654 matches found
CVE-2019-11044
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access...
php:7.2 security update
php 7.2.11-4 - fix underflow in env_path_info in fpm_main.c CVE-2019-11043...
CVE-2010-4657
CVE-2010-4657 affects PHP5 prior to 5.4.4. The flaw allows passing invalid UTF-8 strings to xmlTextWriterWriteAttribute, which are misparsed by libxml2, causing a memory leak in the produced output. The vulnerability is triggered through the attribute-writing path and is not described as exploita...
MGASA-2019-0307 Updated php and pcre2 packages fix security vulnerabilities
Updated php and pcre2 packages fix security vulnerabilities: - FPM 78599 env_path_info underflow in fpm_main.c can lead to RCE. CVE-2019-11043 - MBString 78633 Heap buffer overflow read in mb_eregi. - Mysqlnd 78525 Memory leak in pdo when reusing native prepared statements. - PCRE 78272 calling...
CVE-2017-9118
PHP 7.1.5 has an out-of-bounds access in php_pcre_replace_impl via a crafted preg_replace call...
PHP 7.1 < 7.3 - 'json serializer' disable_functions Bypass
= 8; public function str2ptr&$str, $p = 0, $s = 8 $address = 0; for$j = $s-1; $j = 0; $j-- $address = 8; return $out; unable to leak ro segments public function leak1$addr global $spl1; $this-write$this-abc, 8, $addr - 0x10; return strlengetclass$spl1; the real deal public function leak2$addr, $p...
Medium: php71, php72, php73
Issue Overview: Function iconv_mime_decode_headers in PHP may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash. (CVE-2019-11039) When using gdImageCreateFromXbm function of PHP gd extension, it is possible to supply data that...
CVE-2017-7189
Removed by vendor...
Cross-Site Scripting (XSS)
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The php54 packages provide a recent stable release of PHP with the PEAR 1.9.4, APC 3.1.15, and memcache 3.0.8 PECL extensions, and a number of additional utilities. The php54 packages have been upgraded to...
SUSE-SU-2019:14013-1 Security update for php53
This update for php53 fixes the following issues: Security issues fixed: - CVE-2019-9637: Fixed improper implementation of rename function and multiple invalid memory access in EXIF extension (bsc#1128892). - CVE-2019-9675: Fixed improper implementation of rename function and multiple invalid memory...
EUVD-2019-19007
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the maker_note->offset relationship to value_len...
DSA-4403-1 php7.0 - security update
Bulletin has no description...
Fedora 28 : php-erusev-parsedown (2019-009fdcfb60)
1.7.1 - #475: 'Loose' lists will now contain paragraphs in all items, not just some. - #433: Links will no longer be double nested - #525: The info-string when beginning a code block may now contain non-word characters e.g. c++ - #561: The mbstring extension which we already depend on has been...
CVE-2019-9022
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects phpparser...
CVE-2019-9023
Removed by vendor...
DSA-4353-1 php7.0 - security update
Bulletin has no description...
SUSE-SU-2018:2681-1 Security update for php53
This update for php53 fixes the following issues: The following security issues were fixed: - CVE-2018-14851: Fixed an out-of-bound read in exif_process_IFD_in_MAKERNOTE, which could be exploited by an attacker via crafted JPG files, and could result in an application crash (bsc#1103659). -...
PHP Xdebug Module Unauthenticated RCE (exploit)
Binary data xdebugunauthrce.nbin...
PHP 7.3.0 [alpha|beta] < 7.3.0 Multiple vulnerabilities
According to its banner, the version of PHP running on the remote web server is 7.3.0 alpha|beta prior to 7.3.0. It is, therefore, affected by multiple vulnerabilities: - An arbitrary command injection vulnerability exists in the imap_open function due to improper filters for mailbox names prior t...
Amazon Linux AMI : php56 / php70,php71 (ALAS-2018-1019)
NULL pointer dereference due to mishandling of ldap_get_dn return value allows denial-of-service by malicious LDAP server or man-in-the-middle attacker. An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP...