[ubuntu/trusty-security] php5 5.5.9+dfsg-1ubuntu4.21 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Tue Feb 14 18:32:41 UTC 2017


php5 (5.5.9+dfsg-1ubuntu4.21) trusty-security; urgency=medium

  * SECURITY UPDATE: overflow in locale_get_display_name
    - debian/patches/CVE-2014-9912.patch: check locale name length in
      ext/intl/locale/locale_methods.c, added test to
      ext/intl/tests/bug67397.phpt.
    - debian/patches/CVE-2014-9912-2.patch: fix test in
      ext/intl/tests/bug62082.phpt.
    - CVE-2014-9912
  * SECURITY UPDATE: infinite loop via crafted serialized data
    - debian/patches/CVE-2016-7478-pre.patch: don't unset the default value
      in Zend/zend_exceptions.c, fix tests in
      ext/standard/tests/serialize/bug69152.phpt,
      ext/standard/tests/serialize/bug69793.phpt.
    - debian/patches/CVE-2016-7478-pre2.patch: fix test in
      ext/standard/tests/serialize/bug69793.phpt.
    - debian/patches/CVE-2016-7478.patch: fix memcpy in
      Zend/zend_exceptions.c, ext/bcmath/libbcmath/src/init.c,
      ext/bcmath/libbcmath/src/outofmem.c.
    - CVE-2016-7478
  * SECURITY UPDATE: arbitrary code execution via crafted serialized data
    - debian/patches/CVE-2016-7479-pre.patch: fix null pointer dereference
      in ext/standard/var_unserializer.*, added test to
      standard/tests/serialize/bug68545.phpt.
    - debian/patches/CVE-2016-7479.patch: implement delayed __wakeup in
      ext/standard/var_unserializer.*.
    - CVE-2016-7479
  * SECURITY UPDATE: denial of service via crafted serialized data
    - debian/patches/CVE-2016-9137.patch: fix use-after-free in
      Zend/zend_API.*, ext/curl/curl_file.c, added test to
      ext/curl/tests/bug73147.phpt.
    - CVE-2016-9137
  * SECURITY UPDATE: denial of service via crafted wddxPacket XML document
    - debian/patches/CVE-2016-9934.patch: check objects in ext/wddx/wddx.c,
      ext/pdo/pdo_stmt.c, ext/wddx/tests/bug45901.phpt,
      ext/wddx/tests/bug72790.phpt, ext/wddx/tests/bug73331.phpt.
    - CVE-2016-9934
  * SECURITY UPDATE: denial of service via crafted wddxPacket XML document
    - debian/patches/CVE-2016-9935-1.patch: fix memory leak in
      ext/wddx/wddx.c.
    - debian/patches/CVE-2016-9935-2.patch: fix leak in ext/wddx/wddx.c.
    - debian/patches/CVE-2016-9935-3.patch: fix leak in ext/wddx/wddx.c.
    - CVE-2016-9935
  * SECURITY UPDATE: exif DoS via FPE
    - debian/patches/CVE-2016-10158.patch: fix integer size issue in
      ext/exif/exif.c.
    - CVE-2016-10158
  * SECURITY UPDATE: integer overflow in phar_parse_pharfile
    - debian/patches/CVE-2016-10159.patch: fix overflows in
      ext/phar/phar.c.
    - CVE-2016-10159
  * SECURITY UPDATE: off-by-one in phar_parse_pharfile
    - debian/patches/CVE-2016-10160.patch: handle length in
      ext/phar/phar.c.
    - CVE-2016-10160
  * SECURITY UPDATE: denial of service via crafted serialized data
    - debian/patches/CVE-2016-10161.patch: fix out-of-bounds read in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/serialize/bug73825.phpt.
    - CVE-2016-10161

Date: 2017-02-09 20:26:13.614741+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.21
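A practitioner reading this announcement mostly wants one answer: does a given Trusty host already carry 5.5.9+dfsg-1ubuntu4.21 or later? The snippet below is an added example written for this page, not code from the announcement, from Ubuntu or from the php5 package. It implements Debian version ordering (epoch, then upstream, then revision, with the dpkg rules that "~" sorts before everything and digit runs compare numerically) so that "4.9" is correctly seen as older than "4.21", and runs it over constructed dpkg-query style lines. It assumes the binary packages built from the php5 source (php5, php5-cli, php5-intl, ...) share the source version, and that input is in the form produced by dpkg-query -W -f='${Package} ${Version} ${Status}\n'.

```python
import re
import sys

# Version that carries the fixes listed in this announcement.
FIXED_VERSION = "5.5.9+dfsg-1ubuntu4.21"

# Constructed sample in the shape of:
#   dpkg-query -W -f='${Package} ${Version} ${Status}\n' 'php5*'
# (not real output from any host; php5 here is one point release behind).
SAMPLE_DPKG_OUTPUT = """\
php5 5.5.9+dfsg-1ubuntu4.20 install ok installed
php5-cli 5.5.9+dfsg-1ubuntu4.21 install ok installed
php5-intl 5.5.9+dfsg-1ubuntu4.21 install ok installed
php5-dev 5.5.9+dfsg-1ubuntu4.17 deinstall ok config-files
"""


def _split(version):
    """Split '[epoch:]upstream[-revision]' per Debian policy."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _order(c):
    """dpkg ordering of a non-digit character: '~' < end-of-string <
    letters < everything else."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare two upstream or revision strings: alternate non-digit runs
    (character by character, using _order) and digit runs (numerically)."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group()
        nb = re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        while na or nb:
            oa, ob = _order(na[:1]), _order(nb[:1])
            if oa != ob:
                return -1 if oa < ob else 1
            na, nb = na[1:], nb[1:]
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions` (assumed equivalent)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_fragment(ua, ub)
    if c:
        return c
    return _cmp_fragment(ra, rb)


def unpatched_packages(dpkg_output, fixed=FIXED_VERSION):
    """Names of *installed* php5 binary packages whose version is older
    than `fixed`. Packages that are removed/config-files only are ignored."""
    found = []
    for line in dpkg_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        name, version, status = parts
        if status.strip() != "install ok installed":
            continue
        if name == "php5" or name.startswith("php5-"):
            if compare_versions(version, fixed) < 0:
                found.append(name)
    return found


if __name__ == "__main__":
    # Pipe real dpkg-query output in, or run without input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DPKG_OUTPUT
    for pkg in unpatched_packages(text):
        print("NOT FIXED:", pkg)
```

Usage on a Trusty host: dpkg-query -W -f='${Package} ${Version} ${Status}\n' 'php5*' | python3 check_php5.py. A plain string comparison would wrongly rank 4.9 above 4.21 and treat a "~ppa1" build as newer than the release it precedes; the fragment comparison above handles both the way dpkg does.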

