[ubuntu/precise-security] php5 5.3.10-1ubuntu3.26 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Tue Feb 14 18:32:36 UTC 2017


php5 (5.3.10-1ubuntu3.26) precise-security; urgency=medium

  * SECURITY UPDATE: overflow in locale_get_display_name
    - debian/patches/CVE-2014-9912.patch: check locale name length in
      ext/intl/locale/locale_methods.c, added test to
      ext/intl/tests/bug67397.phpt.
    - CVE-2014-9912
  * SECURITY UPDATE: infinite loop via crafted serialized data
    - debian/patches/CVE-2016-7478-pre.patch: don't unset the default value
      in Zend/zend_exceptions.c, fix tests in
      ext/standard/tests/serialize/bug69152.phpt,
      ext/standard/tests/serialize/bug69793.phpt.
    - debian/patches/CVE-2016-7478-pre2.patch: fix test in
      ext/standard/tests/serialize/bug69793.phpt.
    - debian/patches/CVE-2016-7478-pre3.patch: add zend_unset_property() to
      Zend/zend_API.*.
    - debian/patches/CVE-2016-7478.patch: fix memcpy in
      Zend/zend_exceptions.c, ext/bcmath/libbcmath/src/init.c,
      ext/bcmath/libbcmath/src/outofmem.c.
    - CVE-2016-7478
  * SECURITY UPDATE: arbitrary code execution via crafted serialized data
    - debian/patches/CVE-2016-7479-pre.patch: fix null pointer dereference
      in ext/standard/var_unserializer.*, added test to
      standard/tests/serialize/bug68545.phpt.
    - debian/patches/CVE-2016-7479.patch: implement delayed __wakeup in
      ext/standard/var_unserializer.*.
    - CVE-2016-7479
  * SECURITY UPDATE: denial of service via crafted wddxPacket XML document
    - debian/patches/CVE-2016-9934.patch: check objects in ext/wddx/wddx.c,
      ext/pdo/pdo_stmt.c, ext/wddx/tests/bug45901.phpt,
      ext/wddx/tests/bug72790.phpt, ext/wddx/tests/bug73331.phpt.
    - CVE-2016-9934
  * SECURITY UPDATE: denial of service via crafted wddxPacket XML document
    - debian/patches/CVE-2016-9935-1.patch: fix memory leak in
      ext/wddx/wddx.c.
    - debian/patches/CVE-2016-9935-2.patch: fix leak in ext/wddx/wddx.c.
    - debian/patches/CVE-2016-9935-3.patch: fix leak in ext/wddx/wddx.c.
    - CVE-2016-9935
  * SECURITY UPDATE: exif DoS via FPE
    - debian/patches/CVE-2016-10158.patch: fix integer size issue in
      ext/exif/exif.c.
    - CVE-2016-10158
  * SECURITY UPDATE: integer overflow in phar_parse_pharfile
    - debian/patches/CVE-2016-10159.patch: fix overflows in
      ext/phar/phar.c.
    - CVE-2016-10159
  * SECURITY UPDATE: off-by-one in phar_parse_pharfile
    - debian/patches/CVE-2016-10160.patch: handle length in
      ext/phar/phar.c.
    - CVE-2016-10160
  * SECURITY UPDATE: denial of service via crafted serialized data
    - debian/patches/CVE-2016-10161.patch: fix out-of-bounds read in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/serialize/bug73825.phpt.
    - CVE-2016-10161
  * debian/control: Build-Depends on mysql-server-5.5 to work with
    recent MySQL security updates.

Date: 2017-02-13 20:16:13.936122+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.26