Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:DLA-499-1
HistoryMay 31, 2016 - 12:00 a.m.

php5 - security update

2016-05-3100:00:00
Google
osv.dev
24

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON
  • CVE-2015-8865
    The file_check_mem function in funcs.c in file before 5.23, as used
    in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20,
    and 7.x before 7.0.5, mishandles continuation-level jumps, which
    allows context-dependent attackers to cause a denial of service
    (buffer overflow and application crash) or possibly execute arbitrary
    code via a crafted magic file.
  • CVE-2015-8866
    libxml_disable_entity_loader setting is shared between threads
    ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when
    PHP-FPM is used, does not isolate each thread from
    libxml_disable_entity_loader changes in other threads, which allows
    remote attackers to conduct XML External Entity (XXE) and XML Entity
    Expansion (XEE) attacks via a crafted XML document, a related issue
    to CVE-2015-5161.
  • CVE-2015-8878
    main/php_open_temporary_file.c in PHP before 5.5.28 and 5.6.x before
    5.6.12 does not ensure thread safety, which allows remote attackers to
    cause a denial of service (race condition and heap memory corruption)
    by leveraging an application that performs many temporary-file accesses.
  • CVE-2015-8879
    The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12
    mishandles driver behavior for SQL_WVARCHAR columns, which allows
    remote attackers to cause a denial of service (application crash) in
    opportunistic circumstances by leveraging use of the odbc_fetch_array
    function to access a certain type of Microsoft SQL Server table.
  • CVE-2016-4070
    Integer overflow in the php_raw_url_encode function in ext/standard/url.c
    in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows
    remote attackers to cause a denial of service (application crash) via a
    long string to the rawurlencode function.
  • CVE-2016-4071
    Format string vulnerability in the php_snmp_error function in
    ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x
    before 7.0.5 allows remote attackers to execute arbitrary code via
    format string specifiers in an SNMP::get call.
  • CVE-2016-4072
    The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x
    before 7.0.5 allows remote attackers to execute arbitrary code via a
    crafted filename, as demonstrated by mishandling of \0 characters by
    the phar_analyze_path function in ext/phar/phar.c.
  • CVE-2016-4073
    Multiple integer overflows in the mbfl_strcut function in
    ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before
    5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial
    of service (application crash) or possibly execute arbitrary code via
    a crafted mb_strcut call.
  • CVE-2016-4343
    The phar_make_dirstream function in ext/phar/dirstream.c in PHP before
    5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files,
    which allows remote attackers to cause a denial of service
    (uninitialized pointer dereference) or possibly have unspecified other
    impact via a crafted TAR archive.
  • CVE-2016-4537
    The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35,
    5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer
    for the scale argument, which allows remote attackers to cause a
    denial of service or possibly have unspecified other impact via a
    crafted call.
  • CVE-2016-4539
    The xml_parse_into_struct function in ext/xml/xml.c in PHP before
    5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote
    attackers to cause a denial of service (buffer under-read and
    segmentation fault) or possibly have unspecified other impact via
    crafted XML data in the second argument, leading to a parser level
    of zero.
  • CVE-2016-4540 /
    CVE-2016-4541
    The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c
    in before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows
    remote attackers to cause a denial of service (out-of-bounds read)
    or possibly have unspecified other impact via a negative offset.
  • CVE-2016-4542 /
    CVE-2016-4543 /
    CVE-2016-4544
    The exif_process_* function in ext/exif/exif.c in PHP before 5.5.35,
    5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes,
    which allows remote attackers to cause a denial of service
    (out-of-bounds read) or possibly have unspecified other impact via
    crafted header data.

For Debian 7 Wheezy, these issues have been fixed in php5 version 5.4.45-0+deb7u3

Related

debian 8
nessus 38
openvas 37
ubuntu 1
fedora 8
amazon 1
suse 4
f5 14
prion 17
ubuntucve 17
cve 17
hackerone 1
osv 3
debiancve 14
gentoo 1
securityvulns 1
packetstorm 1
veracode 7
exploitpack 1
zdt 1
mageia 2
github 1
checkpoint_advisories 1
ibm 2
exploitdb 1
debian
debian
[SECURITY] [DLA 499-1] php5 security update
2016-05-31 20:07:56
[SECURITY] [DSA 3560-1] php5 security update
2016-04-27 20:06:49
[SECURITY] [DSA 3560-1] php5 security update
2016-04-27 20:06:49
nessus
nessus
Debian DLA-499-1 : php5 security update
2016-06-01 00:00:00
Ubuntu 14.04 LTS / 16.04 LTS : PHP vulnerabilities (USN-2984-1)
2016-05-25 00:00:00
PHP 7.0.x < 7.0.5 Multiple Vulnerabilities
2016-04-06 00:00:00
openvas
openvas
Debian: Security Advisory (DLA-499-1)
2023-03-08 00:00:00
Ubuntu: Security Advisory (USN-2984-1)
2016-05-25 00:00:00
Fedora Update for php FEDORA-2016-e205218629
2016-06-08 00:00:00
ubuntu
ubuntu
PHP vulnerabilities
2016-05-24 00:00:00
fedora
fedora
[SECURITY] Fedora 24 Update: php-5.6.21-1.fc24
2016-05-07 12:29:10
[SECURITY] Fedora 22 Update: php-5.6.21-1.fc22
2016-05-12 07:24:40
[SECURITY] Fedora 22 Update: php-ZendFramework2-2.4.7-1.fc22
2015-08-27 18:33:26
amazon
amazon
Important: php56, php55
2016-05-03 10:30:00
suse
suse
Security update for php5 (important)
2016-05-20 15:09:02
Security update for php5 (important)
2016-05-11 18:07:54
Security update for php5 (important)
2016-05-11 14:07:47
f5
f5
SOL24734336 - PHP vulnerabilities CVE-2016-4542, CVE-2016-4543, and CVE-2016-4544
2016-05-23 00:00:00
K24734336 : PHP vulnerabilities CVE-2016-4542, CVE-2016-4543, and CVE-2016-4544
2016-05-23 00:00:00
K80922332 : PHP vulnerability CVE-2015-8866
2020-10-02 00:00:00
prion
prion
Xxe
2016-05-22 01:59:00
Race condition
2016-05-22 01:59:00
Code injection
2016-05-22 01:59:00
ubuntucve
ubuntucve
CVE-2015-8866
2016-05-22 00:00:00
CVE-2016-4541
2016-05-06 00:00:00
CVE-2016-4544
2016-05-06 00:00:00
cve
cve
CVE-2015-8866
2016-05-22 01:59:00
CVE-2015-8878
2016-05-22 01:59:00
CVE-2015-8865
2016-05-20 10:59:00
hackerone
hackerone
Internet Bug Bounty: Buffer over-write in finfo_open with malformed magic file.
2019-01-07 20:34:26
osv
osv
file - security update
2016-05-07 00:00:00
zendframework - security update
2015-08-27 00:00:00
ZendXml and Zend Framework contain XXE and XEE Vulnerabilities
2022-05-17 03:16:37
debiancve
debiancve
CVE-2015-8879
2016-05-22 01:59:00
CVE-2015-8865
2016-05-20 10:59:00
CVE-2016-4541
2016-05-22 01:59:00
gentoo
gentoo
PHP: Multiple vulnerabilities
2016-11-30 00:00:00
securityvulns
securityvulns
[SECURITY] [DSA 3340-1] zendframework security update
2015-08-24 00:00:00
packetstorm
packetstorm
Zend Framework 2.4.2 / 1.12.13 XXE Injection
2015-08-13 00:00:00
veracode
veracode
XML External Entity (XXE) And XML Entity Expansion (XEE)
2017-07-26 23:17:17
Arbitrary Code Execution
2019-05-02 06:02:18
Denial Of Service (DoS)
2019-05-02 06:02:21
exploitpack
exploitpack
Zend Framework 2.4.2 - PHP FPM XML eXternal Entity Injection
2015-08-13 00:00:00
zdt
zdt
Zend Framework 2.4.2 / 1.12.13 XXE Injection Vulnerability
2015-08-13 00:00:00
mageia
mageia
Updated php-ZendFramework packages fix CVE-2015-5161
2015-09-15 17:55:06
Updated php-ZendFramework packages fix CVE-2015-5161
2015-09-15 17:55:06
github
github
ZendXml and Zend Framework contain XXE and XEE Vulnerabilities
2022-05-17 03:16:37
checkpoint_advisories
checkpoint_advisories
PHP TAR File Parsing Uninitialized Reference (CVE-2016-4343)
2016-08-24 00:00:00
ibm
ibm
Security Bulletin: Multiple vulnerabilities in PHP and memcached libraries affect IBM Tealeaf Customer Experience
2018-06-16 20:03:30
Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple php vulnerabilities
2018-06-18 01:33:37
exploitdb
exploitdb
Zend Framework 2.4.2 - PHP FPM XML eXternal Entity Injection
2015-08-13 00:00:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON
Related for OSV:DLA-499-1
debian8nessus38openvas37ubuntu1fedora8amazon1suse4f514prion17ubuntucve17cve17hackerone1osv3debiancve14gentoo1securityvulns1packetstorm1veracode7exploitpack1zdt1mageia2github1checkpoint_advisories1ibm2exploitdb1