[ubuntu/precise-updates] php5 5.3.10-1ubuntu3.25 (Accepted)
Ubuntu Archive Robot
cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Tue Oct 4 17:58:23 UTC 2016
php5 (5.3.10-1ubuntu3.25) precise-security; urgency=medium
* SECURITY UPDATE: denial of service or code execution via crafted
serialized data
- debian/patches/CVE-2016-7124-1.patch: destroy broken object when
unserializing in ext/standard/var_unserializer.c*.
- debian/patches/CVE-2016-7124-2.patch: improve fix in
ext/standard/var_unserializer.c*, added test to
ext/standard/tests/strings/bug72663_3.phpt.
- CVE-2016-7124
* SECURITY UPDATE: arbitrary-type session data injection
- debian/patches/CVE-2016-7125.patch: consume data even if not storing
in ext/session/session.c, added test to
ext/session/tests/bug72681.phpt.
- debian/patches/CVE-2016-7125-2.patch: remove unused label in
ext/session/session.c.
- CVE-2016-7125
* SECURITY UPDATE: denial of service and possible code execution in
imagegammacorrect function
- debian/patches/CVE-2016-7127.patch: check gamma values in
ext/gd/gd.c, added test to ext/gd/tests/bug72730.phpt.
- CVE-2016-7127
* SECURITY UPDATE: information disclosure via exif_process_IFD_in_TIFF
- debian/patches/CVE-2016-7128.patch: properly handle thumbnails in
ext/exif/exif.c.
- CVE-2016-7128
* SECURITY UPDATE: denial of service and possible code execution via
invalid ISO 8601 time value
- debian/patches/CVE-2016-7129.patch: properly handle strings in
ext/wddx/wddx.c, added test to ext/wddx/tests/bug72749.phpt.
- CVE-2016-7129
* SECURITY UPDATE: denial of service and possible code execution via
invalid base64 binary value
- debian/patches/CVE-2016-7130.patch: properly handle string in
ext/wddx/wddx.c, added test to ext/wddx/tests/bug72750.phpt.
- CVE-2016-7130
* SECURITY UPDATE: denial of service and possible code execution via
malformed wddxPacket XML document
- debian/patches/CVE-2016-7131.patch: added check to ext/wddx/wddx.c,
added tests to ext/wddx/tests/bug72790.phpt,
ext/wddx/tests/bug72799.phpt.
- CVE-2016-7131
- CVE-2016-7132
* SECURITY UPDATE: denial of service and possible code execution via
partially constructed object
- debian/patches/CVE-2016-7411.patch: properly handle partial object in
ext/standard/var_unserializer.*, added test to
ext/standard/tests/serialize/bug73052.phpt.
- CVE-2016-7411
* SECURITY UPDATE: denial of service and possible code execution via
crafted field metadata in MySQL driver
- debian/patches/CVE-2016-7412.patch: validate field length in
ext/mysqlnd/mysqlnd_wireprotocol.c.
- CVE-2016-7412
* SECURITY UPDATE: denial of service and possible code execution via
malformed wddxPacket XML document
- debian/patches/CVE-2016-7413.patch: fixed use-after-free in
ext/wddx/wddx.c, added test to ext/wddx/tests/bug72860.phpt.
- CVE-2016-7413
* SECURITY UPDATE: denial of service and possible code execution via
crafted PHAR archive
- debian/patches/CVE-2016-7414.patch: validate signatures in
ext/phar/util.c, ext/phar/zip.c.
- CVE-2016-7414
* SECURITY UPDATE: denial of service and possible code execution via
MessageFormatter::formatMessage call with a long first argument
- debian/patches/CVE-2016-7416.patch: added locale length check to
ext/intl/msgformat/msgformat_format.c.
- CVE-2016-7416
* SECURITY UPDATE: denial of service or code execution via crafted
serialized data
- debian/patches/CVE-2016-7417.patch: added type check to
ext/spl/spl_array.c.
- CVE-2016-7417
* SECURITY UPDATE: denial of service and possible code execution via
malformed wddxPacket XML document
- debian/patches/CVE-2016-7418.patch: fix out-of-bounds read in
ext/wddx/wddx.c, added test to ext/wddx/tests/bug73065.phpt.
- CVE-2016-7418
Date: 2016-10-03 16:30:21.969250+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.25
-------------- next part --------------
Sorry, changesfile not available.
More information about the Precise-changes
mailing list