[ubuntu/xenial-security] php7.0 7.0.8-0ubuntu0.16.04.3 (Accepted)
Marc Deslauriers
marc.deslauriers at canonical.com
Tue Oct 4 16:55:24 UTC 2016
php7.0 (7.0.8-0ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY UPDATE: denial of service or code execution via crafted
    serialized data
    - debian/patches/CVE-2016-7124.patch: fix unserializing logic in
      ext/session/session.c, ext/standard/var_unserializer.c*,
      ext/wddx/wddx.c, added tests to
      ext/standard/tests/serialize/bug72663.phpt,
      ext/standard/tests/serialize/bug72663_2.phpt,
      ext/standard/tests/serialize/bug72663_3.phpt.
    - CVE-2016-7124
  * SECURITY UPDATE: arbitrary-type session data injection
    - debian/patches/CVE-2016-7125.patch: consume data even if not storing
      in ext/session/session.c, added test to
      ext/session/tests/bug72681.phpt.
    - CVE-2016-7125
  * SECURITY UPDATE: denial of service and possible code execution in
    imagegammacorrect function
    - debian/patches/CVE-2016-7127.patch: check gamma values in
      ext/gd/gd.c, added test to ext/gd/tests/bug72730.phpt.
    - CVE-2016-7127
  * SECURITY UPDATE: information disclosure via exif_process_IFD_in_TIFF
    - debian/patches/CVE-2016-7128.patch: properly handle thumbnails in
      ext/exif/exif.c.
    - CVE-2016-7128
  * SECURITY UPDATE: denial of service and possible code execution via
    invalid ISO 8601 time value
    - debian/patches/CVE-2016-7129.patch: properly handle strings in
      ext/wddx/wddx.c, added test to ext/wddx/tests/bug72749.phpt.
    - CVE-2016-7129
  * SECURITY UPDATE: denial of service and possible code execution via
    invalid base64 binary value
    - debian/patches/CVE-2016-7130.patch: properly handle string in
      ext/wddx/wddx.c, added test to ext/wddx/tests/bug72750.phpt.
    - CVE-2016-7130
  * SECURITY UPDATE: denial of service and possible code execution via
    malformed wddxPacket XML document
    - debian/patches/CVE-2016-7131.patch: added checks to ext/wddx/wddx.c,
      added tests to ext/wddx/tests/bug72790.phpt,
      ext/wddx/tests/bug72799.phpt.
    - CVE-2016-7131
    - CVE-2016-7132
  * SECURITY UPDATE: denial of service and possible code execution via
    long pathname
    - debian/patches/CVE-2016-7133.patch: fix memory allocator in
      Zend/zend_alloc.c.
    - CVE-2016-7133
  * SECURITY UPDATE: denial of service and possible code execution via
    long string and curl_escape call
    - debian/patches/CVE-2016-7134.patch: check both curl_escape and
      curl_unescape in ext/curl/interface.c.
    - CVE-2016-7134
  * SECURITY UPDATE: denial of service and possible code execution via
    crafted field metadata in MySQL driver
    - debian/patches/CVE-2016-7412.patch: validate field length in
      ext/mysqlnd/mysqlnd_wireprotocol.c.
    - CVE-2016-7412
  * SECURITY UPDATE: denial of service and possible code execution via
    malformed wddxPacket XML document
    - debian/patches/CVE-2016-7413.patch: fixed use-after-free in
      ext/wddx/wddx.c, added test to ext/wddx/tests/bug72860.phpt.
    - CVE-2016-7413
  * SECURITY UPDATE: denial of service and possible code execution via
    crafted PHAR archive
    - debian/patches/CVE-2016-7414.patch: validate signatures in
      ext/phar/util.c, ext/phar/zip.c.
    - CVE-2016-7414
  * SECURITY UPDATE: denial of service and possible code execution via
    MessageFormatter::formatMessage call with a long first argument
    - debian/patches/CVE-2016-7416.patch: added locale length check to
      ext/intl/msgformat/msgformat_format.c.
    - CVE-2016-7416
  * SECURITY UPDATE: denial of service or code execution via crafted
    serialized data
    - debian/patches/CVE-2016-7417.patch: added type check to
      ext/spl/spl_array.c, added test to ext/spl/tests/bug73029.phpt, fix
      test in ext/spl/tests/bug70068.phpt.
    - CVE-2016-7417
  * SECURITY UPDATE: denial of service and possible code execution via
    malformed wddxPacket XML document
    - debian/patches/CVE-2016-7418.patch: fix out-of-bounds read in
      ext/wddx/wddx.c, added test to ext/wddx/tests/bug73065.phpt.
    - CVE-2016-7418

Date: 2016-10-03 19:49:18.283675+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/php7.0/7.0.8-0ubuntu0.16.04.3