Debian 7 Wheezy DLA-1034-1 Critical: PHP5 Multiple Issues Identified
debian lts
July 21, 2017
Several issues have been discovered in PHP (recursive acronym for PHP: Hypertext Preprocessor), a widely-used open source general-purpose scripting language that is especially suit...
Topics Covered
Summary
CVE-2016-10397
Incorrect handling of various URI components in the URL parser could
be used by attackers to bypass hostname-specific URL checks.
CVE-2017-11143
An invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to
crash the PHP interpreter.
CVE-2017-11144
The openssl extension PEM sealing code did not check the return value
of the OpenSSL sealing function, which could lead to a crash of the
PHP interpreter.
CVE-2017-11145
Lack of a bounds check in the date extension's timelib_meridian
parsing code could be used by attackers able to supply date strings to
leak information from the interpreter.
CVE-2017-11147
The PHAR archive handler could be used by attackers supplying
malicious archive files to crash the PHP interpreter or potentially
disclose information due to a buffer over-read in the
phar_parse_pharfile function in ext/phar/phar.c.
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: php5
Version: 5.4.45-0+deb7u9
CVE ID: CVE-2016-10397 CVE-2017-11143 CVE-2017-11144
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!