ID RHSA-2005:032 Type redhat Reporter RedHat Modified 2017-09-08T11:51:21
Description
PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Web server.
Flaws including possible information disclosure, double free, and negative
reference index array underflow were found in the deserialization code of
PHP. PHP applications may use the unserialize function on untrusted user
data, which could allow a remote attacker to gain access to memory or
potentially execute arbitrary code. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-1019 to
this issue.
A flaw in the exif extension of PHP was found which lead to a stack
overflow. An attacker could create a carefully crafted image file in such
a way which, if parsed by a PHP script using the exif extension, could
cause a crash or potentially execute arbitrary code. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-1065 to this issue.
Flaws were found in shmop_write, pack, and unpack PHP functions. These
functions are not normally passed user supplied data, so would require a
malicious PHP script to be exploited. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-1018 to
this issue.
Users of PHP should upgrade to these updated packages, which contain fixes
for these issues.
{"result": {"cve": [{"id": "CVE-2004-1018", "type": "cve", "title": "CVE-2004-1018", "description": "Multiple integer handling errors in PHP before 4.3.10 allow attackers to bypass safe mode restrictions, cause a denial of service, or execute arbitrary code via (1) a negative offset value to the shmop_write function, (2) an \"integer overflow/underflow\" in the pack function, or (3) an \"integer overflow/underflow\" in the unpack function. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.", "published": "2005-01-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1018", "cvelist": ["CVE-2004-1018"], "lastseen": "2017-10-11T11:05:59"}, {"id": "CVE-2004-1019", "type": "cve", "title": "CVE-2004-1019", "description": "The deserialization code in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to cause a denial of service and execute arbitrary code via untrusted data to the unserialize function that may trigger \"information disclosure, double-free and negative reference index array underflow\" results.", "published": "2005-01-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1019", "cvelist": ["CVE-2004-1019"], "lastseen": "2017-10-11T11:05:59"}, {"id": "CVE-2004-1065", "type": "cve", "title": "CVE-2004-1065", "description": "Buffer overflow in the exif_read_data function in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to execute arbitrary code via a long section name in an image file.", "published": "2005-01-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1065", "cvelist": ["CVE-2004-1065"], "lastseen": "2017-10-11T11:05:59"}], "osvdb": [{"id": "OSVDB:34717", "type": "osvdb", "title": "PHP shmop_write() Arbitrary Memory Manipulation", "description": "## Vulnerability Description\nPHP contains a flaw that may allow an attacker to gain elevated privileges. The issue is due to the shmop_write function not properly sanitizing user-supplied input. This may allow an attaker to bypass safe mode restrictions, cause a denial of service or execute arbitrary code.\n## Solution Description\nUpgrade to version 4.3.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPHP contains a flaw that may allow an attacker to gain elevated privileges. The issue is due to the shmop_write function not properly sanitizing user-supplied input. This may allow an attaker to bypass safe mode restrictions, cause a denial of service or execute arbitrary code.\n## References:\nVendor URL: http://www.php.net/\nVendor Specific News/Changelog Entry: http://us2.php.net/releases/4_3_10.php\n[CVE-2004-1018](https://vulners.com/cve/CVE-2004-1018)\n", "published": "2004-12-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:34717", "cvelist": ["CVE-2004-1018"], "lastseen": "2017-04-28T13:20:30"}, {"id": "OSVDB:12411", "type": "osvdb", "title": "PHP unpack() Function Heap Information Leak", "description": "## Vulnerability Description\nPHP contains a flaw that may allow a remote attacker to read arbitrary portions of system memory. The issue is due to the unpack() function not properly validating parameters passed to it.\n## Solution Description\nUpgrade to version 4.3.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPHP contains a flaw that may allow a remote attacker to read arbitrary portions of system memory. The issue is due to the unpack() function not properly validating parameters passed to it.\n## References:\nVendor URL: http://www.php.net/\nVendor Specific News/Changelog Entry: http://www.php.net/release_4_3_10.php\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4.htm)\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=300770)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txt)\n[Vendor Specific Advisory URL](http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01212)\n[Secunia Advisory ID:13481](https://secuniaresearch.flexerasoftware.com/advisories/13481/)\n[Secunia Advisory ID:13614](https://secuniaresearch.flexerasoftware.com/advisories/13614/)\n[Secunia Advisory ID:13923](https://secuniaresearch.flexerasoftware.com/advisories/13923/)\n[Secunia Advisory ID:14653](https://secuniaresearch.flexerasoftware.com/advisories/14653/)\n[Secunia Advisory ID:17311](https://secuniaresearch.flexerasoftware.com/advisories/17311/)\n[Secunia Advisory ID:13562](https://secuniaresearch.flexerasoftware.com/advisories/13562/)\n[Secunia Advisory ID:13944](https://secuniaresearch.flexerasoftware.com/advisories/13944/)\n[Secunia Advisory ID:16322](https://secuniaresearch.flexerasoftware.com/advisories/16322/)\n[Secunia Advisory ID:17645](https://secuniaresearch.flexerasoftware.com/advisories/17645/)\n[Secunia Advisory ID:13568](https://secuniaresearch.flexerasoftware.com/advisories/13568/)\n[Related OSVDB ID: 12415](https://vulners.com/osvdb/OSVDB:12415)\n[Related OSVDB ID: 12410](https://vulners.com/osvdb/OSVDB:12410)\n[Related OSVDB ID: 12412](https://vulners.com/osvdb/OSVDB:12412)\n[Related OSVDB ID: 12413](https://vulners.com/osvdb/OSVDB:12413)\n[Related OSVDB ID: 12414](https://vulners.com/osvdb/OSVDB:12414)\nRedHat RHSA: RHSA-2005:031\nRedHat RHSA: RHSA-2005:816\nRedHat RHSA: RHSA-2004:687\nOther Advisory URL: http://www.ubuntulinux.org/support/documentation/usn/usn-99-1\nOther Advisory URL: http://www.hardened-php.net/advisories/012004.txt\nOther Advisory URL: http://www.ubuntulinux.org/support/documentation/usn/usn-66-1\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200412-14.xml\nOther Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:151\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-12/0173.html\nKeyword: SCOSA-2005.49\n[CVE-2004-1018](https://vulners.com/cve/CVE-2004-1018)\n", "published": "2004-12-15T08:12:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:12411", "cvelist": ["CVE-2004-1018"], "lastseen": "2017-04-28T13:20:08"}, {"id": "OSVDB:12410", "type": "osvdb", "title": "PHP pack() Function Overflow", "description": "## Vulnerability Description\nPHP contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to insufficient validation of parameters passed to the pack() function which may result in a heap overflow. It is possible that the flaw may allow a remote attacker to bypass safe_mode restrictions and execute arbitrary code with the privileges of the Web server resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 4.3.10 or 5.0.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPHP contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to insufficient validation of parameters passed to the pack() function which may result in a heap overflow. It is possible that the flaw may allow a remote attacker to bypass safe_mode restrictions and execute arbitrary code with the privileges of the Web server resulting in a loss of integrity.\n## References:\nVendor URL: http://www.php.net/\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4.htm)\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=300770)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txt)\n[Vendor Specific Advisory URL](http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01212)\n[Secunia Advisory ID:13481](https://secuniaresearch.flexerasoftware.com/advisories/13481/)\n[Secunia Advisory ID:13923](https://secuniaresearch.flexerasoftware.com/advisories/13923/)\n[Secunia Advisory ID:14653](https://secuniaresearch.flexerasoftware.com/advisories/14653/)\n[Secunia Advisory ID:17311](https://secuniaresearch.flexerasoftware.com/advisories/17311/)\n[Secunia Advisory ID:13944](https://secuniaresearch.flexerasoftware.com/advisories/13944/)\n[Secunia Advisory ID:16322](https://secuniaresearch.flexerasoftware.com/advisories/16322/)\n[Secunia Advisory ID:17645](https://secuniaresearch.flexerasoftware.com/advisories/17645/)\n[Related OSVDB ID: 12411](https://vulners.com/osvdb/OSVDB:12411)\n[Related OSVDB ID: 12415](https://vulners.com/osvdb/OSVDB:12415)\n[Related OSVDB ID: 12412](https://vulners.com/osvdb/OSVDB:12412)\n[Related OSVDB ID: 12413](https://vulners.com/osvdb/OSVDB:12413)\n[Related OSVDB ID: 12414](https://vulners.com/osvdb/OSVDB:12414)\nRedHat RHSA: RHSA-2005:031\nRedHat RHSA: RHSA-2005:816\nRedHat RHSA: RHSA-2004:687\nOther Advisory URL: http://www.ubuntulinux.org/support/documentation/usn/usn-99-1\nOther Advisory URL: http://www.hardened-php.net/advisories/012004.txt\nOther Advisory URL: http://www.ubuntulinux.org/support/documentation/usn/usn-66-1\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200412-14.xml\nOther Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:151\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-12/0173.html\nKeyword: SCOSA-2005.49\nISS X-Force ID: 18509\n[CVE-2004-1018](https://vulners.com/cve/CVE-2004-1018)\nBugtraq ID: 11964\n", "published": "2004-12-15T08:12:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:12410", "cvelist": ["CVE-2004-1018"], "lastseen": "2017-04-28T13:20:08"}, {"id": "OSVDB:12415", "type": "osvdb", "title": "PHP unserialize() Function Negative Reference Arbitrary Code Execution", "description": "## Vulnerability Description\nPHP contains a flaw that may allow a remote attacker to gain elevated privileges. The issue is due to the deserialization code not properly sanitizing user-supplied input. This may allow an attacker to pass crafted content to the unserialize function and cause a denial of service or execute arbitrary code.\n## Solution Description\nUpgrade to version 4.3.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPHP contains a flaw that may allow a remote attacker to gain elevated privileges. The issue is due to the deserialization code not properly sanitizing user-supplied input. This may allow an attacker to pass crafted content to the unserialize function and cause a denial of service or execute arbitrary code.\n## References:\nVendor URL: http://www.php.net/\nVendor Specific News/Changelog Entry: http://www.php.net/release_4_3_10.php\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4.htm)\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=300770)\n[Vendor Specific Advisory URL](ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txt)\n[Vendor Specific Advisory URL](http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01212)\n[Secunia Advisory ID:13481](https://secuniaresearch.flexerasoftware.com/advisories/13481/)\n[Secunia Advisory ID:13851](https://secuniaresearch.flexerasoftware.com/advisories/13851/)\n[Secunia Advisory ID:13923](https://secuniaresearch.flexerasoftware.com/advisories/13923/)\n[Secunia Advisory ID:17311](https://secuniaresearch.flexerasoftware.com/advisories/17311/)\n[Secunia Advisory ID:13562](https://secuniaresearch.flexerasoftware.com/advisories/13562/)\n[Secunia Advisory ID:13944](https://secuniaresearch.flexerasoftware.com/advisories/13944/)\n[Secunia Advisory ID:16322](https://secuniaresearch.flexerasoftware.com/advisories/16322/)\n[Secunia Advisory ID:17645](https://secuniaresearch.flexerasoftware.com/advisories/17645/)\n[Secunia Advisory ID:13568](https://secuniaresearch.flexerasoftware.com/advisories/13568/)\n[Secunia Advisory ID:13611](https://secuniaresearch.flexerasoftware.com/advisories/13611/)\n[Secunia Advisory ID:13895](https://secuniaresearch.flexerasoftware.com/advisories/13895/)\n[Related OSVDB ID: 12411](https://vulners.com/osvdb/OSVDB:12411)\n[Related OSVDB ID: 12410](https://vulners.com/osvdb/OSVDB:12410)\n[Related OSVDB ID: 12412](https://vulners.com/osvdb/OSVDB:12412)\n[Related OSVDB ID: 12413](https://vulners.com/osvdb/OSVDB:12413)\n[Related OSVDB ID: 12414](https://vulners.com/osvdb/OSVDB:12414)\nRedHat RHSA: RHSA-2005:031\nRedHat RHSA: RHSA-2005:816\nOther Advisory URL: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000915\nOther Advisory URL: http://www.hardened-php.net/advisories/012004.txt\nOther Advisory URL: http://www.novell.com/linux/security/advisories/2005_02_php4_mod_php4.html\nOther Advisory URL: http://www.ubuntulinux.org/support/documentation/usn/usn-66-1\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200412-14.xml\nOther Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:151\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-08/0146.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0332.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-12/0173.html\nKeyword: SCOSA-2005.49\nKeyword: SSRT5998\nISS X-Force ID: 18514\n[CVE-2004-1019](https://vulners.com/cve/CVE-2004-1019)\n", "published": "2004-12-15T08:12:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:12415", "cvelist": ["CVE-2004-1019"], "lastseen": "2017-04-28T13:20:08"}, {"id": "OSVDB:12602", "type": "osvdb", "title": "PHP exif_read_data Section Name Command Execution", "description": "## Solution Description\nUpgrade to version 4.3.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## References:\nVendor URL: http://www.php.net/\nVendor Specific News/Changelog Entry: http://www.php.net/release_4_3_10.php\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=300770)\n[Vendor Specific Advisory URL](http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01212)\n[Secunia Advisory ID:13614](https://secuniaresearch.flexerasoftware.com/advisories/13614/)\n[Secunia Advisory ID:13851](https://secuniaresearch.flexerasoftware.com/advisories/13851/)\n[Secunia Advisory ID:16322](https://secuniaresearch.flexerasoftware.com/advisories/16322/)\n[Secunia Advisory ID:13611](https://secuniaresearch.flexerasoftware.com/advisories/13611/)\n[Secunia Advisory ID:13895](https://secuniaresearch.flexerasoftware.com/advisories/13895/)\nRedHat RHSA: RHSA-2004:687\nOther Advisory URL: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000915\nOther Advisory URL: http://www.novell.com/linux/security/advisories/2005_02_php4_mod_php4.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-08/0146.html\nKeyword: SSRT5998\nISS X-Force ID: 18517\n[CVE-2004-1065](https://vulners.com/cve/CVE-2004-1065)\n", "published": "2004-11-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:12602", "cvelist": ["CVE-2004-1065"], "lastseen": "2017-04-28T13:20:08"}], "exploitdb": [{"id": "EDB-ID:24854", "type": "exploitdb", "title": "PHP 3/4/5 - Multiple Local And Remote Vulnerabilities 1", "description": "PHP 3/4/5 Multiple Local And Remote Vulnerabilities (1). CVE-2004-1018. Dos exploit for php platform", "published": "2004-12-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/24854/", "cvelist": ["CVE-2004-1018"], "lastseen": "2016-02-03T00:09:27"}, {"id": "EDB-ID:24855", "type": "exploitdb", "title": "PHP 3/4/5 - Multiple Local And Remote Vulnerabilities 2", "description": "PHP 3/4/5 Multiple Local And Remote Vulnerabilities (2). CVE-2004-1018. Dos exploit for php platform", "published": "2004-12-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/24855/", "cvelist": ["CVE-2004-1018"], "lastseen": "2016-02-03T00:09:34"}], "nessus": [{"id": "REDHAT-RHSA-2005-031.NASL", "type": "nessus", "title": "RHEL 2.1 : php (RHSA-2005:031)", "description": "Updated php packages that fix various security issues are now available for Red Hat Enterprise Linux 2.1.\n\nPHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.\n\nA double-free bug was found in the deserialization code of PHP. PHP applications use the unserialize function on untrusted user data, which could allow a remote attacker to gain access to memory or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1019 to this issue.\n\nFlaws were found in the pack and unpack PHP functions. These functions do not normally pass user-supplied data, so they would require a malicious PHP script to be exploited. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1018 to this issue.\n\nA bug was discovered in the initialization of the OpenSSL library, such that the curl extension could not be used to perform HTTP requests over SSL unless the php-imap package was installed.\n\nUsers of PHP should upgrade to these updated packages, which contain fixes for these issues.", "published": "2005-01-19T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=16222", "cvelist": ["CVE-2004-1018", "CVE-2004-1019"], "lastseen": "2017-10-29T13:45:41"}, {"id": "REDHAT-RHSA-2005-032.NASL", "type": "nessus", "title": "RHEL 4 : php (RHSA-2005:032)", "description": "Updated php packages that fix various security issues are now available for Red Hat Enterprise Linux 4.\n\nThis update has been rated as having important security impact by the Red Hat Security Response Team.\n\nPHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.\n\nFlaws including possible information disclosure, double free, and negative reference index array underflow were found in the deserialization code of PHP. PHP applications may use the unserialize function on untrusted user data, which could allow a remote attacker to gain access to memory or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1019 to this issue.\n\nA flaw in the exif extension of PHP was found which lead to a stack overflow. An attacker could create a carefully crafted image file in such a way which, if parsed by a PHP script using the exif extension, could cause a crash or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1065 to this issue.\n\nFlaws were found in shmop_write, pack, and unpack PHP functions. These functions are not normally passed user-supplied data, so would require a malicious PHP script to be exploited. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1018 to this issue.\n\nUsers of PHP should upgrade to these updated packages, which contain fixes for these issues.", "published": "2005-02-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=17166", "cvelist": ["CVE-2004-1018", "CVE-2004-1065", "CVE-2004-1019"], "lastseen": "2017-10-29T13:43:10"}, {"id": "UBUNTU_USN-99-1.NASL", "type": "nessus", "title": "Ubuntu 4.10 : php4 vulnerabilities (USN-99-1)", "description": "Stefano Di Paola discovered integer overflows in PHP's pack() and unpack() functions. A malicious PHP script could exploit these to break out of safe mode and execute arbitrary code with the privileges of the PHP interpreter. (CAN-2004-1018)\n\nNote: The second part of CAN-2004-1018 (buffer overflow in the shmop_write() function) was already fixed in USN-66-1.\n\nStefan Esser discovered two safe mode bypasses which allowed malicious PHP scripts to circumvent path restrictions. This was possible by either using virtual_popen() with a current directory containing shell metacharacters (CAN-2004-1063) or creating a specially crafted directory whose length exceeded the capacity of the realpath() function (CAN-2004-1064).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2006-01-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=20725", "cvelist": ["CVE-2004-1018", "CVE-2004-1063", "CVE-2004-1064"], "lastseen": "2017-10-29T13:33:24"}, {"id": "REDHAT-RHSA-2004-687.NASL", "type": "nessus", "title": "RHEL 3 : php (RHSA-2004:687)", "description": "Updated php packages that fix various security issues and bugs are now available for Red Hat Enterprise Linux 3.\n\nPHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.\n\nFlaws including possible information disclosure, double free, and negative reference index array underflow were found in the deserialization code of PHP. PHP applications may use the unserialize function on untrusted user data, which could allow a remote attacker to gain access to memory or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1019 to this issue.\n\nA flaw in the exif extension of PHP was found which lead to a stack overflow. An attacker could create a carefully crafted image file in such a way that if parsed by a PHP script using the exif extension it could cause a crash or potentially execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1065 to this issue.\n\nAn information disclosure bug was discovered in the parsing of 'GPC' variables in PHP (query strings or cookies, and POST form data). If particular scripts used the values of the GPC variables, portions of the memory space of an httpd child process could be revealed to the client. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0958 to this issue.\n\nA file access bug was discovered in the parsing of 'multipart/form-data' forms, used by PHP scripts which allow file uploads. In particular configurations, some scripts could allow a malicious client to upload files to an arbitrary directory where the 'apache' user has write access. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0959 to this issue.\n\nFlaws were found in shmop_write, pack, and unpack PHP functions. These functions are not normally passed user-supplied data, so would require a malicious PHP script to be exploited. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1018 to this issue.\n\nVarious issues were discovered in the use of the 'select' system call in PHP, which could be triggered if PHP is used in an Apache configuration where the number of open files (such as virtual host log files) exceeds the default process limit of 1024. Workarounds are now included for some of these issues.\n\nThe 'phpize' shell script included in PHP can be used to build third-party extension modules. A build issue was discovered in the 'phpize' script on some 64-bit platforms which prevented correct operation.\n\nThe 'pcntl' extension module is now enabled in the command line PHP interpreter, /usr/bin/php. This module enables process control features such as 'fork' and 'kill' from PHP scripts.\n\nUsers of PHP should upgrade to these updated packages, which contain fixes for these issues.", "published": "2004-12-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=16041", "cvelist": ["CVE-2004-1018", "CVE-2004-0959", "CVE-2004-1065", "CVE-2004-0958", "CVE-2004-1019"], "lastseen": "2017-10-29T13:34:30"}, {"id": "PHP45_MULTIPLE_FLAWS.NASL", "type": "nessus", "title": "PHP < 4.3.10 / 5.0.3 Multiple Vulnerabilities", "description": "According to its banner, the version of PHP installed on the remote host is prior to 4.3.10 / 5.0.3. It is, therefore, affected by multiple security issues that could, under certain circumstances, allow an attacker to execute arbitrary code on the remote host, provided that the attacker can pass arbitrary data to some functions, or to bypass safe_mode.", "published": "2004-12-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=15973", "cvelist": ["CVE-2004-1018", "CVE-2004-1065", "CVE-2004-1020", "CVE-2004-1063", "CVE-2004-1019", "CVE-2004-1064"], "lastseen": "2017-10-29T13:37:50"}, {"id": "MANDRAKE_MDKSA-2004-151.NASL", "type": "nessus", "title": "Mandrake Linux Security Advisory : php (MDKSA-2004:151)", "description": "A number of vulnerabilities in PHP versions prior to 4.3.10 were discovered by Stefan Esser. Some of these vulnerabilities were not deemed to be severe enough to warrant CVE names, however the packages provided, with the exception of the Corporate Server 2.1 packages, include fixes for all of the vulnerabilities, thanks to the efforts of the OpenPKG team who extracted and backported the fixes.\n\nThe vulnerabilities fixed in all provided packages include a fix for a possible information disclosure, double free, and negative reference index array underflow in deserialization code (CVE-2004-1019). As well, the exif_read_data() function suffers from an overflow on a long sectionname; this vulnerability was discovered by Ilia Alshanetsky (CVE-2004-1065).\n\nThe other fixes that appear in Mandrakelinux 9.2 and newer packages include a fix for out of bounds memory write access in shmop_write() and integer overflow/underflows in the pack() and unpack() functions.\nThe addslashes() function did not properly escape '�' correctly. A directory bypass issue existed in safe_mode execution. There is an issue of arbitrary file access through path truncation. Finally, the 'magic_quotes_gpc' functionality could lead to one level directory traversal with file uploads.", "published": "2004-12-19T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=15998", "cvelist": ["CVE-2004-1018", "CVE-2004-1065", "CVE-2004-1020", "CVE-2004-1063", "CVE-2004-1019", "CVE-2004-1064"], "lastseen": "2017-10-29T13:41:55"}, {"id": "MANDRAKE_MDKSA-2005-072.NASL", "type": "nessus", "title": "Mandrake Linux Security Advisory : php (MDKSA-2005:072)", "description": "A number of vulnerabilities are addressed in this PHP update :\n\nStefano Di Paolo discovered integer overflows in PHP's pack(), unpack(), and shmop_write() functions which could allow a malicious script to break out of safe mode and execute arbitrary code with privileges of the PHP interpreter (CVE-2004-1018; this was previously fixed in Mandrakelinux >= 10.0 in MDKSA-2004:151).\n\nStefan Esser discovered two safe mode bypasses which would allow malicious scripts to circumvent path restrictions by using virtual_popen() with a current directory containing shell meta- characters (CVE-2004-1063) or by creating a specially crafted directory whose length exceeded the capacity of realpath() (CVE-2004-1064; both of these were previously fixed in Mandrakelinux >= 10.0 in MDKSA-2004:151).\n\nTwo Denial of Service vulnerabilities were found in the getimagesize() function which uses the format-specific internal functions php_handle_iff() and php_handle_jpeg() which would get stuck in infinite loops when certain (invalid) size parameters are read from the image (CVE-2005-0524 and CVE-2005-0525).\n\nAn integer overflow was discovered in the exif_process_IFD_TAG() function in PHP's EXIF module. EXIF tags with a specially crafted 'Image File Directory' (IFD) tag would cause a buffer overflow which could be exploited to execute arbitrary code with the privileges of the PHP server (CVE-2005-1042).\n\nAnother vulnerability in the EXIF module was also discovered where headers with a large IFD nesting level would cause an unbound recursion which would eventually overflow the stack and cause the executed program to crash (CVE-2004-1043).\n\nAll of these issues are addressed in the Corporate Server 2.1 packages and the last three issues for all other platforms, which had previously included the first two issues but had not been mentioned in MDKSA-2004:151.", "published": "2005-04-19T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=18091", "cvelist": ["CVE-2004-1018", "CVE-2005-1043", "CVE-2005-0525", "CVE-2004-1063", "CVE-2005-0524", "CVE-2005-1042", "CVE-2004-1064"], "lastseen": "2017-10-29T13:40:07"}, {"id": "MACOSX_SECUPD2005-001.NASL", "type": "nessus", "title": "Mac OS X Multiple Vulnerabilities (Security Update 2005-001)", "description": "he remote host is missing Security Update 2005-001. This security update contains a number of fixes for the following programs :\n\n - at commands\n - ColorSync\n - libxml2\n - Mail\n - PHP\n - Safari\n - SquirrelMail\n\nThese programs have multiple vulnerabilities which may allow a remote attacker to execute arbitrary code.", "published": "2005-01-26T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=16251", "cvelist": ["CVE-2004-1314", "CVE-2004-1018", "CVE-2003-0863", "CVE-2004-0989", "CVE-2004-1036", "CVE-2004-1065", "CVE-2004-0595", "CVE-2003-0860", "CVE-2005-0126", "CVE-2004-1020", "CVE-2004-0594", "CVE-2004-1063", "CVE-2005-0125", "CVE-2005-0127", "CVE-2004-1019", "CVE-2004-1064"], "lastseen": "2018-01-17T00:59:14"}, {"id": "SUSE_SA_2005_002.NASL", "type": "nessus", "title": "SUSE-SA:2005:002: php4, mod_php4", "description": "The remote host is missing the patch for the advisory SUSE-SA:2005:002 (php4, mod_php4).\n\n\nPHP is a well known, widely-used scripting language often used within web server setups.\n\nStefan Esser and Marcus Boerger found several buffer overflow problems in the unserializer functions of PHP (CVE-2004-1019) and Ilia Alshanetsky (CVE-2004-1065) found one in the exif parser. Any of them could allow remote attackers to execute arbitrary code as the user running the PHP interpreter.\n\nAdditionally a bug where the server would disclose php sourcecode under some circumstances has been fixed.", "published": "2005-02-03T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=16306", "cvelist": ["CVE-2004-1065", "CVE-2004-1019"], "lastseen": "2016-09-26T17:23:28"}, {"id": "FREEBSD_PKG_D47E9D19501611D99B5F0050569F0001.NASL", "type": "nessus", "title": "FreeBSD : php -- multiple vulnerabilities (d47e9d19-5016-11d9-9b5f-0050569f0001)", "description": "Secunia reports :\n\nMultiple vulnerabilities have been reported in PHP, which can be exploited to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information, or compromise a vulnerable system.", "published": "2005-07-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=19133", "cvelist": ["CVE-2004-1065", "CVE-2004-1019"], "lastseen": "2017-10-29T13:40:45"}], "redhat": [{"id": "RHSA-2005:031", "type": "redhat", "title": "(RHSA-2005:031) php security update", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Web server.\n\nA double-free bug was found in the deserialization code of PHP. PHP\napplications use the unserialize function on untrusted user data, which\ncould allow a remote attacker to gain access to memory or potentially\nexecute arbitrary code. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2004-1019 to this issue.\n\nFlaws were found in the pack and unpack PHP functions. These functions\ndo not normally pass user supplied data, so they would require a malicious\nPHP script to be exploited. The Common Vulnerabilities and Exposures\nproject (cve.mitre.org) has assigned the name CAN-2004-1018 to this issue.\n\nA bug was discovered in the initialization of the OpenSSL library, such\nthat the curl extension could not be used to perform HTTP requests over SSL\nunless the php-imap package was installed.\n\nUsers of PHP should upgrade to these updated packages, which contain fixes\nfor these issues.", "published": "2005-01-19T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2005:031", "cvelist": ["CVE-2004-1018", "CVE-2004-1019"], "lastseen": "2018-03-15T06:36:56"}, {"id": "RHSA-2004:687", "type": "redhat", "title": "(RHSA-2004:687) php security update", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Web server.\n\nFlaws including possible information disclosure, double free, and negative\nreference index array underflow were found in the deserialization code of\nPHP. PHP applications may use the unserialize function on untrusted user\ndata, which could allow a remote attacker to gain access to memory or\npotentially execute arbitrary code. The Common Vulnerabilities and\nExposures project (cve.mitre.org) has assigned the name CAN-2004-1019 to\nthis issue.\n\nA flaw in the exif extension of PHP was found which lead to a stack\noverflow. An attacker could create a carefully crafted image file in such\na way that if parsed by a PHP script using the exif extension it could\ncause a crash or potentially execute arbitrary code. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the name\nCAN-2004-1065 to this issue.\n\nAn information disclosure bug was discovered in the parsing of \"GPC\"\nvariables in PHP (query strings or cookies, and POST form data). If\nparticular scripts used the values of the GPC variables, portions of the\nmemory space of an httpd child process could be revealed to the client. \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CAN-2004-0958 to this issue.\n\nA file access bug was discovered in the parsing of \"multipart/form-data\"\nforms, used by PHP scripts which allow file uploads. In particular\nconfigurations, some scripts could allow a malicious client to upload files\nto an arbitrary directory where the \"apache\" user has write access. The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2004-0959 to this issue.\n\nFlaws were found in shmop_write, pack, and unpack PHP functions. These\nfunctions are not normally passed user supplied data, so would require a\nmalicious PHP script to be exploited. The Common Vulnerabilities and\nExposures project (cve.mitre.org) has assigned the name CAN-2004-1018 to\nthis issue.\n\nVarious issues were discovered in the use of the \"select\" system call in\nPHP, which could be triggered if PHP is used in an Apache configuration\nwhere the number of open files (such as virtual host log files) exceeds the\ndefault process limit of 1024. Workarounds are now included for some of\nthese issues.\n\nThe \"phpize\" shell script included in PHP can be used to build third-party\nextension modules. A build issue was discovered in the \"phpize\" script on\nsome 64-bit platforms which prevented correct operation.\n\nThe \"pcntl\" extension module is now enabled in the command line PHP\ninterpreter, /usr/bin/php. This module enables process control features \nsuch as \"fork\" and \"kill\" from PHP scripts.\n\nUsers of PHP should upgrade to these updated packages, which contain fixes\nfor these issues.", "published": "2004-12-21T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2004:687", "cvelist": ["CVE-2004-0958", "CVE-2004-0959", "CVE-2004-1018", "CVE-2004-1019", "CVE-2004-1065"], "lastseen": "2017-08-02T16:58:15"}, {"id": "RHSA-2005:838", "type": "redhat", "title": "(RHSA-2005:838) php security update", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\r\nHTTP Web server.\r\n\r\nA flaw was found in the way PHP registers global variables during a file\r\nupload request. A remote attacker could submit a carefully crafted\r\nmultipart/form-data POST request that would overwrite the $GLOBALS array,\r\naltering expected script behavior, and possibly leading to the execution of\r\narbitrary PHP commands. Note that this vulnerability only affects\r\ninstallations which have register_globals enabled in the PHP configuration\r\nfile, which is not a default or recommended option. The Common\r\nVulnerabilities and Exposures project assigned the name CVE-2005-3390 to\r\nthis issue.\r\n\r\nA flaw was found in the PHP parse_str() function. If a PHP script passes\r\nonly one argument to the parse_str() function, and the script can be forced\r\nto abort execution during operation (for example due to the memory_limit\r\nsetting), the register_globals may be enabled even if it is disabled in the\r\nPHP configuration file. This vulnerability only affects installations that\r\nhave PHP scripts using the parse_str function in this way. (CVE-2005-3389)\r\n\r\nA Cross-Site Scripting flaw was found in the phpinfo() function. If a\r\nvictim can be tricked into following a malicious URL to a site with a page\r\ndisplaying the phpinfo() output, it may be possible to inject javascript\r\nor HTML content into the displayed page or steal data such as cookies. \r\nThis vulnerability only affects installations which allow users to view the\r\noutput of the phpinfo() function. As the phpinfo() function outputs a\r\nlarge amount of information about the current state of PHP, it should only\r\nbe used during debugging or if protected by authentication. (CVE-2005-3388)\r\n\r\nAdditionally, a bug introduced in the updates to fix CVE-2004-1019 has been\r\ncorrected.\r\n\r\nUsers of PHP should upgrade to these updated packages, which contain\r\nbackported patches that resolve these issues.", "published": "2005-11-10T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2005:838", "cvelist": ["CVE-2004-1019", "CVE-2005-3388", "CVE-2005-3389", "CVE-2005-3390"], "lastseen": "2018-03-14T15:43:58"}], "ubuntu": [{"id": "USN-99-1", "type": "ubuntu", "title": "PHP4 vulnerabilities", "description": "Stefano Di Paola discovered integer overflows in PHP\u2019s pack() and unpack() functions. A malicious PHP script could exploit these to break out of safe mode and execute arbitrary code with the privileges of the PHP interpreter. (CAN-2004-1018)\n\nNote: The second part of CAN-2004-1018 (buffer overflow in the shmop_write() function) was already fixed in USN-66-1.\n\nStefan Esser discovered two safe mode bypasses which allowed malicious PHP scripts to circumvent path restrictions. This was possible by either using virtual_popen() with a current directory containing shell metacharacters (CAN-2004-1063) or creating a specially crafted directory whose length exceeded the capacity of the realpath() function (CAN-2004-1064).", "published": "2005-03-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/99-1/", "cvelist": ["CVE-2004-1018", "CVE-2004-1063", "CVE-2004-1064"], "lastseen": "2018-03-29T18:21:00"}, {"id": "USN-40-1", "type": "ubuntu", "title": "PHP vulnerabilities", "description": "Stefan Esser reported several buffer overflows in PHP\u2019s variable unserializing handling. These could allow an attacker to execute arbitrary code on the server with the PHP interpreter\u2019s privileges by sending specially crafted input strings (form data, cookie values, and similar).\n\nAdditionally, Ilia Alshanetsky discovered a buffer overflow in the exif_read_data() function. Attackers could execute arbitrary code on the server by sending a JPEG image with a very long \u201csectionname\u201d value to PHP applications that support image uploads.", "published": "2004-12-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/40-1/", "cvelist": ["CVE-2004-1065", "CVE-2004-1019"], "lastseen": "2018-03-29T18:17:34"}], "freebsd": [{"id": "D47E9D19-5016-11D9-9B5F-0050569F0001", "type": "freebsd", "title": "php -- multiple vulnerabilities", "description": "\nSecunia reports:\n\nMultiple vulnerabilities have been reported in PHP,\n\t which can be exploited to gain escalated privileges,\n\t bypass certain security restrictions, gain knowledge\n\t of sensitive information, or compromise a vulnerable\n\t system.\n\n", "published": "2004-12-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/d47e9d19-5016-11d9-9b5f-0050569f0001.html", "cvelist": ["CVE-2004-1065", "CVE-2004-1019"], "lastseen": "2016-09-26T17:25:18"}], "openvas": [{"id": "OPENVAS:65134", "type": "openvas", "title": "SLES9: Security update for PHP4", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n mod_php4-core\n apache2-mod_php4\n php4-servlet\n php4\n php4-imap\n php4-mysql\n php4-session\n apache-mod_php4\n mod_php4-servlet\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5020404 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "published": "2009-10-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=65134", "cvelist": ["CVE-2004-1065", "CVE-2004-1019"], "lastseen": "2017-07-26T08:55:31"}, {"id": "OPENVAS:136141256231065134", "type": "openvas", "title": "SLES9: Security update for PHP4", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n mod_php4-core\n apache2-mod_php4\n php4-servlet\n php4\n php4-imap\n php4-mysql\n php4-session\n apache-mod_php4\n mod_php4-servlet\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5020404 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "published": "2009-10-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231065134", "cvelist": ["CVE-2004-1065", "CVE-2004-1019"], "lastseen": "2018-04-06T11:38:09"}, {"id": "OPENVAS:65465", "type": "openvas", "title": "SLES9: Security update for PHP4", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n apache2-mod_php4\n php4-imap\n php4\n php4-mysql\n mod_php4-servlet\n php4-servlet\n mod_php4-core\n php4-session\n apache-mod_php4\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5020183 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "published": "2009-10-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=65465", "cvelist": ["CVE-2004-1065", "CVE-2004-1019"], "lastseen": "2017-07-26T08:55:52"}, {"id": "OPENVAS:136141256231065465", "type": "openvas", "title": "SLES9: Security update for PHP4", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n apache2-mod_php4\n php4-imap\n php4\n php4-mysql\n mod_php4-servlet\n php4-servlet\n mod_php4-core\n php4-session\n apache-mod_php4\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5020183 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "published": "2009-10-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231065465", "cvelist": ["CVE-2004-1065", "CVE-2004-1019"], "lastseen": "2018-04-06T11:39:12"}, {"id": "OPENVAS:1361412562310120450", "type": "openvas", "title": "Amazon Linux Local Check: alas-2015-464", "description": "Amazon Linux Local Security Checks", "published": "2015-09-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120450", "cvelist": ["CVE-2014-8142", "CVE-2004-1019"], "lastseen": "2017-07-24T12:53:30"}, {"id": "OPENVAS:52269", "type": "openvas", "title": "php -- multiple vulnerabilities", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "published": "2008-09-04T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=52269", "cvelist": ["CVE-2004-1065", "CVE-2004-1019"], "lastseen": "2017-07-02T21:10:11"}, {"id": "OPENVAS:54773", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200412-14 (PHP)", "description": "The remote host is missing updates announced in\nadvisory GLSA 200412-14.", "published": "2008-09-24T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=54773", "cvelist": ["CVE-2004-1065", "CVE-2004-1019"], "lastseen": "2017-07-24T12:50:14"}, {"id": "OPENVAS:1361412562310120454", "type": "openvas", "title": "Amazon Linux Local Check: alas-2015-463", "description": "Amazon Linux Local Security Checks", "published": "2015-09-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120454", "cvelist": ["CVE-2014-8142", "CVE-2004-1019"], "lastseen": "2017-07-24T12:53:50"}, {"id": "OPENVAS:136141256231065511", "type": "openvas", "title": "SLES9: Security update for PHP4", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n php4-sysvshm\n php4-fastcgi\n apache-mod_php4\n php4-imap\n php4-devel\n php4-mysql\n php4-servlet\n mod_php4-servlet\n php4-session\n mod_php4-core\n php4\n apache2-mod_php4\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5019075 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "published": "2009-10-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231065511", "cvelist": ["CVE-2005-0525", "CVE-2004-1065", "CVE-2005-0524", "CVE-2004-1019"], "lastseen": "2018-04-06T11:40:19"}, {"id": "OPENVAS:65511", "type": "openvas", "title": "SLES9: Security update for PHP4", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n php4-sysvshm\n php4-fastcgi\n apache-mod_php4\n php4-imap\n php4-devel\n php4-mysql\n php4-servlet\n mod_php4-servlet\n php4-session\n mod_php4-core\n php4\n apache2-mod_php4\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5019075 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "published": "2009-10-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=65511", "cvelist": ["CVE-2005-0525", "CVE-2004-1065", "CVE-2005-0524", "CVE-2004-1019"], "lastseen": "2017-07-26T08:56:14"}], "amazon": [{"id": "ALAS-2015-463", "type": "amazon", "title": "Medium: php54", "description": "**Issue Overview:**\n\nUse-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than [CVE-2004-1019 __](<https://access.redhat.com/security/cve/CVE-2004-1019>).\n\n \n**Affected Packages:** \n\n\nphp54\n\n \n**Issue Correction:** \nRun _yum update php54_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n php54-bcmath-5.4.36-1.64.amzn1.i686 \n php54-odbc-5.4.36-1.64.amzn1.i686 \n php54-pdo-5.4.36-1.64.amzn1.i686 \n php54-mcrypt-5.4.36-1.64.amzn1.i686 \n php54-pspell-5.4.36-1.64.amzn1.i686 \n php54-snmp-5.4.36-1.64.amzn1.i686 \n php54-xmlrpc-5.4.36-1.64.amzn1.i686 \n php54-debuginfo-5.4.36-1.64.amzn1.i686 \n php54-common-5.4.36-1.64.amzn1.i686 \n php54-devel-5.4.36-1.64.amzn1.i686 \n php54-mssql-5.4.36-1.64.amzn1.i686 \n php54-embedded-5.4.36-1.64.amzn1.i686 \n php54-mbstring-5.4.36-1.64.amzn1.i686 \n php54-cli-5.4.36-1.64.amzn1.i686 \n php54-soap-5.4.36-1.64.amzn1.i686 \n php54-process-5.4.36-1.64.amzn1.i686 \n php54-mysql-5.4.36-1.64.amzn1.i686 \n php54-ldap-5.4.36-1.64.amzn1.i686 \n php54-mysqlnd-5.4.36-1.64.amzn1.i686 \n php54-tidy-5.4.36-1.64.amzn1.i686 \n php54-5.4.36-1.64.amzn1.i686 \n php54-gd-5.4.36-1.64.amzn1.i686 \n php54-xml-5.4.36-1.64.amzn1.i686 \n php54-pgsql-5.4.36-1.64.amzn1.i686 \n php54-recode-5.4.36-1.64.amzn1.i686 \n php54-intl-5.4.36-1.64.amzn1.i686 \n php54-dba-5.4.36-1.64.amzn1.i686 \n php54-enchant-5.4.36-1.64.amzn1.i686 \n php54-imap-5.4.36-1.64.amzn1.i686 \n php54-fpm-5.4.36-1.64.amzn1.i686 \n \n src: \n php54-5.4.36-1.64.amzn1.src \n \n x86_64: \n php54-enchant-5.4.36-1.64.amzn1.x86_64 \n php54-common-5.4.36-1.64.amzn1.x86_64 \n php54-embedded-5.4.36-1.64.amzn1.x86_64 \n php54-debuginfo-5.4.36-1.64.amzn1.x86_64 \n php54-xmlrpc-5.4.36-1.64.amzn1.x86_64 \n php54-process-5.4.36-1.64.amzn1.x86_64 \n php54-gd-5.4.36-1.64.amzn1.x86_64 \n php54-xml-5.4.36-1.64.amzn1.x86_64 \n php54-pdo-5.4.36-1.64.amzn1.x86_64 \n php54-5.4.36-1.64.amzn1.x86_64 \n php54-intl-5.4.36-1.64.amzn1.x86_64 \n php54-cli-5.4.36-1.64.amzn1.x86_64 \n php54-odbc-5.4.36-1.64.amzn1.x86_64 \n php54-mbstring-5.4.36-1.64.amzn1.x86_64 \n php54-imap-5.4.36-1.64.amzn1.x86_64 \n php54-mysql-5.4.36-1.64.amzn1.x86_64 \n php54-snmp-5.4.36-1.64.amzn1.x86_64 \n php54-pgsql-5.4.36-1.64.amzn1.x86_64 \n php54-mcrypt-5.4.36-1.64.amzn1.x86_64 \n php54-soap-5.4.36-1.64.amzn1.x86_64 \n php54-mysqlnd-5.4.36-1.64.amzn1.x86_64 \n php54-devel-5.4.36-1.64.amzn1.x86_64 \n php54-tidy-5.4.36-1.64.amzn1.x86_64 \n php54-pspell-5.4.36-1.64.amzn1.x86_64 \n php54-mssql-5.4.36-1.64.amzn1.x86_64 \n php54-bcmath-5.4.36-1.64.amzn1.x86_64 \n php54-recode-5.4.36-1.64.amzn1.x86_64 \n php54-fpm-5.4.36-1.64.amzn1.x86_64 \n php54-ldap-5.4.36-1.64.amzn1.x86_64 \n php54-dba-5.4.36-1.64.amzn1.x86_64 \n \n \n", "published": "2015-01-08T11:35:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2015-463.html", "cvelist": ["CVE-2014-8142", "CVE-2004-1019"], "lastseen": "2016-09-28T21:04:04"}, {"id": "ALAS-2015-464", "type": "amazon", "title": "Medium: php55", "description": "**Issue Overview:**\n\nUse-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than [CVE-2004-1019 __](<https://access.redhat.com/security/cve/CVE-2004-1019>).\n\n \n**Affected Packages:** \n\n\nphp55\n\n \n**Issue Correction:** \nRun _yum update php55_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n php55-xmlrpc-5.5.20-2.94.amzn1.i686 \n php55-embedded-5.5.20-2.94.amzn1.i686 \n php55-dba-5.5.20-2.94.amzn1.i686 \n php55-pgsql-5.5.20-2.94.amzn1.i686 \n php55-gmp-5.5.20-2.94.amzn1.i686 \n php55-enchant-5.5.20-2.94.amzn1.i686 \n php55-soap-5.5.20-2.94.amzn1.i686 \n php55-mbstring-5.5.20-2.94.amzn1.i686 \n php55-ldap-5.5.20-2.94.amzn1.i686 \n php55-common-5.5.20-2.94.amzn1.i686 \n php55-intl-5.5.20-2.94.amzn1.i686 \n php55-imap-5.5.20-2.94.amzn1.i686 \n php55-pdo-5.5.20-2.94.amzn1.i686 \n php55-mysqlnd-5.5.20-2.94.amzn1.i686 \n php55-debuginfo-5.5.20-2.94.amzn1.i686 \n php55-pspell-5.5.20-2.94.amzn1.i686 \n php55-opcache-5.5.20-2.94.amzn1.i686 \n php55-gd-5.5.20-2.94.amzn1.i686 \n php55-recode-5.5.20-2.94.amzn1.i686 \n php55-process-5.5.20-2.94.amzn1.i686 \n php55-cli-5.5.20-2.94.amzn1.i686 \n php55-devel-5.5.20-2.94.amzn1.i686 \n php55-xml-5.5.20-2.94.amzn1.i686 \n php55-tidy-5.5.20-2.94.amzn1.i686 \n php55-mcrypt-5.5.20-2.94.amzn1.i686 \n php55-snmp-5.5.20-2.94.amzn1.i686 \n php55-mssql-5.5.20-2.94.amzn1.i686 \n php55-fpm-5.5.20-2.94.amzn1.i686 \n php55-odbc-5.5.20-2.94.amzn1.i686 \n php55-bcmath-5.5.20-2.94.amzn1.i686 \n php55-5.5.20-2.94.amzn1.i686 \n \n src: \n php55-5.5.20-2.94.amzn1.src \n \n x86_64: \n php55-process-5.5.20-2.94.amzn1.x86_64 \n php55-enchant-5.5.20-2.94.amzn1.x86_64 \n php55-xmlrpc-5.5.20-2.94.amzn1.x86_64 \n php55-pspell-5.5.20-2.94.amzn1.x86_64 \n php55-pdo-5.5.20-2.94.amzn1.x86_64 \n php55-pgsql-5.5.20-2.94.amzn1.x86_64 \n php55-fpm-5.5.20-2.94.amzn1.x86_64 \n php55-xml-5.5.20-2.94.amzn1.x86_64 \n php55-odbc-5.5.20-2.94.amzn1.x86_64 \n php55-cli-5.5.20-2.94.amzn1.x86_64 \n php55-tidy-5.5.20-2.94.amzn1.x86_64 \n php55-soap-5.5.20-2.94.amzn1.x86_64 \n php55-opcache-5.5.20-2.94.amzn1.x86_64 \n php55-snmp-5.5.20-2.94.amzn1.x86_64 \n php55-mysqlnd-5.5.20-2.94.amzn1.x86_64 \n php55-gd-5.5.20-2.94.amzn1.x86_64 \n php55-bcmath-5.5.20-2.94.amzn1.x86_64 \n php55-common-5.5.20-2.94.amzn1.x86_64 \n php55-devel-5.5.20-2.94.amzn1.x86_64 \n php55-recode-5.5.20-2.94.amzn1.x86_64 \n php55-mbstring-5.5.20-2.94.amzn1.x86_64 \n php55-gmp-5.5.20-2.94.amzn1.x86_64 \n php55-mcrypt-5.5.20-2.94.amzn1.x86_64 \n php55-intl-5.5.20-2.94.amzn1.x86_64 \n php55-dba-5.5.20-2.94.amzn1.x86_64 \n php55-ldap-5.5.20-2.94.amzn1.x86_64 \n php55-imap-5.5.20-2.94.amzn1.x86_64 \n php55-5.5.20-2.94.amzn1.x86_64 \n php55-debuginfo-5.5.20-2.94.amzn1.x86_64 \n php55-embedded-5.5.20-2.94.amzn1.x86_64 \n php55-mssql-5.5.20-2.94.amzn1.x86_64 \n \n \n", "published": "2015-01-08T11:35:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2015-464.html", "cvelist": ["CVE-2014-8142", "CVE-2004-1019"], "lastseen": "2016-09-28T21:03:59"}], "f5": [{"id": "SOL16021", "type": "f5", "title": "SOL16021 - PHP vulnerability CVE-2014-8142", "description": "Recommended Action\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "published": "2015-01-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/16000/000/sol16021.html", "cvelist": ["CVE-2014-8142", "CVE-2004-1019"], "lastseen": "2016-11-09T00:09:56"}, {"id": "F5:K16021", "type": "f5", "title": "PHP vulnerability CVE-2014-8142", "description": " \n\n\nUse-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019. ([CVE-2014-8142](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142>))\n\nImpact \n\n\nNone. F5 products are not affected by this vulnerability. \n\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "published": "2015-01-22T21:25:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://support.f5.com/csp/article/K16021", "cvelist": ["CVE-2014-8142", "CVE-2004-1019"], "lastseen": "2017-10-12T02:11:04"}], "suse": [{"id": "SUSE-SA:2005:002", "type": "suse", "title": "remote code execution in php4, mod_php4", "description": "PHP is a well known, widely-used scripting language often used within web server setups.\n#### Solution\nThere is no workaround known besides disabling PHP. Therefore we recommend to install the updated packages.", "published": "2005-01-17T17:12:32", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2005-01/msg00010.html", "cvelist": ["CVE-2004-1065", "CVE-2004-1019"], "lastseen": "2016-09-04T11:41:56"}, {"id": "SUSE-SU-2015:0365-1", "type": "suse", "title": "Security update for php5 (important)", "description": "php5 was updated to fix four security issues.\n\n These security issues were fixed:\n - CVE-2015-0231: Use-after-free vulnerability in the process_nested_data\n function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x\n before 5.5.21, and 5.6.x before 5.6.5 allowed remote attackers to\n execute arbitrary code via a crafted unserialize call that leverages\n improper handling of duplicate numerical keys within the serialized\n properties of an object. NOTE: this vulnerability exists because of an\n incomplete fix for CVE-2014-8142 (bnc#910659).\n - CVE-2014-9427: sapi/cgi/cgi_main.c in the CGI component in PHP through\n 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used\n to read a .php file, did not properly consider the mapping's length\n during processing of an invalid file that begins with a # character and\n lacks a newline character, which caused an out-of-bounds read and might\n (1) allow remote attackers to obtain sensitive information from php-cgi\n process memory by leveraging the ability to upload a .php file or (2)\n trigger unexpected code execution if a valid PHP script is present in\n memory locations adjacent to the mapping (bnc#911664).\n - CVE-2015-0232: The exif_process_unicode function in ext/exif/exif.c in\n PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allowed\n remote attackers to execute arbitrary code or cause a denial of service\n (uninitialized pointer free and application crash) via crafted EXIF data\n in a JPEG image (bnc#914690).\n - CVE-2014-8142: Use-after-free vulnerability in the process_nested_data\n function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x\n before 5.5.20, and 5.6.x before 5.6.4 allowed remote attackers to\n execute arbitrary code via a crafted unserialize call that leverages\n improper handling of duplicate keys within the serialized properties of\n an object, a different vulnerability than CVE-2004-1019 (bnc#910659).\n\n Additionally a fix was included that protects against a possible NULL\n pointer use (bnc#910659).\n\n This non-security issue was fixed:\n - php53 ignored default_socket_timeout on outgoing SSL connection\n (bnc#907519).\n\n", "published": "2015-02-24T11:05:36", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00029.html", "cvelist": ["CVE-2015-0232", "CVE-2014-9427", "CVE-2014-8142", "CVE-2015-0231", "CVE-2004-1019"], "lastseen": "2016-09-04T11:42:02"}, {"id": "SUSE-SU-2016:1638-1", "type": "suse", "title": "Security update for php53 (important)", "description": "This update for php53 to version 5.3.17 fixes the following issues:\n\n These security issues were fixed:\n - CVE-2016-5093: get_icu_value_internal out-of-bounds read (bnc#982010).\n - CVE-2016-5094: Don't create strings with lengths outside int range\n (bnc#982011).\n - CVE-2016-5095: Don't create strings with lengths outside int range\n (bnc#982012).\n - CVE-2016-5096: int/size_t confusion in fread (bsc#982013).\n - CVE-2016-5114: fpm_log.c memory leak and buffer overflow (bnc#982162).\n - CVE-2015-8879: The odbc_bindcols function in ext/odbc/php_odbc.c in PHP\n mishandles driver behavior for SQL_WVARCHAR columns, which allowed\n remote attackers to cause a denial of service (application crash) in\n opportunistic circumstances by leveraging use of the odbc_fetch_array\n function to access a certain type of Microsoft SQL Server table\n (bsc#981050).\n - CVE-2015-4116: Use-after-free vulnerability in the spl_ptr_heap_insert\n function in ext/spl/spl_heap.c in PHP allowed remote attackers to\n execute arbitrary code by triggering a failed SplMinHeap::compare\n operation (bsc#980366).\n - CVE-2015-8874: Stack consumption vulnerability in GD in PHP allowed\n remote attackers to cause a denial of service via a crafted\n imagefilltoborder call (bsc#980375).\n - CVE-2015-8873: Stack consumption vulnerability in Zend/zend_exceptions.c\n in PHP allowed remote attackers to cause a denial of service\n (segmentation fault) via recursive method calls (bsc#980373).\n - CVE-2016-4540: The grapheme_stripos function in\n ext/intl/grapheme/grapheme_string.c in PHP allowed remote attackers to\n cause a denial of service (out-of-bounds read) or possibly have\n unspecified other impact via a negative offset (bsc#978829).\n - CVE-2016-4541: The grapheme_strpos function in\n ext/intl/grapheme/grapheme_string.c in PHP allowed remote attackers to\n cause a denial of service (out-of-bounds read) or possibly have\n unspecified other impact via a negative offset (bsc#978829.\n - CVE-2016-4542: The exif_process_IFD_TAG function in ext/exif/exif.c in\n PHP did not properly construct spprintf arguments, which allowed remote\n attackers to cause a denial of service (out-of-bounds read) or possibly\n have unspecified other impact via crafted header data (bsc#978830).\n - CVE-2016-4543: The exif_process_IFD_in_JPEG function in ext/exif/exif.c\n in PHP did not validate IFD sizes, which allowed remote attackers to\n cause a denial of service (out-of-bounds read) or possibly have\n unspecified other impact via crafted header data (bsc#978830.\n - CVE-2016-4544: The exif_process_TIFF_in_JPEG function in ext/exif/exif.c\n in PHP did not validate TIFF start data, which allowed remote attackers\n to cause a denial of service (out-of-bounds read) or possibly have\n unspecified other impact via crafted header data (bsc#978830.\n - CVE-2016-4537: The bcpowmod function in ext/bcmath/bcmath.c in PHP\n accepted a negative integer for the scale argument, which allowed remote\n attackers to cause a denial of service or possibly have unspecified\n other impact via a crafted call (bsc#978827).\n - CVE-2016-4538: The bcpowmod function in ext/bcmath/bcmath.c in PHP\n modified certain data structures without considering whether they are\n copies of the _zero_, _one_, or _two_ global variable, which allowed\n remote attackers to cause a denial of service or possibly have\n unspecified other impact via a crafted call (bsc#978827).\n - CVE-2016-4539: The xml_parse_into_struct function in ext/xml/xml.c in\n PHP allowed remote attackers to cause a denial of service (buffer\n under-read and segmentation fault) or possibly have unspecified other\n impact via crafted XML data in the second argument, leading to a parser\n level of zero (bsc#978828).\n - CVE-2016-4342: ext/phar/phar_object.c in PHP mishandles zero-length\n uncompressed data, which allowed remote attackers to cause a denial of\n service (heap memory corruption) or possibly have unspecified other\n impact via a crafted (1) TAR, (2) ZIP, or (3) PHAR archive (bsc#977991).\n - CVE-2016-4346: Integer overflow in the str_pad function in\n ext/standard/string.c in PHP allowed remote attackers to cause a denial\n of service or possibly have unspecified other impact via a long string,\n leading to a heap-based buffer overflow (bsc#977994).\n - CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in\n ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP allowed remote attackers to\n cause a denial of service (application crash) or possibly execute\n arbitrary code via a crafted mb_strcut call (bsc#977003).\n - CVE-2015-8867: The openssl_random_pseudo_bytes function in\n ext/openssl/openssl.c in PHP incorrectly relied on the deprecated\n RAND_pseudo_bytes function, which made it easier for remote attackers to\n defeat cryptographic protection mechanisms via unspecified vectors\n (bsc#977005).\n - CVE-2016-4070: Integer overflow in the php_raw_url_encode function in\n ext/standard/url.c in PHP allowed remote attackers to cause a denial of\n service (application crash) via a long string to the rawurlencode\n function (bsc#976997).\n - CVE-2015-8866: ext/libxml/libxml.c in PHP when PHP-FPM is used, did not\n isolate each thread from libxml_disable_entity_loader changes in other\n threads, which allowed remote attackers to conduct XML External Entity\n (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document,\n a related issue to CVE-2015-5161 (bsc#976996).\n - CVE-2015-8838: ext/mysqlnd/mysqlnd.c in PHP used a client SSL option to\n mean that SSL is optional, which allowed man-in-the-middle attackers to\n spoof servers via a cleartext-downgrade attack, a related issue to\n CVE-2015-3152 (bsc#973792).\n - CVE-2015-8835: The make_http_soap_request function in\n ext/soap/php_http.c in PHP did not properly retrieve keys, which allowed\n remote attackers to cause a denial of service (NULL pointer dereference,\n type confusion, and application crash) or possibly execute arbitrary\n code via crafted serialized data representing a numerically indexed\n _cookies array, related to the SoapClient::__call method in\n ext/soap/soap.c (bsc#973351).\n - CVE-2016-3141: Use-after-free vulnerability in wddx.c in the WDDX\n extension in PHP allowed remote attackers to cause a denial of service\n (memory corruption and application crash) or possibly have unspecified\n other impact by triggering a wddx_deserialize call on XML data\n containing a crafted var element (bsc#969821).\n - CVE-2016-3142: The phar_parse_zipfile function in zip.c in the PHAR\n extension in PHP allowed remote attackers to obtain sensitive\n information from process memory or cause a denial of service\n (out-of-bounds read and application crash) by placing a PK\\x05\\x06\n signature at an invalid location (bsc#971912).\n - CVE-2014-9767: Directory traversal vulnerability in the\n ZipArchive::extractTo function in ext/zip/php_zip.c in PHP\n ext/zip/ext_zip.cpp in HHVM allowed remote attackers to create arbitrary\n empty directories via a crafted ZIP archive (bsc#971612).\n - CVE-2016-3185: The make_http_soap_request function in\n ext/soap/php_http.c in PHP allowed remote attackers to obtain sensitive\n information from process memory or cause a denial of service (type\n confusion and application crash) via crafted serialized _cookies data,\n related to the SoapClient::__call method in ext/soap/soap.c (bsc#971611).\n - CVE-2016-2554: Stack-based buffer overflow in ext/phar/tar.c in PHP\n allowed remote attackers to cause a denial of service (application\n crash) or possibly have unspecified other impact via a crafted TAR\n archive (bsc#968284).\n - CVE-2015-7803: The phar_get_entry_data function in ext/phar/util.c in\n PHP allowed remote attackers to cause a denial of service (NULL pointer\n dereference and application crash) via a .phar file with a crafted TAR\n archive entry in which the Link indicator references a file that did not\n exist (bsc#949961).\n - CVE-2015-6831: Multiple use-after-free vulnerabilities in SPL in PHP\n allowed remote attackers to execute arbitrary code via vectors involving\n (1) ArrayObject, (2) SplObjectStorage, and (3) SplDoublyLinkedList,\n which are mishandled during unserialization (bsc#942291).\n - CVE-2015-6833: Directory traversal vulnerability in the PharData class\n in PHP allowed remote attackers to write to arbitrary files via a ..\n (dot dot) in a ZIP archive entry that is mishandled during an extractTo\n call (bsc#942296.\n - CVE-2015-6836: The SoapClient __call method in ext/soap/soap.c in PHP\n did not properly manage headers, which allowed remote attackers to\n execute arbitrary code via crafted serialized data that triggers a "type\n confusion" in the serialize_function_call function (bsc#945428).\n - CVE-2015-6837: The xsl_ext_function_php function in\n ext/xsl/xsltprocessor.c in PHP when libxml2 is used, did not consider\n the possibility of a NULL valuePop return value proceeding with a free\n operation during initial error checking, which allowed remote attackers\n to cause a denial of service (NULL pointer dereference and application\n crash) via a crafted XML document, a different vulnerability than\n CVE-2015-6838 (bsc#945412).\n - CVE-2015-6838: The xsl_ext_function_php function in\n ext/xsl/xsltprocessor.c in PHP when libxml2 is used, did not consider\n the possibility of a NULL valuePop return value proceeding with a free\n operation after the principal argument loop, which allowed remote\n attackers to cause a denial of service (NULL pointer dereference and\n application crash) via a crafted XML document, a different vulnerability\n than CVE-2015-6837 (bsc#945412).\n - CVE-2015-5590: Stack-based buffer overflow in the phar_fix_filepath\n function in ext/phar/phar.c in PHP allowed remote attackers to cause a\n denial of service or possibly have unspecified other impact via a large\n length value, as demonstrated by mishandling of an e-mail attachment by\n the imap PHP extension (bsc#938719).\n - CVE-2015-5589: The phar_convert_to_other function in\n ext/phar/phar_object.c in PHP did not validate a file pointer a close\n operation, which allowed remote attackers to cause a denial of service\n (segmentation fault) or possibly have unspecified other impact via a\n crafted TAR archive that is mishandled in a Phar::convertToData call\n (bsc#938721).\n - CVE-2015-4602: The __PHP_Incomplete_Class function in\n ext/standard/incomplete_class.c in PHP allowed remote attackers to cause\n a denial of service (application crash) or possibly execute arbitrary\n code via an unexpected data type, related to a "type confusion" issue\n (bsc#935224).\n - CVE-2015-4599: The SoapFault::__toString method in ext/soap/soap.c in\n PHP allowed remote attackers to obtain sensitive information, cause a\n denial of service (application crash), or possibly execute arbitrary\n code via an unexpected data type, related to a "type confusion" issue\n (bsc#935226).\n - CVE-2015-4600: The SoapClient implementation in PHP allowed remote\n attackers to cause a denial of service (application crash) or possibly\n execute arbitrary code via an unexpected data type, related to "type\n confusion" issues in the (1) SoapClient::__getLastRequest, (2)\n SoapClient::__getLastResponse, (3) SoapClient::__getLastRequestHeaders,\n (4) SoapClient::__getLastResponseHeaders, (5) SoapClient::__getCookies,\n and (6) SoapClient::__setCookie methods (bsc#935226).\n - CVE-2015-4601: PHP allowed remote attackers to cause a denial of service\n (application crash) or possibly execute arbitrary code via an unexpected\n data type, related to "type confusion" issues in (1)\n ext/soap/php_encoding.c, (2) ext/soap/php_http.c, and (3)\n ext/soap/soap.c, a different issue than CVE-2015-4600 (bsc#935226.\n - CVE-2015-4603: The exception::getTraceAsString function in\n Zend/zend_exceptions.c in PHP allowed remote attackers to execute\n arbitrary code via an unexpected data type, related to a "type\n confusion" issue (bsc#935234).\n - CVE-2015-4644: The php_pgsql_meta_data function in pgsql.c in the\n PostgreSQL (aka pgsql) extension in PHP did not validate token\n extraction for table names, which might allowed remote attackers to\n cause a denial of service (NULL pointer dereference and application\n crash) via a crafted name. NOTE: this vulnerability exists because of an\n incomplete fix for CVE-2015-1352 (bsc#935274).\n - CVE-2015-4643: Integer overflow in the ftp_genlist function in\n ext/ftp/ftp.c in PHP allowed remote FTP servers to execute arbitrary\n code via a long reply to a LIST command, leading to a heap-based buffer\n overflow. NOTE: this vulnerability exists because of an incomplete fix\n for CVE-2015-4022 (bsc#935275).\n - CVE-2015-3411: PHP did not ensure that pathnames lack %00 sequences,\n which might have allowed remote attackers to read or write to arbitrary\n files via crafted input to an application that calls (1) a DOMDocument\n load method, (2) the xmlwriter_open_uri function, (3) the finfo_file\n function, or (4) the hash_hmac_file function, as demonstrated by a\n filename\\0.xml attack that bypasses an intended configuration in which\n client users may read only .xml files (bsc#935227).\n - CVE-2015-3412: PHP did not ensure that pathnames lack %00 sequences,\n which might have allowed remote attackers to read arbitrary files via\n crafted input to an application that calls the\n stream_resolve_include_path function in ext/standard/streamsfuncs.c, as\n demonstrated by a filename\\0.extension attack that bypasses an intended\n configuration in which client users may read files with only one\n specific extension (bsc#935229).\n - CVE-2015-4598: PHP did not ensure that pathnames lack %00 sequences,\n which might have allowed remote attackers to read or write to arbitrary\n files via crafted input to an application that calls (1) a DOMDocument\n save method or (2) the GD imagepsloadfont function, as demonstrated by a\n filename\\0.html attack that bypasses an intended configuration in which\n client users may write to only .html files (bsc#935232).\n - CVE-2015-4148: The do_soap_call function in ext/soap/soap.c in PHP did\n not verify that the uri property is a string, which allowed remote\n attackers to obtain sensitive information by providing crafted\n serialized data with an int data type, related to a "type confusion"\n issue (bsc#933227).\n - CVE-2015-4024: Algorithmic complexity vulnerability in the\n multipart_buffer_headers function in main/rfc1867.c in PHP allowed\n remote attackers to cause a denial of service (CPU consumption) via\n crafted form data that triggers an improper order-of-growth outcome\n (bsc#931421).\n - CVE-2015-4026: The pcntl_exec implementation in PHP truncates a pathname\n upon encountering a \\x00 character, which might allowed remote attackers\n to bypass intended extension restrictions and execute files with\n unexpected names via a crafted first argument. NOTE: this vulnerability\n exists because of an incomplete fix for CVE-2006-7243 (bsc#931776).\n - CVE-2015-4022: Integer overflow in the ftp_genlist function in\n ext/ftp/ftp.c in PHP allowed remote FTP servers to execute arbitrary\n code via a long reply to a LIST command, leading to a heap-based buffer\n overflow (bsc#931772).\n - CVE-2015-4021: The phar_parse_tarfile function in ext/phar/tar.c in PHP\n did not verify that the first character of a filename is different from\n the \\0 character, which allowed remote attackers to cause a denial of\n service (integer underflow and memory corruption) via a crafted entry in\n a tar archive (bsc#931769).\n - CVE-2015-3329: Multiple stack-based buffer overflows in the\n phar_set_inode function in phar_internal.h in PHP allowed remote\n attackers to execute arbitrary code via a crafted length value in a (1)\n tar, (2) phar, or (3) ZIP archive (bsc#928506).\n - CVE-2015-2783: ext/phar/phar.c in PHP allowed remote attackers to obtain\n sensitive information from process memory or cause a denial of service\n (buffer over-read and application crash) via a crafted length value in\n conjunction with crafted serialized data in a phar archive, related to\n the phar_parse_metadata and phar_parse_pharfile functions (bsc#928511).\n - CVE-2015-2787: Use-after-free vulnerability in the process_nested_data\n function in ext/standard/var_unserializer.re in PHP allowed remote\n attackers to execute arbitrary code via a crafted unserialize call that\n leverages use of the unset function within an __wakeup function, a\n related issue to CVE-2015-0231 (bsc#924972).\n - CVE-2014-9709: The GetCode_ function in gd_gif_in.c in GD 2.1.1 and\n earlier, as used in PHP allowed remote attackers to cause a denial of\n service (buffer over-read and application crash) via a crafted GIF image\n that is improperly handled by the gdImageCreateFromGif function\n (bsc#923945).\n - CVE-2015-2301: Use-after-free vulnerability in the phar_rename_archive\n function in phar_object.c in PHP allowed remote attackers to cause a\n denial of service or possibly have unspecified other impact via vectors\n that trigger an attempted renaming of a Phar archive to the name of an\n existing file (bsc#922452).\n - CVE-2015-2305: Integer overflow in the regcomp implementation in the\n Henry Spencer BSD regex library (aka rxspencer) 32-bit platforms might\n have allowed context-dependent attackers to execute arbitrary code via a\n large regular expression that leads to a heap-based buffer overflow\n (bsc#921950).\n - CVE-2014-9705: Heap-based buffer overflow in the\n enchant_broker_request_dict function in ext/enchant/enchant.c in PHP\n allowed remote attackers to execute arbitrary code via vectors that\n trigger creation of multiple dictionaries (bsc#922451).\n - CVE-2015-0273: Multiple use-after-free vulnerabilities in\n ext/date/php_date.c in PHP allowed remote attackers to execute arbitrary\n code via crafted serialized input containing a (1) R or (2) r type\n specifier in (a) DateTimeZone data handled by the\n php_date_timezone_initialize_from_hash function or (b) DateTime data\n handled by the php_date_initialize_from_hash function (bsc#918768).\n - CVE-2014-9652: The mconvert function in softmagic.c in file as used in\n the Fileinfo component in PHP did not properly handle a certain\n string-length field during a copy of a truncated version of a Pascal\n string, which might allowed remote attackers to cause a denial of\n service (out-of-bounds memory access and application crash) via a\n crafted file (bsc#917150).\n - CVE-2014-8142: Use-after-free vulnerability in the process_nested_data\n function in ext/standard/var_unserializer.re in PHP allowed remote\n attackers to execute arbitrary code via a crafted unserialize call that\n leverages improper handling of duplicate keys within the serialized\n properties of an object, a different vulnerability than CVE-2004-1019\n (bsc#910659).\n - CVE-2015-0231: Use-after-free vulnerability in the process_nested_data\n function in ext/standard/var_unserializer.re in PHP allowed remote\n attackers to execute arbitrary code via a crafted unserialize call that\n leverages improper handling of duplicate numerical keys within the\n serialized properties of an object. NOTE: this vulnerability exists\n because of an incomplete fix for CVE-2014-8142 (bsc#910659).\n - CVE-2014-8142: Use-after-free vulnerability in the process_nested_data\n function in ext/standard/var_unserializer.re in PHP allowed remote\n attackers to execute arbitrary code via a crafted unserialize call that\n leverages improper handling of duplicate keys within the serialized\n properties of an object, a different vulnerability than CVE-2004-1019\n (bsc#910659).\n - CVE-2015-0232: The exif_process_unicode function in ext/exif/exif.c in\n PHP allowed remote attackers to execute arbitrary code or cause a denial\n of service (uninitialized pointer free and application crash) via\n crafted EXIF data in a JPEG image (bsc#914690).\n - CVE-2014-3670: The exif_ifd_make_value function in exif.c in the EXIF\n extension in PHP operates on floating-point arrays incorrectly, which\n allowed remote attackers to cause a denial of service (heap memory\n corruption and application crash) or possibly execute arbitrary code via\n a crafted JPEG image with TIFF thumbnail data that is improperly handled\n by the exif_thumbnail function (bsc#902357).\n - CVE-2014-3669: Integer overflow in the object_custom function in\n ext/standard/var_unserializer.c in PHP allowed remote attackers to cause\n a denial of service (application crash) or possibly execute arbitrary\n code via an argument to the unserialize function that triggers\n calculation of a large length value (bsc#902360).\n - CVE-2014-3668: Buffer overflow in the date_from_ISO8601 function in the\n mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in\n PHP allowed remote attackers to cause a denial of service (application\n crash) via (1) a crafted first argument to the xmlrpc_set_type function\n or (2) a crafted argument to the xmlrpc_decode function, related to an\n out-of-bounds read operation (bsc#902368).\n - CVE-2014-5459: The PEAR_REST class in REST.php in PEAR in PHP allowed\n local users to write to arbitrary files via a symlink attack on a (1)\n rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to\n the retrieveCacheFirst and useLocalCache functions (bsc#893849).\n - CVE-2014-3597: Multiple buffer overflows in the php_parserr function in\n ext/standard/dns.c in PHP allowed remote DNS servers to cause a denial\n of service (application crash) or possibly execute arbitrary code via a\n crafted DNS record, related to the dns_get_record function and the\n dn_expand function. NOTE: this issue exists because of an incomplete fix\n for CVE-2014-4049 (bsc#893853).\n - CVE-2014-4670: Use-after-free vulnerability in ext/spl/spl_dllist.c in\n the SPL component in PHP allowed context-dependent attackers to cause a\n denial of service or possibly have unspecified other impact via crafted\n iterator usage within applications in certain web-hosting environments\n (bsc#886059).\n - CVE-2014-4698: Use-after-free vulnerability in ext/spl/spl_array.c in\n the SPL component in PHP allowed context-dependent attackers to cause a\n denial of service or possibly have unspecified other impact via crafted\n ArrayIterator usage within applications in certain web-hosting\n environments (bsc#886060).\n - CVE-2014-4721: The phpinfo implementation in ext/standard/info.c in PHP\n did not ensure use of the string data type for the PHP_AUTH_PW,\n PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might\n allowed context-dependent attackers to obtain sensitive information from\n process memory by using the integer data type with crafted values,\n related to a "type confusion" vulnerability, as demonstrated by reading\n a private SSL key in an Apache HTTP Server web-hosting environment with\n mod_ssl and a PHP 5.3.x mod_php (bsc#885961).\n - CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file as\n used in the Fileinfo component in PHP allowed remote attackers to cause\n a denial of service (assertion failure and application exit) via a\n crafted CDF file (bsc#884986).\n - CVE-2014-3478: Buffer overflow in the mconvert function in softmagic.c\n in file as used in the Fileinfo component in PHP allowed remote\n attackers to cause a denial of service (application crash) via a crafted\n Pascal string in a FILE_PSTRING conversion (bsc#884987).\n - CVE-2014-3479: The cdf_check_stream_offset function in cdf.c in file as\n used in the Fileinfo component in PHP relies on incorrect sector-size\n data, which allowed remote attackers to cause a denial of service\n (application crash) via a crafted stream offset in a CDF file\n (bsc#884989).\n - CVE-2014-3480: The cdf_count_chain function in cdf.c in file as used in\n the Fileinfo component in PHP did not properly validate sector-count\n data, which allowed remote attackers to cause a denial of service\n (application crash) via a crafted CDF file (bsc#884990).\n - CVE-2014-3487: The cdf_read_property_info function in file as used in\n the Fileinfo component in PHP did not properly validate a stream offset,\n which allowed remote attackers to cause a denial of service (application\n crash) via a crafted CDF file (bsc#884991).\n - CVE-2014-3515: The SPL component in PHP incorrectly anticipates that\n certain data structures will have the array data type after\n unserialization, which allowed remote attackers to execute arbitrary\n code via a crafted string that triggers use of a Hashtable destructor,\n related to "type confusion" issues in (1) ArrayObject and (2)\n SPLObjectStorage (bsc#884992).\n\n These non-security issues were fixed:\n - bnc#935074: compare with SQL_NULL_DATA correctly\n - bnc#935074: fix segfault in odbc_fetch_array\n - bnc#919080: fix timezone map\n - bnc#925109: unserialize SoapClient type confusion\n\n", "published": "2016-06-21T13:08:17", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00041.html", "cvelist": ["CVE-2014-9705", "CVE-2015-2787", "CVE-2015-0232", "CVE-2015-4601", "CVE-2014-9767", "CVE-2016-4342", "CVE-2015-2783", "CVE-2015-8873", "CVE-2015-5161", "CVE-2015-3329", "CVE-2014-3478", "CVE-2016-4540", "CVE-2016-4538", "CVE-2015-4644", "CVE-2015-8879", "CVE-2015-1352", "CVE-2016-3185", "CVE-2016-4544", "CVE-2015-2301", "CVE-2014-3515", "CVE-2014-3479", "CVE-2015-8867", "CVE-2014-9709", "CVE-2014-4670", "CVE-2015-2305", "CVE-2016-4543", "CVE-2014-3668", "CVE-2015-0273", "CVE-2016-4542", "CVE-2016-4541", "CVE-2014-3480", "CVE-2014-8142", "CVE-2015-4148", "CVE-2006-7243", "CVE-2014-0207", "CVE-2016-2554", "CVE-2014-3669", "CVE-2015-4024", "CVE-2015-8835", "CVE-2015-4021", "CVE-2014-3487", "CVE-2014-3597", "CVE-2015-6836", "CVE-2015-3152", "CVE-2015-4602", "CVE-2015-4026", "CVE-2015-6833", "CVE-2014-4721", "CVE-2016-4070", "CVE-2014-4698", "CVE-2015-8874", "CVE-2015-3411", "CVE-2015-4116", "CVE-2014-4049", "CVE-2015-6831", "CVE-2014-3670", "CVE-2015-5590", "CVE-2015-4600", "CVE-2015-4022", "CVE-2014-9652", "CVE-2015-3412", "CVE-2016-4539", "CVE-2015-6837", "CVE-2016-5093", "CVE-2016-5094", "CVE-2016-5095", "CVE-2016-4073", "CVE-2015-7803", "CVE-2014-5459", "CVE-2015-4603", "CVE-2015-4599", "CVE-2016-5096", "CVE-2015-4598", "CVE-2015-8866", "CVE-2015-5589", "CVE-2016-3141", "CVE-2015-4643", "CVE-2015-8838", "CVE-2016-4346", "CVE-2015-0231", "CVE-2016-5114", "CVE-2004-1019", "CVE-2016-3142", "CVE-2015-6838", "CVE-2016-4537"], "lastseen": "2016-09-04T12:09:51"}], "gentoo": [{"id": "GLSA-200412-14", "type": "gentoo", "title": "PHP: Multiple vulnerabilities", "description": "### Background\n\nPHP is a general-purpose scripting language widely used to develop web-based applications. It can run inside a web server using the mod_php module or the CGI version of PHP, or can run stand-alone in a CLI. \n\n### Description\n\nStefan Esser and Marcus Boerger reported several different issues in the unserialize() function, including serious exploitable bugs in the way it handles negative references (CAN-2004-1019). \n\nStefan Esser also discovered that the pack() and unpack() functions are subject to integer overflows that can lead to a heap buffer overflow and a heap information leak. Finally, he found that the way multithreaded PHP handles safe_mode_exec_dir restrictions can be bypassed, and that various path truncation issues also allow to bypass path and safe_mode restrictions. \n\nIlia Alshanetsky found a stack overflow issue in the exif_read_data() function (CAN-2004-1065). Finally, Daniel Fabian found that addslashes and magic_quotes_gpc do not properly escape null characters and that magic_quotes_gpc contains a bug that could lead to one level directory traversal. \n\n### Impact\n\nThese issues could be exploited by a remote attacker to retrieve web server heap information, bypass safe_mode or path restrictions and potentially execute arbitrary code with the rights of the web server running a PHP application. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll PHP users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-php/php-4.3.10\"\n\nAll mod_php users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-php/mod_php-4.3.10\"\n\nAll php-cgi users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-php/php-cgi-4.3.10\"", "published": "2004-12-19T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/200412-14", "cvelist": ["CVE-2004-1065", "CVE-2004-1020", "CVE-2004-1063", "CVE-2004-1019", "CVE-2004-1064"], "lastseen": "2016-09-06T19:46:04"}], "centos": [{"id": "CESA-2005:838-01", "type": "centos", "title": "php security update", "description": "**CentOS Errata and Security Advisory** CESA-2005:838-01\n\n\nPHP is an HTML-embedded scripting language commonly used with the Apache\r\nHTTP Web server.\r\n\r\nA flaw was found in the way PHP registers global variables during a file\r\nupload request. A remote attacker could submit a carefully crafted\r\nmultipart/form-data POST request that would overwrite the $GLOBALS array,\r\naltering expected script behavior, and possibly leading to the execution of\r\narbitrary PHP commands. Note that this vulnerability only affects\r\ninstallations which have register_globals enabled in the PHP configuration\r\nfile, which is not a default or recommended option. The Common\r\nVulnerabilities and Exposures project assigned the name CVE-2005-3390 to\r\nthis issue.\r\n\r\nA flaw was found in the PHP parse_str() function. If a PHP script passes\r\nonly one argument to the parse_str() function, and the script can be forced\r\nto abort execution during operation (for example due to the memory_limit\r\nsetting), the register_globals may be enabled even if it is disabled in the\r\nPHP configuration file. This vulnerability only affects installations that\r\nhave PHP scripts using the parse_str function in this way. (CVE-2005-3389)\r\n\r\nA Cross-Site Scripting flaw was found in the phpinfo() function. If a\r\nvictim can be tricked into following a malicious URL to a site with a page\r\ndisplaying the phpinfo() output, it may be possible to inject javascript\r\nor HTML content into the displayed page or steal data such as cookies. \r\nThis vulnerability only affects installations which allow users to view the\r\noutput of the phpinfo() function. As the phpinfo() function outputs a\r\nlarge amount of information about the current state of PHP, it should only\r\nbe used during debugging or if protected by authentication. (CVE-2005-3388)\r\n\r\nAdditionally, a bug introduced in the updates to fix CVE-2004-1019 has been\r\ncorrected.\r\n\r\nUsers of PHP should upgrade to these updated packages, which contain\r\nbackported patches that resolve these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012392.html\n\n**Affected packages:**\nphp\nphp-devel\nphp-imap\nphp-ldap\nphp-manual\nphp-mysql\nphp-odbc\nphp-pgsql\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/rh21as-errata.html", "published": "2005-11-10T23:45:48", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2005-November/012392.html", "cvelist": ["CVE-2005-3388", "CVE-2005-3389", "CVE-2005-3390", "CVE-2004-1019"], "lastseen": "2018-01-25T07:01:57"}]}}
