SUSE-SU-2017:0534-1 Security update for php7

This update for php7 fixes the following security issues: - CVE-2016-7480: The SplObjectStorage unserialize implementation in ext/spl/splobserver.c in PHP did not verify that a key is an object, which allowed remote attackers to execute arbitrary code or cause a denial of service uninitialized...

CVE-2016-10161

The objectcommon1 function in ext/standard/varunserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service buffer over-read and application crash via crafted serialized data that is mishandled in a finishnesteddata call...

Medium: php70

Issue Overview: The SplObjectStorage unserialize implementation in ext/spl/splobserver.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service uninitialized memory access via crafted serialized data...

CVE-2016-10161

The objectcommon1 function in ext/standard/varunserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service buffer over-read and application crash via crafted serialized data that is mishandled in a finishnesteddata call...

Design/Logic Flaw

The objectcommon1 function in ext/standard/varunserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service buffer over-read and application crash via crafted serialized data that is mishandled in a finishnesteddata call...

CVE-2016-10161

Removed by vendor...

UBUNTU-CVE-2016-10161

The objectcommon1 function in ext/standard/varunserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service buffer over-read and application crash via crafted serialized data that is mishandled in a finishnesteddata call...

CVE-2016-4010

Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data...

CVE-2016-4010

Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data...

Design/Logic Flaw

Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data...

CVE-2016-4010

Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data...

Design/Logic Flaw

includes/classes/ia.core.users.php in Subrion CMS 4.0.5 allows remote attackers to conduct PHP Object Injection attacks via crafted serialized data in a salt cookie in a login request...

PHP Zend/zend_hash.c Remote Code Execution Vulnerability

PHP is an open source general-purpose computer scripting language maintained by the PHP Group and the open source community. A security vulnerability exists in PHP's Zend/zendhash.c file. Because the program fails to properly allocate large arrays, it allows a remote attacker to exploit the...

CVE-2017-5340

Zend/zendhash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service integer overflow, uninitialized memory access, and use of arbitrary destructor function...

CVE-2016-7480

The SplObjectStorage unserialize implementation in ext/spl/splobserver.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service uninitialized memory access via crafted serialized data...

UBUNTU-CVE-2016-7480

The SplObjectStorage unserialize implementation in ext/spl/splobserver.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service uninitialized memory access via crafted serialized data...

CVE-2016-7480

The SplObjectStorage unserialize implementation in ext/spl/splobserver.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service uninitialized memory access via crafted serialized data...

CVE-2016-7480

The SplObjectStorage unserialize implementation in ext/spl/splobserver.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service uninitialized memory access via crafted serialized data...

CVE-2017-5340

Zend/zendhash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service integer overflow, uninitialized memory access, and use of arbitrary destructor function...

Design/Logic Flaw

Zend/zendexceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service infinite loop via a crafted Exception object in serialized data, a related issue to CVE-2015-8876...