Use-After-Free

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Multiple flaws were discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2015-6831, CVE-2015-6832, CVE-2015-6834, CVE-2015-6835, CVE-2015-6836) Multiple flaws were found in the way the way PHP’s Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened. (CVE-2015-5589, CVE-2015-5590, CVE-2015-6833, CVE-2015-7803, CVE-2015-7804) Two NULL pointer dereference flaws were found in the XSLTProcessor class in PHP. An attacker could use these flaws to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed the use of PHP functions to be used as XSLT functions within XSL stylesheets. (CVE-2015-6837, CVE-2015-6838) All rh-php56-php users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd24-httpd service must be restarted for the update to take effect.