Fixed bug #68677 (Use After Free). (CVE-2015-1351)
Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (CVE-2015-2783)
Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352)
+5.4 only (already fixed in 5.5, 5.6):
Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (CVE-2014-9709)
The ThinkServer System Manager (TSM) Baseboard Management Controller before
firmware 1.27.73476 for ThinkServer RD350, RD450, RD550, RD650, and TD350
does not validate server certificates during an "encrypted remote KVM
session," which allows man-in-the-middle attackers to spoof servers.
Use-after-free vulnerability in the phar_rename_archive function in
phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6 allows remote
attackers to cause a denial of service or possibly have unspecified other
impact via vectors that trigger an attempted renaming of a Phar archive to
the name of an existing file.
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql)
extension in PHP through 5.6.7 does not validate token extraction for table
names, which allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted name.
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP
before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a
denial of service (buffer over-read and application crash) via a crafted GIF
image that is improperly handled by the gdImageCreateFromGif function.
NOT CVE-2015-3324 (Removing)
Use-after-free vulnerability in the _zend_shared_memdup function in
zend_shared_alloc.c in the OPcache extension in PHP through 5.6.7 allows
remote attackers to cause a denial of service or possibly have unspecified
other impact via unknown vectors.
Ebuilds in the tree. Feel free to stabilise.
Arches, please test and mark stable:
Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Stable for HPPA PPC64.
We just hit a bug with these new versions:
It's already fixed in master:
. Fixed bug #69402 (Reading empty SSL stream hangs until timeout).
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Arches and Maintainer(s), Thank you for your work.
Added to an existing GLSA Request.
ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before
5.6.8 allows remote attackers to obtain sensitive information from process
memory or cause a denial of service (buffer over-read and application crash)
via a crafted length value in conjunction with crafted serialized data in a
phar archive, related to the phar_parse_metadata and phar_parse_pharfile
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2)
php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which
makes it easier for local users to conduct WSDL injection attacks by
creating a file under /tmp with a predictable filename that is used by the
get_sdl function in ext/soap/php_sdl.c.
The php_handler function in sapi/apache2handler/sapi_apache2.c in PHP before
5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, when the Apache HTTP
Server 2.4.x is used, allows remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via pipelined HTTP
requests that result in a "deconfigured interpreter."
Multiple stack-based buffer overflows in the phar_set_inode function in
phar_internal.h in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before
5.6.8 allow remote attackers to execute arbitrary code via a crafted length
value in a (1) tar, (2) phar, or (3) ZIP archive.
This issue was resolved and addressed in
GLSA 201606-10 at https://security.gentoo.org/glsa/201606-10
by GLSA coordinator Kristian Fiskerstrand (K_F).
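
The soap.wsdl_cache_dir issue quoted above (a default of /tmp, where any local user can create files) can be checked on a host with a short audit. This is an added example, not part of the original bug thread or of PHP; the function names and the fallback values used when a directive is unset are assumptions.

```python
import os
import stat

# Assumption: values PHP uses when php.ini does not set the directive.
DEFAULTS = {"soap.wsdl_cache_enabled": "1", "soap.wsdl_cache_dir": "/tmp"}
OFF = {"0", "off", "false", "no", "none", ""}


def parse_soap_settings(ini_text):
    """Return the effective SOAP cache directives; the last assignment wins."""
    settings = dict(DEFAULTS)
    for raw in ini_text.splitlines():
        line = raw.strip()
        # Skip blanks, section headers and commented-out directives.
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() in settings:
            value = value.split(";", 1)[0]  # drop a trailing inline comment
            settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_wsdl_cache(ini_text):
    """Return (verdict, cache_dir): 'ok', 'risk' or 'missing'."""
    cfg = parse_soap_settings(ini_text)
    cache_dir = cfg["soap.wsdl_cache_dir"]
    if cfg["soap.wsdl_cache_enabled"].lower() in OFF:
        return ("ok", cache_dir)  # no cache files are read from disk
    try:
        mode = os.stat(cache_dir).st_mode
    except OSError:
        return ("missing", cache_dir)
    # Any local user can pre-create files in a world-writable directory.
    if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
        return ("risk", cache_dir)
    return ("ok", cache_dir)


if __name__ == "__main__":
    # Constructed sample mirroring the /tmp default named in the advisory.
    sample = '[soap]\nsoap.wsdl_cache_enabled=1\nsoap.wsdl_cache_dir="/tmp"\n'
    print(audit_wsdl_cache(sample))
```

A "risk" verdict is cleared by pointing soap.wsdl_cache_dir at a directory that only the PHP process user can write to.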