From ${URL} :
Description
Two vulnerabilities have been reported in PHP, which can be exploited by malicious, local users to gain escalated privileges.
1) A use-after-free error related to SPL iterators can be exploited to corrupt memory.
2) A use-after-free error related to ArrayIterators can be exploited to corrupt memory.
Successful exploitation may allow execution of arbitrary code with e.g. web server's privileges by executing a specially crafted PHP script within Apache HTTP server context.
The vulnerabilities are reported in version 5.5.14. Other versions may also be affected.
Solution: Fixed in the source code repository.
Provided and/or discovered by: insighti within bug entries.
Original Advisory:
https://bugs.php.net/bug.php?id=67538
https://bugs.php.net/bug.php?id=67539
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2014-4670 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4670): Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments.
Bump committed and can be stabilised.
Thanks, Arches please stabilize =dev-lang/php-5.5.15
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
Stable on alpha.
amd64 stable
x86 stable
arm stable
ia64/sparc stable
ppc stable
ppc64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Added to existing GLSA draft
@maintainers: Thanks for cleanup
This issue was resolved and addressed in GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml by GLSA coordinator Kristian Fiskerstrand (K_F).