Security update for php5 (important)

ID SUSE-SU-2015:1253-2
Type suse
Reporter Suse
Modified 2015-07-17T11:08:12


This security update of PHP fixes the following issues:

Security issues fixed:

  • CVE-2015-4024 [bnc#931421]: Fixed multipart/form-data remote DOS Vulnerability.
  • CVE-2015-4026 [bnc#931776]: pcntl_exec() did not check path validity.
  • CVE-2015-4022 [bnc#931772]: Fixed and overflow in ftp_genlist() that resulted in a heap overflow.
  • CVE-2015-4021 [bnc#931769]: Fixed memory corruption in phar_parse_tarfile when entry filename starts with NULL.
  • CVE-2015-4148 [bnc#933227]: Fixed SoapClient's do_soap_call() type confusion after unserialize() information disclosure.
  • CVE-2015-4602 [bnc#935224]: Fixed an incomplete Class unserialization type confusion.
  • CVE-2015-4599, CVE-2015-4600, CVE-2015-4601 [bnc#935226]: Fixed type confusion issues in unserialize() with various SOAP methods.
  • CVE-2015-4603 [bnc#935234]: Fixed exception::getTraceAsString type confusion issue after unserialize.
  • CVE-2015-4644 [bnc#935274]: Fixed a crash in php_pgsql_meta_data.
  • CVE-2015-4643 [bnc#935275]: Fixed an integer overflow in ftp_genlist() that could result in a heap overflow.
  • CVE-2015-3411, CVE-2015-3412, CVE-2015-4598 [bnc#935227], [bnc#935232]: Added missing null byte checks for paths in various PHP extensions.

Bugs fixed:

  • configure php-fpm with --localstatedir=/var [bnc#927147]
  • fix timezone map [bnc#919080]