpc-5.6.5-9.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6): Source: rh-php56-php-5.6.5-9.el6.src.rpm x86_64: rh-php56-php-5.6.5-9.el6.x86_64.rpm rh-php56-php-bcmath-5.6.5-9.el6.x86_64.rpm rh-php56-php-cli-5.6.5-9.el6.x86_64.rpm rh-php56-php-common-5.6.5-9.el6.x86_64.rpm rh-php56-php-dba-5.6.5-9.el6.x86_64.rpm rh-php56-php-dbg-5.6.5-9.el6.x86_64.rpm rh-php56-php-debuginfo-5.6.5-9.el6.x86_64.rpm rh-php56-php-devel-5.6.5-9.el6.x86_64.rpm rh-php56-php-embedded-5.6.5-9.el6.x86_64.rpm rh-php56-php-enchant-5.6.5-9.el6.x86_64.rpm rh-php56-php-fpm-5.6.5-9.el6.x86_64.rpm rh-php56-php-gd-5.6.5-9.el6.x86_64.rpm rh-php56-php-gmp-5.6.5-9.el6.x86_64.rpm rh-php56-php-imap-5.6.5-9.el6.x86_64.rpm rh-php56-php-intl-5.6.5-9.el6.x86_64.rpm rh-php56-php-ldap-5.6.5-9.el6.x86_64.rpm rh-php56-php-mbstring-5.6.5-9.el6.x86_64.rpm rh-php56-php-mysqlnd-5.6.5-9.el6.x86_64.rpm rh-php56-php-odbc-5.6.5-9.el6.x86_64.rpm rh-php56-php-opcache-5.6.5-9.el6.x86_64.rpm rh-php56-php-pdo-5.6.5-9.el6.x86_64.rpm rh-php56-php-pgsql-5.6.5-9.el6.x86_64.rpm rh-php56-php-process-5.6.5-9.el6.x86_64.rpm rh-php56-php-pspell-5.6.5-9.el6.x86_64.rpm rh-php56-php-recode-5.6.5-9.el6.x86_64.rpm rh-php56-php-snmp-5.6.5-9.el6.x86_64.rpm rh-php56-php-soap-5.6.5-9.el6.x86_64.rpm rh-php56-php-tidy-5.6.5-9.el6.x86_64.rpm rh-php56-php-xml-5.6.5-9.el6.x86_64.rpm rh-php56-php-xmlrpc-5.6.5-9.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7): Source: rh-php56-php-5.6.5-9.el6.src.rpm x86_64: rh-php56-php-5.6.5-9.el6.x86_64.rpm rh-php56-php-bcmath-5.6.5-9.el6.x86_64.rpm rh-php56-php-cli-5.6.5-9.el6.x86_64.rpm rh-php56-php-common-5.6.5-9.el6.x86_64.rpm rh-php56-php-dba-5.6.5-9.el6.x86_64.rpm rh-php56-php-dbg-5.6.5-9.el6.x86_64.rpm rh-php56-php-debuginfo-5.6.5-9.el6.x86_64.rpm rh-php56-php-devel-5.6.5-9.el6.x86_64.rpm rh-php56-php-embedded-5.6.5-9.el6.x86_64.rpm rh-php56-php-enchant-5.6.5-9.el6.x86_64.rpm rh-php56-php-fpm-5.6.5-9.el6.x86_64.rpm rh-php56-php-gd-5.6.5-9.el6.x86_64.rpm rh-php56-php-gmp-5.6.5-9.el6.x86_64.rpm rh-php56-php-imap-5.6.5-9.el6.x86_64.rpm rh-php56-php-intl-5.6.5-9.el6.x86_64.rpm rh-php56-php-ldap-5.6.5-9.el6.x86_64.rpm rh-php56-php-mbstring-5.6.5-9.el6.x86_64.rpm rh-php56-php-mysqlnd-5.6.5-9.el6.x86_64.rpm rh-php56-php-odbc-5.6.5-9.el6.x86_64.rpm rh-php56-php-opcache-5.6.5-9.el6.x86_64.rpm rh-php56-php-pdo-5.6.5-9.el6.x86_64.rpm rh-php56-php-pgsql-5.6.5-9.el6.x86_64.rpm rh-php56-php-process-5.6.5-9.el6.x86_64.rpm rh-php56-php-pspell-5.6.5-9.el6.x86_64.rpm rh-php56-php-recode-5.6.5-9.el6.x86_64.rpm rh-php56-php-snmp-5.6.5-9.el6.x86_64.rpm rh-php56-php-soap-5.6.5-9.el6.x86_64.rpm rh-php56-php-tidy-5.6.5-9.el6.x86_64.rpm rh-php56-php-xml-5.6.5-9.el6.x86_64.rpm rh-php56-php-xmlrpc-5.6.5-9.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6): Source: rh-php56-php-5.6.5-9.el6.src.rpm x86_64: rh-php56-php-5.6.5-9.el6.x86_64.rpm rh-php56-php-bcmath-5.6.5-9.el6.x86_64.rpm rh-php56-php-cli-5.6.5-9.el6.x86_64.rpm rh-php56-php-common-5.6.5-9.el6.x86_64.rpm rh-php56-php-dba-5.6.5-9.el6.x86_64.rpm rh-php56-php-dbg-5.6.5-9.el6.x86_64.rpm rh-php56-php-debuginfo-5.6.5-9.el6.x86_64.rpm rh-php56-php-devel-5.6.5-9.el6.x86_64.rpm rh-php56-php-embedded-5.6.5-9.el6.x86_64.rpm rh-php56-php-enchant-5.6.5-9.el6.x86_64.rpm rh-php56-php-fpm-5.6.5-9.el6.x86_64.rpm rh-php56-php-gd-5.6.5-9.el6.x86_64.rpm rh-php56-php-gmp-5.6.5-9.el6.x86_64.rpm rh-php56-php-imap-5.6.5-9.el6.x86_64.rpm rh-php56-php-intl-5.6.5-9.el6.x86_64.rpm rh-php56-php-ldap-5.6.5-9.el6.x86_64.rpm rh-php56-php-mbstring-5.6.5-9.el6.x86_64.rpm rh-php56-php-mysqlnd-5.6.5-9.el6.x86_64.rpm rh-php56-php-odbc-5.6.5-9.el6.x86_64.rpm rh-php56-php-opcache-5.6.5-9.el6.x86_64.rpm rh-php56-php-pdo-5.6.5-9.el6.x86_64.rpm rh-php56-php-pgsql-5.6.5-9.el6.x86_64.rpm rh-php56-php-process-5.6.5-9.el6.x86_64.rpm rh-php56-php-pspell-5.6.5-9.el6.x86_64.rpm rh-php56-php-recode-5.6.5-9.el6.x86_64.rpm rh-php56-php-snmp-5.6.5-9.el6.x86_64.rpm rh-php56-php-soap-5.6.5-9.el6.x86_64.rpm rh-php56-php-tidy-5.6.5-9.el6.x86_64.rpm rh-php56-php-xml-5.6.5-9.el6.x86_64.rpm rh-php56-php-xmlrpc-5.6.5-9.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-php56-php-5.6.5-9.el7.src.rpm x86_64: rh-php56-php-5.6.5-9.el7.x86_64.rpm rh-php56-php-bcmath-5.6.5-9.el7.x86_64.rpm rh-php56-php-cli-5.6.5-9.el7.x86_64.rpm rh-php56-php-common-5.6.5-9.el7.x86_64.rpm rh-php56-php-dba-5.6.5-9.el7.x86_64.rpm rh-php56-php-dbg-5.6.5-9.el7.x86_64.rpm rh-php56-php-debuginfo-5.6.5-9.el7.x86_64.rpm rh-php56-php-devel-5.6.5-9.el7.x86_64.rpm rh-php56-php-embedded-5.6.5-9.el7.x86_64.rpm rh-php56-php-enchant-5.6.5-9.el7.x86_64.rpm rh-php56-php-fpm-5.6.5-9.el7.x86_64.rpm rh-php56-php-gd-5.6.5-9.el7.x86_64.rpm rh-php56-php-gmp-5.6.5-9.el7.x86_64.rpm rh-php56-php-intl-5.6.5-9.el7.x86_64.rpm rh-php56-php-ldap-5.6.5-9.el7.x86_64.rpm rh-php56-php-mbstring-5.6.5-9.el7.x86_64.rpm rh-php56-php-mysqlnd-5.6.5-9.el7.x86_64.rpm rh-php56-php-odbc-5.6.5-9.el7.x86_64.rpm rh-php56-php-opcache-5.6.5-9.el7.x86_64.rpm rh-php56-php-pdo-5.6.5-9.el7.x86_64.rpm rh-php56-php-pgsql-5.6.5-9.el7.x86_64.rpm rh-php56-php-process-5.6.5-9.el7.x86_64.rpm rh-php56-php-pspell-5.6.5-9.el7.x86_64.rpm rh-php56-php-recode-5.6.5-9.el7.x86_64.rpm rh-php56-php-snmp-5.6.5-9.el7.x86_64.rpm rh-php56-php-soap-5.6.5-9.el7.x86_64.rpm rh-php56-php-xml-5.6.5-9.el7.x86_64.rpm rh-php56-php-xmlrpc-5.6.5-9.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1): Source: rh-php56-php-5.6.5-9.el7.src.rpm x86_64: rh-php56-php-5.6.5-9.el7.x86_64.rpm rh-php56-php-bcmath-5.6.5-9.el7.x86_64.rpm rh-php56-php-cli-5.6.5-9.el7.x86_64.rpm rh-php56-php-common-5.6.5-9.el7.x86_64.rpm rh-php56-php-dba-5.6.5-9.el7.x86_64.rpm rh-php56-php-dbg-5.6.5-9.el7.x86_64.rpm rh-php56-php-debuginfo-5.6.5-9.el7.x86_64.rpm rh-php56-php-devel-5.6.5-9.el7.x86_64.rpm rh-php56-php-embedded-5.6.5-9.el7.x86_64.rpm rh-php56-php-enchant-5.6.5-9.el7.x86_64.rpm rh-php56-php-fpm-5.6.5-9.el7.x86_64.rpm rh-php56-php-gd-5.6.5-9.el7.x86_64.rpm rh-php56-php-gmp-5.6.5-9.el7.x86_64.rpm rh-php56-php-intl-5.6.5-9.el7.x86_64.rpm rh-php56-php-ldap-5.6.5-9.el7.x86_64.rpm rh-php56-php-mbstring-5.6.5-9.el7.x86_64.rpm rh-php56-php-mysqlnd-5.6.5-9.el7.x86_64.rpm rh-php56-php-odbc-5.6.5-9.el7.x86_64.rpm rh-php56-php-opcache-5.6.5-9.el7.x86_64.rpm rh-php56-php-pdo-5.6.5-9.el7.x86_64.rpm rh-php56-php-pgsql-5.6.5-9.el7.x86_64.rpm rh-php56-php-process-5.6.5-9.el7.x86_64.rpm rh-php56-php-pspell-5.6.5-9.el7.x86_64.rpm rh-php56-php-recode-5.6.5-9.el7.x86_64.rpm rh-php56-php-snmp-5.6.5-9.el7.x86_64.rpm rh-php56-php-soap-5.6.5-9.el7.x86_64.rpm rh-php56-php-xml-5.6.5-9.el7.x86_64.rpm rh-php56-php-xmlrpc-5.6.5-9.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.2): Source: rh-php56-php-5.6.5-9.el7.src.rpm x86_64: rh-php56-php-5.6.5-9.el7.x86_64.rpm rh-php56-php-bcmath-5.6.5-9.el7.x86_64.rpm rh-php56-php-cli-5.6.5-9.el7.x86_64.rpm rh-php56-php-common-5.6.5-9.el7.x86_64.rpm rh-php56-php-dba-5.6.5-9.el7.x86_64.rpm rh-php56-php-dbg-5.6.5-9.el7.x86_64.rpm rh-php56-php-debuginfo-5.6.5-9.el7.x86_64.rpm rh-php56-php-devel-5.6.5-9.el7.x86_64.rpm rh-php56-php-embedded-5.6.5-9.el7.x86_64.rpm rh-php56-php-enchant-5.6.5-9.el7.x86_64.rpm rh-php56-php-fpm-5.6.5-9.el7.x86_64.rpm rh-php56-php-gd-5.6.5-9.el7.x86_64.rpm rh-php56-php-gmp-5.6.5-9.el7.x86_64.rpm rh-php56-php-intl-5.6.5-9.el7.x86_64.rpm rh-php56-php-ldap-5.6.5-9.el7.x86_64.rpm rh-php56-php-mbstring-5.6.5-9.el7.x86_64.rpm rh-php56-php-mysqlnd-5.6.5-9.el7.x86_64.rpm rh-php56-php-odbc-5.6.5-9.el7.x86_64.rpm rh-php56-php-opcache-5.6.5-9.el7.x86_64.rpm rh-php56-php-pdo-5.6.5-9.el7.x86_64.rpm rh-php56-php-pgsql-5.6.5-9.el7.x86_64.rpm rh-php56-php-process-5.6.5-9.el7.x86_64.rpm rh-php56-php-pspell-5.6.5-9.el7.x86_64.rpm rh-php56-php-recode-5.6.5-9.el7.x86_64.rpm rh-php56-php-snmp-5.6.5-9.el7.x86_64.rpm rh-php56-php-soap-5.6.5-9.el7.x86_64.rpm rh-php56-php-xml-5.6.5-9.el7.x86_64.rpm rh-php56-php-xmlrpc-5.6.5-9.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-php56-php-5.6.5-9.el7.src.rpm x86_64: rh-php56-php-5.6.5-9.el7.x86_64.rpm rh-php56-php-bcmath-5.6.5-9.el7.x86_64.rpm rh-php56-php-cli-5.6.5-9.el7.x86_64.rpm rh-php56-php-common-5.6.5-9.el7.x86_64.rpm rh-php56-php-dba-5.6.5-9.el7.x86_64.rpm rh-php56-php-dbg-5.6.5-9.el7.x86_64.rpm rh-php56-php-debuginfo-5.6.5-9.el7.x86_64.rpm rh-php56-php-devel-5.6.5-9.el7.x86_64.rpm rh-php56-php-embedded-5.6.5-9.el7.x86_64.rpm rh-php56-php-enchant-5.6.5-9.el7.x86_64.rpm rh-php56-php-fpm-5.6.5-9.el7.x86_64.rpm rh-php56-php-gd-5.6.5-9.el7.x86_64.rpm rh-php56-php-gmp-5.6.5-9.el7.x86_64.rpm rh-php56-php-intl-5.6.5-9.el7.x86_64.rpm rh-php56-php-ldap-5.6.5-9.el7.x86_64.rpm rh-php56-php-mbstring-5.6.5-9.el7.x86_64.rpm rh-php56-php-mysqlnd-5.6.5-9.el7.x86_64.rpm rh-php56-php-odbc-5.6.5-9.el7.x86_64.rpm rh-php56-php-opcache-5.6.5-9.el7.x86_64.rpm rh-php56-php-pdo-5.6.5-9.el7.x86_64.rpm rh-php56-php-pgsql-5.6.5-9.el7.x86_64.rpm rh-php56-php-process-5.6.5-9.el7.x86_64.rpm rh-php56-php-pspell-5.6.5-9.el7.x86_64.rpm rh-php56-php-recode-5.6.5-9.el7.x86_64.rpm rh-php56-php-snmp-5.6.5-9.el7.x86_64.rpm rh-php56-php-soap-5.6.5-9.el7.x86_64.rpm rh-php56-php-xml-5.6.5-9.el7.x86_64.rpm rh-php56-php-xmlrpc-5.6.5-9.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFXrPTMXlSAg2UNWIIRAiQCAJ0dfYfBJiwAbTVStw+pFUwIMP5jhwCgi+MO fr/VPvwdPqG/A0DnoFIO9PE= =7VKA -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . ========================================================================= Ubuntu Security Notice USN-3045-1 August 02, 2016 php5, php7.0 vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in PHP. Software Description: - php7.0: HTML-embedded scripting language interpreter - php5: HTML-embedded scripting language interpreter Details: It was discovered that PHP incorrectly handled certain SplMinHeap::compar e operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. Thi s issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-4116 ) It was discovered that PHP incorrectly handled recursive method calls. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8873) It was discovered that PHP incorrectly validated certain Exception object s when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.0 4 LTS. (CVE-2015-8876) It was discovered that PHP header() function performed insufficient filtering for Internet Explorer. A remote attacker could possibly use thi s issue to perform a XSS attack. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8935) It was discovered that PHP incorrectly handled certain locale operations. An attacker could use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5093) It was discovered that the PHP php_html_entities() function incorrectly handled certain string lengths. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.0 4 LTS. (CVE-2016-5094, CVE-2016-5095) It was discovered that the PHP fread() function incorrectly handled certa in lengths. An attacker could use this issue to cause PHP to crash, resultin g in a denial of service, or possibly execute arbitrary code. This issue on ly affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5096) It was discovered that the PHP FastCGI Process Manager (FPM) SAPI incorrectly handled memory in the access logging feature. An attacker cou ld use this issue to cause PHP to crash, resulting in a denial of service, o r possibly expose sensitive information. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5114) It was discovered that PHP would not protect applications from contents o f the HTTP_PROXY environment variable when based on the contents of the Pro xy header from HTTP requests. A remote attacker could possibly use this issu e in combination with scripts that honour the HTTP_PROXY variable to redire ct outgoing HTTP requests. (CVE-2016-5385) Hans Jerry Illikainen discovered that the PHP bzread() function incorrect ly performed error handling. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-5399) It was discovered that certain PHP multibyte string functions incorrectly handled memory. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-5768) It was discovered that the PHP Mcrypt extension incorrectly handled memor y. A remote attacker could use this issue to cause PHP to crash, resulting i n a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5769) It was discovered that the PHP garbage collector incorrectly handled certain objects when unserializing malicious data. A remote attacker coul d use this issue to cause PHP to crash, resulting in a denial of service, o r possibly execute arbitrary code. This issue was only addressed in Ubuntu Ubuntu 14.04 LTS. (CVE-2016-5771, CVE-2016-5773) It was discovered that PHP incorrectly handled memory when unserializing malicious xml data. A remote attacker could use this issue to cause PHP t o crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5772) It was discovered that the PHP php_url_parse_ex() function incorrectly handled string termination. A remote attacker could use this issue to cau se PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.0 4 LTS. (CVE-2016-6288) It was discovered that PHP incorrectly handled path lengths when extracti ng certain Zip archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6289) It was discovered that PHP incorrectly handled session deserialization. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6290) It was discovered that PHP incorrectly handled exif headers when processi ng certain JPEG images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6291, CVE-2016-6292) It was discovered that PHP incorrectly handled certain locale operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6294) It was discovered that the PHP garbage collector incorrectly handled certain objects when unserializing SNMP data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LT S and Ubuntu 16.04 LTS. (CVE-2016-6295) It was discovered that the PHP xmlrpc_encode_request() function incorrect ly handled certain lengths. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6296) It was discovered that the PHP php_stream_zip_opener() function incorrect ly handled memory. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6297) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: libapache2-mod-php7.0 7.0.8-0ubuntu0.16.04.2 php7.0-cgi 7.0.8-0ubuntu0.16.04.2 php7.0-cli 7.0.8-0ubuntu0.16.04.2 php7.0-fpm 7.0.8-0ubuntu0.16.04.2 Ubuntu 14.04 LTS: libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.19 php5-cgi 5.5.9+dfsg-1ubuntu4.19 php5-cli 5.5.9+dfsg-1ubuntu4.19 php5-fpm 5.5.9+dfsg-1ubuntu4.19 Ubuntu 12.04 LTS: libapache2-mod-php5 5.3.10-1ubuntu3.24 php5-cgi 5.3.10-1ubuntu3.24 php5-cli 5.3.10-1ubuntu3.24 php5-fpm 5.3.10-1ubuntu3.24 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-3045-1 CVE-2015-4116, CVE-2015-8873, CVE-2015-8876, CVE-2015-8935, CVE-2016-5093, CVE-2016-5094, CVE-2016-5095, CVE-2016-5096, CVE-2016-5114, CVE-2016-5385, CVE-2016-5399, CVE-2016-5768, CVE-2016-5769, CVE-2016-5771, CVE-2016-5772, CVE-2016-5773, CVE-2016-6288, CVE-2016-6289, CVE-2016-6290, CVE-2016-6291, CVE-2016-6292, CVE-2016-6294, CVE-2016-6295, CVE-2016-6296, CVE-2016-6297 Package Information: https://launchpad.net/ubuntu/+source/php7.0/7.0.8-0ubuntu0.16.04.2 https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.19 https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.24 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05320149 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c05320149 Version: 1 HPSBMU03653 rev.1 - HPE System Management Homepage (SMH), Remote Arbitrary Code Execution, Cross-Site Scripting (XSS), Denial of Service (DoS), Unauthorized Disclosure of Information NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2016-10-26 Last Updated: 2016-10-26 Potential Security Impact: Remote: Arbitrary Code Execution, Cross-Site Scripting (XSS), Denial of Service (DoS), Unauthorized Disclosure of Information Source: Hewlett Packard Enterprise, Product Security Response Team VULNERABILITY SUMMARY Multiple potential security vulnerabilities have been identified in HPE System Management Homepage (SMH) on Windows and Linux. References: - CVE-2016-2107 - OpenSSL, Unauthorized disclosure of information - CVE-2016-2106 - OpenSSL, Denial of Service (DoS) - CVE-2016-2109 - OpenSSL, Denial of Service (DoS) - CVE-2016-2105 - OpenSSL, Denial of Service (DoS) - CVE-2016-3739 - cURL and libcurl, Remote code execution - CVE-2016-5388 - "HTTPoxy", Apache Tomcat - CVE-2016-5387 - "HTTPoxy", Apache HTTP Server - CVE-2016-5385 - "HTTPoxy", PHP - CVE-2016-4543 - PHP, multiple impact - CVE-2016-4071 - PHP, multiple impact - CVE-2016-4072 - PHP, multiple impact - CVE-2016-4542 - PHP, multiple impact - CVE-2016-4541 - PHP, multiple impact - CVE-2016-4540 - PHP, multiple impact - CVE-2016-4539 - PHP, multiple impact - CVE-2016-4538 - PHP, multiple impact - CVE-2016-4537 - PHP, multiple impact - CVE-2016-4343 - PHP, multiple impact - CVE-2016-4342 - PHP, multiple impact - CVE-2016-4070 - PHP, Denial of Service (DoS) - CVE-2016-4393 - PSRT110263, XSS vulnerability - CVE-2016-4394 - PSRT110263, HSTS vulnerability - CVE-2016-4395 - ZDI-CAN-3722, PSRT110115, Buffer Overflow - CVE-2016-4396 - ZDI-CAN-3730, PSRT110116, Buffer Overflow - PSRT110145 - PSRT110263 - PSRT110115 - PSRT110116 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. - HPE System Management Homepage - all versions prior to v7.6 BACKGROUND CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector CVE-2016-2105 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) CVE-2016-2106 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) CVE-2016-2107 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N) CVE-2016-2109 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) CVE-2016-3739 5.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N) CVE-2016-4070 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) CVE-2016-4071 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4072 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4342 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 8.3 (AV:N/AC:M/Au:N/C:P/I:P/A:C) CVE-2016-4343 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) CVE-2016-4393 4.2 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N) CVE-2016-4394 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P) CVE-2016-4395 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 7.8 (AV:N/AC:L/Au:N/C:N/I:C/A:N) CVE-2016-4396 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 7.8 (AV:N/AC:L/Au:N/C:N/I:C/A:N) CVE-2016-4537 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4538 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4539 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4540 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4541 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4542 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-4543 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2016-5385 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) CVE-2016-5387 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) CVE-2016-5388 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499 * Hewlett Packard Enterprise thanks Tenable Network Security for working with Trend Micro's Zero Day Initiative (ZDI) for reporting CVE-2016-4395 and CVE-2016-4396 to security-alert@hpe.com RESOLUTION HPE has made the following software updates available to resolve the vulnerabilities for the impacted versions of System Management Homepage (SMH). Please download and install HPE System Management Homepage (SMH) v7.6.0 from the following locations: * <https://www.hpe.com/us/en/product-catalog/detail/pip.344313.html> HISTORY Version:1 (rev.1) - 26 October 2016 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com. Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX Copyright 2016 Hewlett Packard Enterprise Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. Please note that the Management Interface cannot access data stored on tape media, so this vulnerability does not allow for remote unauthorized disclosure of data stored on tape media or remote denial of service. References: - CVE-2016-5385 - PHP, HTTPoxy - CVE-2016-3074 - PHP - CVE-2013-7456 - PHP - CVE-2016-5093 - PHP - CVE-2016-5094 - PHP - CVE-2016-5096 - PHP - CVE-2016-5766 - PHP - CVE-2016-5767 - PHP - CVE-2016-5768 - PHP - CVE-2016-5769 - PHP - CVE-2016-5770 - PHP - CVE-2016-5771 - PHP - CVE-2016-5772 - PHP - CVE-2016-5773 - PHP - CVE-2016-6207 - GD Graphics Library - CVE-2016-6289 - PHP - CVE-2016-6290 - PHP - CVE-2016-6291 - PHP - CVE-2016-6292 - PHP - CVE-2016-6293 - PHP - CVE-2016-6294 - PHP - CVE-2016-6295 - PHP - CVE-2016-6296 - PHP - CVE-2016-6297 - PHP - CVE-2016-5399 - PHP SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed

Trust: 3.33

sources: NVD: CVE-2016-5385 // CERT/CC: VU#797896 // JVNDB: JVNDB-2016-003800 // BID: 91821 // VULHUB: VHN-94204 // VULMON: CVE-2016-5385 // PACKETSTORM: 138014 // PACKETSTORM: 138295 // PACKETSTORM: 138298 // PACKETSTORM: 138136 // PACKETSTORM: 139379 // PACKETSTORM: 140515

AFFECTED PRODUCTS

vendor:hewlett packardmodel:storeever msl6480 tape libraryscope: - version: -

Trust: 1.6

vendor:oraclemodel:linuxscope:eqversion:6

Trust: 1.3

vendor:oraclemodel:linuxscope:eqversion:7

Trust: 1.3

vendor:oraclemodel:communications user data repositoryscope:eqversion:10.0.1

Trust: 1.3

vendor:opensusemodel:leapscope:eqversion:42.1

Trust: 1.0

vendor:drupalmodel:drupalscope:ltversion:8.1.7

Trust: 1.0

vendor:redhatmodel:enterprise linux serverscope:eqversion:6.0

Trust: 1.0

vendor:phpmodel:phpscope:gteversion:5.5.0

Trust: 1.0

vendor:hpmodel:system management homepagescope:lteversion:7.5.5.0

Trust: 1.0

vendor:hpmodel:storeever msl6480 tape libraryscope:lteversion:5.09

Trust: 1.0

vendor:oraclemodel:enterprise manager ops centerscope:eqversion:12.2.2

Trust: 1.0

vendor:phpmodel:phpscope:gteversion:7.0.0

Trust: 1.0

vendor:drupalmodel:drupalscope:gteversion:8.0.0

Trust: 1.0

vendor:oraclemodel:enterprise manager ops centerscope:eqversion:12.3.2

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:8.0

Trust: 1.0

vendor:phpmodel:phpscope:ltversion:5.6.24

Trust: 1.0

vendor:phpmodel:phpscope:lteversion:7.0.8

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:23

Trust: 1.0

vendor:oraclemodel:communications user data repositoryscope:eqversion:10.0.0

Trust: 1.0

vendor:phpmodel:phpscope:gteversion:5.6.0

Trust: 1.0

vendor:oraclemodel:communications user data repositoryscope:eqversion:12.0.0

Trust: 1.0

vendor:redhatmodel:enterprise linux workstationscope:eqversion:6.0

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:24

Trust: 1.0

vendor:phpmodel:phpscope:ltversion:5.5.38

Trust: 1.0

vendor:redhatmodel:enterprise linux desktopscope:eqversion:6.0

Trust: 1.0

vendor:apache http servermodel: - scope: - version: -

Trust: 0.8

vendor:go programming languagemodel: - scope: - version: -

Trust: 0.8

vendor:haproxymodel: - scope: - version: -

Trust: 0.8

vendor:hhvmmodel: - scope: - version: -

Trust: 0.8

vendor:microsoftmodel: - scope: - version: -

Trust: 0.8

vendor:pythonmodel: - scope: - version: -

Trust: 0.8

vendor:the php groupmodel: - scope: - version: -

Trust: 0.8

vendor:lighttpdmodel: - scope: - version: -

Trust: 0.8

vendor:nginxmodel: - scope: - version: -

Trust: 0.8

vendor:fedoramodel:fedorascope: - version: -

Trust: 0.8

vendor:the php groupmodel:phpscope:lteversion:7.0.8

Trust: 0.8

vendor:oraclemodel:linuxscope: - version: -

Trust: 0.8

vendor:hewlett packardmodel:system management homepagescope: - version: -

Trust: 0.8

vendor:necmodel:webotxscope:eqversion:enterprise edition v4.1 to v6.5

Trust: 0.8

vendor:necmodel:webotxscope:eqversion:standard edition v4.1 to v6.5

Trust: 0.8

vendor:necmodel:webotxscope:eqversion:standard-j edition v4.1 to v6.5

Trust: 0.8

vendor:necmodel:webotxscope:eqversion:web edition v4.1 to v6.5

Trust: 0.8

vendor:necmodel:webotxscope:eqversion:development environment v6.1 to v6.5

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:enterprise v8.2 to v9.4

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:express v8.2 to v9.4

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:foundation v8.2 to v8.5

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:standard v8.2 to v9.4

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:standard-j edition v7.1 to v8.1

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:web edition v7.1 to v8.1

Trust: 0.8

vendor:necmodel:webotx developerscope:eqversion:"(with developers studio) v8.2 to v9.4"

Trust: 0.8

vendor:necmodel:webotx developerscope:eqversion:v7.1 to v8.1

Trust: 0.8

vendor:necmodel:webotx enterprise service busscope:eqversion:v6.4 to v9.3

Trust: 0.8

vendor:necmodel:webotx portalscope:eqversion:v8.2 to v9.3

Trust: 0.8

vendor:necmodel:webotx sip application serverscope:eqversion:standard edition v7.1 to v8.1

Trust: 0.8

vendor:hpmodel:storeever msl6480 tape libraryscope:eqversion:0

Trust: 0.3

vendor:hpmodel:storeever msl6480 tape libraryscope:eqversion:4.90

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:7.2

Trust: 0.3

vendor:ibmmodel:tealeaf customer experience on cloud network capture add-onscope:eqversion:16.1.01

Trust: 0.3

vendor:typo3model:typo3scope:eqversion:8.1

Trust: 0.3

vendor:ibmmodel:api connectscope:eqversion:5.0.3.0

Trust: 0.3

vendor:ibmmodel:smartcloud entryscope:eqversion:2.3.0

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.1

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.8

Trust: 0.3

vendor:ibmmodel:powerkvmscope:neversion:2.1.1.3-65.12

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.20

Trust: 0.3

vendor:ibmmodel:powerkvm updatescope:neversion:3.1.0.22

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:7.0

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:7.0.6

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.23

Trust: 0.3

vendor:ibmmodel:smartcloud entry appliance fpscope:eqversion:3.1.0.4

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.5

Trust: 0.3

vendor:phpmodel:phpscope:neversion:7.0.9

Trust: 0.3

vendor:ibmmodel:powerkvmscope:eqversion:3.1

Trust: 0.3

vendor:ibmmodel:powerkvm buildscope:eqversion:3.13

Trust: 0.3

vendor:typo3model:typo3scope:neversion:8.2.1

Trust: 0.3

vendor:hpmodel:system management homepagescope:neversion:7.6

Trust: 0.3

vendor:ibmmodel:smartcloud entry appliance fix packscope:eqversion:2.24

Trust: 0.3

vendor:hpmodel:storeever msl6480 tape libraryscope:eqversion:4.40

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.14

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6

Trust: 0.3

vendor:drupalmodel:drupalscope:eqversion:8.0.1

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.4

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:7.5

Trust: 0.3

vendor:ibmmodel:powerkvm sp3scope:eqversion:2.1.1

Trust: 0.3

vendor:ibmmodel:powerkvm buildscope:eqversion:2.1.165.4

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.2

Trust: 0.3

vendor:ibmmodel:powerkvm buildscope:eqversion:2.1.165.6

Trust: 0.3

vendor:drupalmodel:drupalscope:eqversion:8.1.0

Trust: 0.3

vendor:ibmmodel:powerkvmscope:eqversion:2.1.1.3-65

Trust: 0.3

vendor:ibmmodel:smartcloud entry appliance fiscope:eqversion:2.2.0.4

Trust: 0.3

vendor:typo3model:typo3scope:eqversion:8.1.1

Trust: 0.3

vendor:ibmmodel:powerkvm sp2scope:eqversion:3.1

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:7.0.5

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:7.0

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.13

Trust: 0.3

vendor:drupalmodel:drupalscope:eqversion:8.1.5

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:7.0.1

Trust: 0.3

vendor:guzzlemodel:guzzlescope:neversion:6.2.1

Trust: 0.3

vendor:oraclemodel:communications user data repositoryscope:eqversion:10.2

Trust: 0.3

vendor:ibmmodel:powerkvm buildscope:eqversion:2.1.165.1

Trust: 0.3

vendor:ibmmodel:smartcloud entry appliance fix packscope:eqversion:2.36

Trust: 0.3

vendor:oraclemodel:solarisscope:eqversion:11.3

Trust: 0.3

vendor:drupalmodel:drupalscope:eqversion:8.1.4

Trust: 0.3

vendor:ibmmodel:powerkvm buildscope:eqversion:2.1.157

Trust: 0.3

vendor:guzzlemodel:guzzlescope:eqversion:5

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:7.0.8

Trust: 0.3

vendor:ibmmodel:powerkvm updatescope:eqversion:3.1.0.21

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.7

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.21

Trust: 0.3

vendor:drupalmodel:drupalscope:eqversion:8.1.3

Trust: 0.3

vendor:typo3model:typo3scope:eqversion:8.0.1

Trust: 0.3

vendor:ibmmodel:powerkvm buildscope:eqversion:3.12

Trust: 0.3

vendor:drupalmodel:drupalscope:eqversion:8.0

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:7.4

Trust: 0.3

vendor:gentoomodel:linuxscope: - version: -

Trust: 0.3

vendor:ibmmodel:powerkvm buildscope:eqversion:2.1.165.5

Trust: 0.3

vendor:ibmmodel:powerkvmscope:eqversion:3.1.0.2

Trust: 0.3

vendor:ibmmodel:api connectscope:eqversion:5.0.1.0

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:7.0.2

Trust: 0.3

vendor:drupalmodel:drupalscope:eqversion:8.0.3

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.10

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.6

Trust: 0.3

vendor:drupalmodel:drupalscope:eqversion:8.0.2

Trust: 0.3

vendor:ibmmodel:api connectscope:eqversion:5.0.2.0

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:7.0.3

Trust: 0.3

vendor:ibmmodel:powerkvm sp1scope:eqversion:3.1

Trust: 0.3

vendor:guzzlemodel:guzzlescope:eqversion:6

Trust: 0.3

vendor:ibmmodel:smartcloud entryscope:eqversion:2.4.0

Trust: 0.3

vendor:phpmodel:phpscope:neversion:5.6.24

Trust: 0.3

vendor:hpmodel:storeever msl6480 tape libraryscope:neversion:5.10

Trust: 0.3

vendor:ibmmodel:smartcloud entry appliance fix packscope:eqversion:2.34

Trust: 0.3

vendor:typo3model:typo3scope:eqversion:8.0.0

Trust: 0.3

vendor:drupalmodel:drupalscope:neversion:8.1.7

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.9

Trust: 0.3

vendor:guzzlemodel:4.0.0-rc2scope: - version: -

Trust: 0.3

vendor:ibmmodel:smartcloud entry appliance fix packscope:eqversion:2.26

Trust: 0.3

vendor:ibmmodel:powerkvm buildscope:eqversion:2.1.165.7

Trust: 0.3

vendor:drupalmodel:drupalscope:eqversion:8.0.4

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:6.0

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.19

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.3

Trust: 0.3

vendor:ibmmodel:smartcloud entryscope:eqversion:3.2

Trust: 0.3

vendor:ibmmodel:smartcloud entry appliance fiscope:eqversion:2.4.0.4

Trust: 0.3

vendor:ibmmodel:smartcloud entryscope:eqversion:2.2

Trust: 0.3

vendor:hpmodel:storeever msl6480 tape libraryscope:eqversion:4.10

Trust: 0.3

vendor:typo3model:typo3scope:eqversion:8.2

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:7.0.4

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.11

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:7.3

Trust: 0.3

vendor:ibmmodel:smartcloud entry appliance fpscope:eqversion:3.2.0.4

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.18

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.17

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.22

Trust: 0.3

vendor:ibmmodel:api connectscope:eqversion:5.0.0.1

Trust: 0.3

vendor:hpmodel:system management homepagescope:eqversion:7.1

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:7.0.7

Trust: 0.3

vendor:ibmmodel:smartcloud entryscope:eqversion:3.1

Trust: 0.3

vendor:oraclemodel:communications user data repositoryscope:eqversion:12.0

Trust: 0.3

vendor:ibmmodel:smartcloud entry appliance fiscope:eqversion:2.3.0.4

Trust: 0.3

vendor:ibmmodel:powerkvmscope:eqversion:2.1.1.3-65.11

Trust: 0.3

vendor:phpmodel:phpscope:eqversion:5.6.12

Trust: 0.3

vendor:guzzlemodel:guzzlescope:eqversion:5.3

Trust: 0.3

vendor:drupalmodel:drupalscope:eqversion:8.1.6

Trust: 0.3

vendor:oraclemodel:communications user data repositoryscope:eqversion:10.0

Trust: 0.3

vendor:ibmmodel:powerkvm buildscope:eqversion:2.1.158

Trust: 0.3

vendor:ibmmodel:powerkvmscope:eqversion:2.1.1.3-65.10

Trust: 0.3

sources: CERT/CC: VU#797896 // BID: 91821 // JVNDB: JVNDB-2016-003800 // NVD: CVE-2016-5385

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-5385
value: HIGH

Trust: 1.0

NVD: CVE-2016-5385
value: HIGH

Trust: 0.8

VULHUB: VHN-94204
value: MEDIUM

Trust: 0.1

VULMON: CVE-2016-5385
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-5385
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-94204
severity: MEDIUM
baseScore: 5.1
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 4.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-5385
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2016-5385
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-94204 // VULMON: CVE-2016-5385 // JVNDB: JVNDB-2016-003800 // NVD: CVE-2016-5385

PROBLEMTYPE DATA

problemtype:CWE-601

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

problemtype:CWE-284

Trust: 0.1

sources: VULHUB: VHN-94204 // JVNDB: JVNDB-2016-003800 // NVD: CVE-2016-5385

THREAT TYPE

remote

Trust: 0.4

sources: PACKETSTORM: 138295 // PACKETSTORM: 138298 // PACKETSTORM: 138136 // PACKETSTORM: 140515

TYPE

Unknown

Trust: 0.3

sources: BID: 91821

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-003800

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-94204

PATCH

title:FEDORA-2016-4e7db3d437url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/

Trust: 0.8

title:FEDORA-2016-8eb11666aaurl:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/

Trust: 0.8

title:FEDORA-2016-9c8cf5912curl:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/

Trust: 0.8

title:HPSBMU03653url:https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05320149

Trust: 0.8

title:HPSBST03671url:https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05333297

Trust: 0.8

title:NV16-020url:http://jpn.nec.com/security-info/secinfo/nv16-020.html

Trust: 0.8

title:Oracle Linux Bulletin - July 2016url:http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

Trust: 0.8

title:Bug 1353794url:https://bugzilla.redhat.com/show_bug.cgi?id=1353794

Trust: 0.8

title:RHSA-2016:1609url:http://rhn.redhat.com/errata/RHSA-2016-1609.html

Trust: 0.8

title:RHSA-2016:1610url:http://rhn.redhat.com/errata/RHSA-2016-1610.html

Trust: 0.8

title:RHSA-2016:1611url:http://rhn.redhat.com/errata/RHSA-2016-1611.html

Trust: 0.8

title:RHSA-2016:1612url:http://rhn.redhat.com/errata/RHSA-2016-1612.html

Trust: 0.8

title:RHSA-2016:1613url:http://rhn.redhat.com/errata/RHSA-2016-1613.html

Trust: 0.8

title:Top Pageurl:http://php.net/

Trust: 0.8

title:TLSA-2016-19url:http://www.turbolinux.co.jp/security/2016/TLSA-2016-19j.html

Trust: 0.8

title:The Registerurl:https://www.theregister.co.uk/2016/07/18/httpoxy_hole/

Trust: 0.2

title:Amazon Linux AMI: ALAS-2016-728url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2016-728

Trust: 0.1

title:Ubuntu Security Notice: php5, php7.0 vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3045-1

Trust: 0.1

title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - July 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=a22ad41e97bbfc5abb0bb927bf43089c

Trust: 0.1

title:Forcepoint Security Advisories: HTTPoxy CGI HTTP_PROXY Variable Multiple Vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=forcepoint_security_advisories&qid=47734ce563632c9864b0b698ae37ddf9

Trust: 0.1

title:Oracle: Oracle Critical Patch Update Advisory - July 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=2f446a7e1ea263c0c3a365776c6713f2

Trust: 0.1

title:Oracle Linux Bulletins: Oracle Linux Bulletin - July 2016url:https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins&qid=0bd8c924b56aac98dda0f5b45f425f38

Trust: 0.1

title:Oracle: Oracle Critical Patch Update Advisory - January 2018url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=e2a7f287e9acc8c64ab3df71130bc64d

Trust: 0.1

title:bachurl:https://github.com/sonatype-nexus-community/bach

Trust: 0.1

title:bachurl:https://github.com/OSSIndex/bach

Trust: 0.1

title: - url:https://github.com/Live-Hack-CVE/CVE-2016-5385

Trust: 0.1

title:jboturl:https://github.com/jschauma/jbot

Trust: 0.1

title:CVE-2016-5385url:https://github.com/AIPOCAI/CVE-2016-5385

Trust: 0.1

title:nginx-proxyurl:https://github.com/chaplean/nginx-proxy

Trust: 0.1

title:nginx-proxy2url:https://github.com/corzel/nginx-proxy2

Trust: 0.1

title:Testurl:https://github.com/Abhinav4git/Test

Trust: 0.1

title:nginx-proxyurl:https://github.com/jwilder/nginx-proxy

Trust: 0.1

title: - url:https://github.com/GloveofGames/hehe

Trust: 0.1

title: - url:https://github.com/jquepi/nginx-proxy-2

Trust: 0.1

title: - url:https://github.com/lemonhope-mz/replica_nginx-proxy

Trust: 0.1

title:reto-ejercicio1url:https://github.com/QuirianCordova/reto-ejercicio1

Trust: 0.1

title:nginxurl:https://github.com/ratika-web/nginx

Trust: 0.1

title:docker-nginx-proxyurl:https://github.com/CodeKoalas/docker-nginx-proxy

Trust: 0.1

title:jwilder-nginx-proxyurl:https://github.com/linguamerica/jwilder-nginx-proxy

Trust: 0.1

title:nginx-proxyurl:https://github.com/abhi1693/nginx-proxy

Trust: 0.1

title:DockerProjecturl:https://github.com/antoinechab/DockerProject

Trust: 0.1

title:plonevhosturl:https://github.com/alteroo/plonevhost

Trust: 0.1

title:nginx-proxy-docker-image-builderurl:https://github.com/expoli/nginx-proxy-docker-image-builder

Trust: 0.1

title:reto-ejercicio3url:https://github.com/QuirianCordova/reto-ejercicio3

Trust: 0.1

title:nginxurl:https://github.com/isaiahweeks/nginx

Trust: 0.1

title:docker-dev-tools-proxyurl:https://github.com/antimatter-studios/docker-dev-tools-proxy

Trust: 0.1

title:nginx-proxyurl:https://github.com/nginx-proxy/nginx-proxy

Trust: 0.1

title:nginx-proxyurl:https://github.com/bfirestone/nginx-proxy

Trust: 0.1

title:nginx-oidc-proxyurl:https://github.com/garnser/nginx-oidc-proxy

Trust: 0.1

title:nginx-proxyurl:https://github.com/VitasL/nginx-proxy

Trust: 0.1

title:nginx-proxy-docker-image-builderurl:https://github.com/expoli/nginx-proxy-docker-image

Trust: 0.1

title:docker-proxyurl:https://github.com/antimatter-studios/docker-proxy

Trust: 0.1

title:nginx-proxyurl:https://github.com/junkl-solbox/nginx-proxy

Trust: 0.1

title:nginxProxyurl:https://github.com/moewsystem/nginxProxy

Trust: 0.1

title:kube-active-proxyurl:https://github.com/adi90x/kube-active-proxy

Trust: 0.1

title:nginx-proxyurl:https://github.com/antimatter-studios/nginx-proxy

Trust: 0.1

title: - url:https://github.com/6d617274696e73/nginx-waf-proxy

Trust: 0.1

title: - url:https://github.com/mikediamanto/nginx-proxy

Trust: 0.1

title:rancher-active-proxyurl:https://github.com/adi90x/rancher-active-proxy

Trust: 0.1

title:algm-php-vulnerability-checkerurl:https://github.com/timclifford/algm-php-vulnerability-checker

Trust: 0.1

title: - url:https://github.com/t0m4too/t0m4to

Trust: 0.1

title:github_aquasecurity_trivyurl:https://github.com/back8/github_aquasecurity_trivy

Trust: 0.1

title:TrivyWeburl:https://github.com/KorayAgaya/TrivyWeb

Trust: 0.1

title:Vulnerability-Scanner-for-Containersurl:https://github.com/t31m0/Vulnerability-Scanner-for-Containers

Trust: 0.1

title:securityurl:https://github.com/umahari/security

Trust: 0.1

title: - url:https://github.com/Mohzeela/external-secret

Trust: 0.1

title:trivyurl:https://github.com/simiyo/trivy

Trust: 0.1

title:trivyurl:https://github.com/aquasecurity/trivy

Trust: 0.1

title:trivyurl:https://github.com/knqyf263/trivy

Trust: 0.1

title:trivyurl:https://github.com/siddharthraopotukuchi/trivy

Trust: 0.1

title:Threatposturl:https://threatpost.com/cgi-script-vulnerability-httpoxy-allows-man-in-the-middle-attacks/119345/

Trust: 0.1

sources: VULMON: CVE-2016-5385 // JVNDB: JVNDB-2016-003800

EXTERNAL IDS

db:CERT/CCid:VU#797896

Trust: 3.1

db:NVDid:CVE-2016-5385

Trust: 2.9

db:BIDid:91821

Trust: 1.5

db:SECTRACKid:1036335

Trust: 1.2

db:JVNid:JVNVU91485132

Trust: 0.8

db:JVNDBid:JVNDB-2016-003800

Trust: 0.8

db:PACKETSTORMid:138295

Trust: 0.2

db:PACKETSTORMid:138298

Trust: 0.2

db:PACKETSTORMid:138014

Trust: 0.2

db:PACKETSTORMid:143933

Trust: 0.1

db:PACKETSTORMid:139744

Trust: 0.1

db:PACKETSTORMid:138299

Trust: 0.1

db:PACKETSTORMid:138297

Trust: 0.1

db:PACKETSTORMid:138296

Trust: 0.1

db:PACKETSTORMid:138070

Trust: 0.1

db:CNNVDid:CNNVD-201607-538

Trust: 0.1

db:VULHUBid:VHN-94204

Trust: 0.1

db:VULMONid:CVE-2016-5385

Trust: 0.1

db:PACKETSTORMid:138136

Trust: 0.1

db:PACKETSTORMid:139379

Trust: 0.1

db:PACKETSTORMid:140515

Trust: 0.1

sources: CERT/CC: VU#797896 // VULHUB: VHN-94204 // VULMON: CVE-2016-5385 // BID: 91821 // JVNDB: JVNDB-2016-003800 // PACKETSTORM: 138014 // PACKETSTORM: 138295 // PACKETSTORM: 138298 // PACKETSTORM: 138136 // PACKETSTORM: 139379 // PACKETSTORM: 140515 // NVD: CVE-2016-5385

REFERENCES

url:http://www.kb.cert.org/vuls/id/797896

Trust: 2.4

url:https://httpoxy.org/

Trust: 2.0

url:https://www.apache.org/security/asf-httpoxy-response.txt

Trust: 1.6

url:http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Trust: 1.5

url:http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

Trust: 1.5

url:https://bugzilla.redhat.com/show_bug.cgi?id=1353794

Trust: 1.5

url:https://www.drupal.org/sa-core-2016-003

Trust: 1.5

url:http://rhn.redhat.com/errata/rhsa-2016-1609.html

Trust: 1.3

url:http://rhn.redhat.com/errata/rhsa-2016-1612.html

Trust: 1.3

url:http://www.securitytracker.com/id/1036335

Trust: 1.2

url:http://www.securityfocus.com/bid/91821

Trust: 1.2

url:http://www.debian.org/security/2016/dsa-3631

Trust: 1.2

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/kzoiuyzdbwnddhc6xtolzyrmrxzwtjcp/

Trust: 1.2

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7rmyxavnyl2mobjtfate73tovoezyc5r/

Trust: 1.2

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/gxfeimzpsvgzqqayiq7u7dfvx3ibsdlf/

Trust: 1.2

url:https://security.gentoo.org/glsa/201611-22

Trust: 1.2

url:http://rhn.redhat.com/errata/rhsa-2016-1610.html

Trust: 1.2

url:http://rhn.redhat.com/errata/rhsa-2016-1611.html

Trust: 1.2

url:http://rhn.redhat.com/errata/rhsa-2016-1613.html

Trust: 1.2

url:http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Trust: 1.2

url:https://github.com/guzzle/guzzle/releases/tag/6.2.1

Trust: 1.2

url:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05320149

Trust: 1.2

url:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05333297

Trust: 1.2

url:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05390722

Trust: 1.2

url:http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html

Trust: 1.2

url:https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbhf03770en_us

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5385

Trust: 0.9

url:https://tools.ietf.org/html/rfc3875

Trust: 0.8

url:https://httpoxy.org

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/807.html

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/454.html

Trust: 0.8

url:http://jvn.jp/cert/jvnvu91485132

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-5385

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2016-5385

Trust: 0.6

url:https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c05320149

Trust: 0.4

url:https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c05333297

Trust: 0.4

url:https://github.com/friendsofphp/security-advisories/commit/7ed8f8e3a87f7be13dd70cccd54f8701be1be6e0

Trust: 0.3

url:http://www.php.net/

Trust: 0.3

url:http://www-01.ibm.com/support/docview.wss?uid=isg3t1024261

Trust: 0.3

url:http://www-01.ibm.com/support/docview.wss?uid=isg3t1024735

Trust: 0.3

url:https://www.oracle.com/technetwork/topics/security/bulletinjul2017-3814622.html

Trust: 0.3

url:http://www-01.ibm.com/support/docview.wss?uid=swg21993929

Trust: 0.3

url:http://www.ibm.com/support/docview.wss?uid=swg21994534

Trust: 0.3

url:https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-019/

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-6207

Trust: 0.2

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2016-5385

Trust: 0.2

url:https://bugzilla.redhat.com/):

Trust: 0.2

url:https://access.redhat.com/security/team/key/

Trust: 0.2

url:https://access.redhat.com/articles/11258

Trust: 0.2

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.2

url:https://access.redhat.com/security/team/contact/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-5093

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-6297

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-5772

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-6292

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-5771

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-5768

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-6289

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-5094

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-6295

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-5769

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-5773

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-5096

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-6290

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-5399

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-6291

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-6294

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-6296

Trust: 0.2

url:http://www.hpe.com/support/security_bulletin_archive

Trust: 0.2

url:http://www.hpe.com/support/subscriber_choice

Trust: 0.2

url:https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c01345499

Trust: 0.2

url:https://www.hpe.com/info/report-security-vulnerability

Trust: 0.2

url:https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us&amp;docid=emr_na-hpesbhf03770en_us

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/601.html

Trust: 0.1

url:https://github.com/sonatype-nexus-community/bach

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:http://php.net/changelog-5.php#5.6.24

Trust: 0.1

url:http://slackware.com

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-6207

Trust: 0.1

url:http://osuosl.org)

Trust: 0.1

url:http://slackware.com/gpg-key

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.24

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-6288

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/php7.0/7.0.8-0ubuntu0.16.04.2

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8935

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-5114

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-4116

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8876

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.19

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-5095

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8873

Trust: 0.1

url:http://www.ubuntu.com/usn/usn-3045-1

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-5387

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4393

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4396

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-2107

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4537

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-2109

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-3739

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-2106

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4395

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4542

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4538

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4070

Trust: 0.1

url:https://www.hpe.com/us/en/product-catalog/detail/pip.344313.html>

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4072

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4071

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4343

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4543

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4541

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-2105

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4394

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4539

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4540

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-5388

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-4342

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-7456

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-5770

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-3074

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-5767

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-6293

Trust: 0.1

url:http://www.hpe.com/support/msl6480>

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-5766

Trust: 0.1

sources: CERT/CC: VU#797896 // VULHUB: VHN-94204 // VULMON: CVE-2016-5385 // BID: 91821 // JVNDB: JVNDB-2016-003800 // PACKETSTORM: 138014 // PACKETSTORM: 138295 // PACKETSTORM: 138298 // PACKETSTORM: 138136 // PACKETSTORM: 139379 // PACKETSTORM: 140515 // NVD: CVE-2016-5385

CREDITS

Scott Geary (VendHQ)

Trust: 0.3

sources: BID: 91821

SOURCES

db:CERT/CCid:VU#797896
db:VULHUBid:VHN-94204
db:VULMONid:CVE-2016-5385
db:BIDid:91821
db:JVNDBid:JVNDB-2016-003800
db:PACKETSTORMid:138014
db:PACKETSTORMid:138295
db:PACKETSTORMid:138298
db:PACKETSTORMid:138136
db:PACKETSTORMid:139379
db:PACKETSTORMid:140515
db:NVDid:CVE-2016-5385

LAST UPDATE DATE

2024-11-20T21:36:40.475000+00:00


SOURCES UPDATE DATE

db:CERT/CCid:VU#797896date:2016-07-19T00:00:00
db:VULHUBid:VHN-94204date:2023-02-12T00:00:00
db:VULMONid:CVE-2016-5385date:2023-02-12T00:00:00
db:BIDid:91821date:2018-01-18T09:00:00
db:JVNDBid:JVNDB-2016-003800date:2016-12-27T00:00:00
db:NVDid:CVE-2016-5385date:2023-02-12T23:23:28.023

SOURCES RELEASE DATE

db:CERT/CCid:VU#797896date:2016-07-18T00:00:00
db:VULHUBid:VHN-94204date:2016-07-19T00:00:00
db:VULMONid:CVE-2016-5385date:2016-07-19T00:00:00
db:BIDid:91821date:2016-07-18T00:00:00
db:JVNDBid:JVNDB-2016-003800date:2016-07-25T00:00:00
db:PACKETSTORMid:138014date:2016-07-22T22:42:48
db:PACKETSTORMid:138295date:2016-08-12T18:02:52
db:PACKETSTORMid:138298date:2016-08-12T18:03:22
db:PACKETSTORMid:138136date:2016-08-02T22:59:53
db:PACKETSTORMid:139379date:2016-10-27T19:22:00
db:PACKETSTORMid:140515date:2017-01-15T23:24:00
db:NVDid:CVE-2016-5385date:2016-07-19T02:00:17.773