
USN-3045-1: PHP vulnerabilities


Unix Server vom | Direktlink: ubuntu.com Nachrichten Bewertung

Ubuntu Security Notice USN-3045-1

2nd August, 2016

php5, php7.0 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in PHP.

Software description

  • php5 - HTML-embedded scripting language interpreter
  • php7.0 - HTML-embedded scripting language interpreter

Details

It was discovered that PHP incorrectly handled certain SplMinHeap::compare
operations. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-4116)

It was discovered that PHP incorrectly handled recursive method calls. A
remote attacker could use this issue to cause PHP to crash, resulting in a
denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu
14.04 LTS. (CVE-2015-8873)

It was discovered that PHP incorrectly validated certain Exception objects
when unserializing data. A remote attacker could use this issue to cause
PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04
LTS. (CVE-2015-8876)

It was discovered that the PHP header() function performed insufficient
filtering for Internet Explorer. A remote attacker could possibly use this
issue to perform an XSS attack. This issue only affected Ubuntu 12.04 LTS
and Ubuntu 14.04 LTS. (CVE-2015-8935)

It was discovered that PHP incorrectly handled certain locale operations.
An attacker could use this issue to cause PHP to crash, resulting in a
denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu
14.04 LTS. (CVE-2016-5093)

It was discovered that the PHP php_html_entities() function incorrectly
handled certain string lengths. A remote attacker could use this issue to
cause PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04
LTS. (CVE-2016-5094, CVE-2016-5095)

It was discovered that the PHP fread() function incorrectly handled certain
lengths. An attacker could use this issue to cause PHP to crash, resulting
in a denial of service, or possibly execute arbitrary code. This issue only
affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5096)

It was discovered that the PHP FastCGI Process Manager (FPM) SAPI
incorrectly handled memory in the access logging feature. An attacker could
use this issue to cause PHP to crash, resulting in a denial of service, or
possibly expose sensitive information. This issue only affected Ubuntu
12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5114)

It was discovered that PHP did not protect applications from the HTTP_PROXY
environment variable being populated from the contents of the Proxy header
of incoming HTTP requests. A remote attacker could possibly use this issue,
in combination with scripts that honour the HTTP_PROXY variable, to redirect
outgoing HTTP requests. (CVE-2016-5385)
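As an added illustration, not part of the Ubuntu notice or of PHP's own code, the following Python snippet shows the mechanism behind this issue from the defender's side: how the CGI environment mapping turns a request's `Proxy` header into `HTTP_PROXY`, how an application-side proxy resolver can refuse request-derived values (the rule Python's urllib adopted for its own fix), and a check over access-log lines for requests that carried a `Proxy` header. The function names, host names, addresses and log lines are all constructed for the example.

```python
import re

# --- 1. How the CGI header-to-environment rule creates the collision -------

def cgi_environ_from_request(headers, method="GET"):
    """Mimic the CGI rule (RFC 3875) that exposes every request header to the
    script as HTTP_<NAME>, upper-cased with '-' turned into '_'. A
    client-supplied 'Proxy' header therefore lands in HTTP_PROXY, the same
    variable many HTTP client libraries read to find an outbound proxy."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


# --- 2. Application-side mitigation ------------------------------------------

def outbound_proxy(env):
    """Decide which proxy an outgoing HTTP request may use.

    In a CGI/FastCGI context (REQUEST_METHOD is set) HTTP_PROXY is under the
    remote client's control and is ignored. The lower-case http_proxy
    variable cannot be produced by the header mapping, so it is still
    honoured. Outside CGI either spelling is trusted, lower-case first."""
    lower = env.get("http_proxy")
    if "REQUEST_METHOD" in env:
        return lower or None
    return lower or env.get("HTTP_PROXY") or None


# --- 3. Detection: requests that carried a Proxy header ---------------------

# Constructed sample lines in Apache combined format extended with the
# request's Proxy header as a final quoted field, i.e. a LogFormat ending in
# ... "%{Referer}i" "%{User-Agent}i" "%{Proxy}i"
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [02/Aug/2016:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
198.51.100.23 - - [02/Aug/2016:10:15:04 +0000] "GET /api/fetch.php HTTP/1.1" 200 88 "-" "curl/7.47.0" "http://198.51.100.23:8080"
203.0.113.9 - - [02/Aug/2016:10:15:09 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
"""

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d+ \S+ '
    r'"[^"]*" "[^"]*" "(?P<proxy>[^"]*)"$'
)


def requests_with_proxy_header(log_text):
    """Return (client_ip, request_line, proxy_value) for every logged request
    that carried a non-empty Proxy header. No standard client sends one, so
    each hit is worth investigating."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if m and m.group("proxy") not in ("", "-"):
            hits.append((m.group("ip"), m.group("request"), m.group("proxy")))
    return hits


if __name__ == "__main__":
    env = cgi_environ_from_request({"Host": "app.example", "Proxy": "http://203.0.113.50:8080"})
    print("HTTP_PROXY as seen by the script:", env.get("HTTP_PROXY"))
    print("proxy the hardened resolver uses:", outbound_proxy(env))
    for hit in requests_with_proxy_header(SAMPLE_ACCESS_LOG):
        print("Proxy header from", *hit)
```

At the web server the complementary measure is to drop the header before it reaches any CGI or FastCGI script; with Apache's mod_headers that is `RequestHeader unset Proxy early`. Logging the header, as the constructed LogFormat above does, is what makes the detection check possible after the fact.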

Hans Jerry Illikainen discovered that the PHP bzread() function incorrectly
performed error handling. A remote attacker could use this issue to cause
PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-5399)

It was discovered that certain PHP multibyte string functions incorrectly
handled memory. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-5768)

It was discovered that the PHP Mcrypt extension incorrectly handled memory.
A remote attacker could use this issue to cause PHP to crash, resulting in
a denial of service, or possibly execute arbitrary code. This issue only
affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5769)

It was discovered that the PHP garbage collector incorrectly handled
certain objects when unserializing malicious data. A remote attacker could
use this issue to cause PHP to crash, resulting in a denial of service, or
possibly execute arbitrary code. This issue was only addressed in Ubuntu
14.04 LTS. (CVE-2016-5771, CVE-2016-5773)

It was discovered that PHP incorrectly handled memory when unserializing
malicious xml data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2016-5772)

It was discovered that the PHP php_url_parse_ex() function incorrectly
handled string termination. A remote attacker could use this issue to cause
PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04
LTS. (CVE-2016-6288)

It was discovered that PHP incorrectly handled path lengths when extracting
certain Zip archives. A remote attacker could use this issue to cause PHP
to crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-6289)

It was discovered that PHP incorrectly handled session deserialization. A
remote attacker could use this issue to cause PHP to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2016-6290)

It was discovered that PHP incorrectly handled exif headers when processing
certain JPEG images. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-6291, CVE-2016-6292)

It was discovered that PHP incorrectly handled certain locale operations. A
remote attacker could use this issue to cause PHP to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2016-6294)

It was discovered that the PHP garbage collector incorrectly handled
certain objects when unserializing SNMP data. A remote attacker could use
this issue to cause PHP to crash, resulting in a denial of service, or
possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS
and Ubuntu 16.04 LTS. (CVE-2016-6295)

It was discovered that the PHP xmlrpc_encode_request() function incorrectly
handled certain lengths. An attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-6296)

It was discovered that the PHP php_stream_zip_opener() function incorrectly
handled memory. An attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2016-6297)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS:

  • php7.0-fpm 7.0.8-0ubuntu0.16.04.2
  • libapache2-mod-php7.0 7.0.8-0ubuntu0.16.04.2
  • php7.0-cli 7.0.8-0ubuntu0.16.04.2
  • php7.0-cgi 7.0.8-0ubuntu0.16.04.2

Ubuntu 14.04 LTS:

  • php5-cli 5.5.9+dfsg-1ubuntu4.19
  • php5-cgi 5.5.9+dfsg-1ubuntu4.19
  • libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.19
  • php5-fpm 5.5.9+dfsg-1ubuntu4.19

Ubuntu 12.04 LTS:

  • php5-cli 5.3.10-1ubuntu3.24
  • php5-cgi 5.3.10-1ubuntu3.24
  • libapache2-mod-php5 5.3.10-1ubuntu3.24
  • php5-fpm 5.3.10-1ubuntu3.24

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-4116, CVE-2015-8873, CVE-2015-8876, CVE-2015-8935, CVE-2016-5093, CVE-2016-5094, CVE-2016-5095, CVE-2016-5096, CVE-2016-5114, CVE-2016-5385, CVE-2016-5399, CVE-2016-5768, CVE-2016-5769, CVE-2016-5771, CVE-2016-5772, CVE-2016-5773, CVE-2016-6288, CVE-2016-6289, CVE-2016-6290, CVE-2016-6291, CVE-2016-6292, CVE-2016-6294, CVE-2016-6295, CVE-2016-6296, CVE-2016-6297

...

http://www.ubuntu.com/usn/usn-3045-1/
