CVE-2017-12932: ext/standard/var_unserializer.re in PHP 7.0.x through 7.0.22 and 7.1.x through 7.1.8 is prone to a heap use after free while unserializing untrusted data, related to improper use of the hash API for key deletion in a situation with an invalid array size. Exploitation of this issue can have an unspecified impact on the integrity of PHP.
I added php-7.0.23 to the tree, but I don't see a fixed release of the 7.1 series yet.
(In reply to Michael Orlitzky from comment #1)
> I don't see a fixed release of the 7.1 series yet.

This patch was posted: https://github.com/php/php-src/commit/1a23ebc1fff59bf480ca92963b36eba5c1b904c4 also see ${URL}: particularly, bug #74622.

Daj'Uan (jmbailey/mbailey_j) Gentoo Security Padawan
Brian added the official php-7.1.9 and I just dropped php-7.1.8, so we're ready to stabilize php-7.0.23.
ia64 stable
hppa stable
sparc stable (thanks to Dakon)
ppc/ppc64 stable
Stable on alpha.
amd64 tested, ok
arm stable
amd64 stable
x86 stable

@ Maintainers: Please clean up and drop <dev-lang/php-7.0.23!
The vulnerable versions are gone (thanks Brian).
GLSA Request filed.

Gentoo Security Padawan ChrisADR
This issue was resolved and addressed in GLSA 201709-21 at https://security.gentoo.org/glsa/201709-21 by GLSA coordinator Aaron Bauman (b-man).