Login
Login-Name Passwort


 
Newsletter
Werbung

Sicherheit: Mehrere Probleme in PHP
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in PHP
ID: USN-3211-1
Distribution: Ubuntu
Plattformen: Ubuntu 16.04 LTS, Ubuntu 16.10
Datum: Do, 23. Februar 2017, 20:17
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9935
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10162
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10159
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10161
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10160
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10158
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5340

Originalnachricht

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============8879567050922520838==
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature";
boundary="mAihjK1b1jpVqVa1B1kSUOkwIjJ3N1lk1"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--mAihjK1b1jpVqVa1B1kSUOkwIjJ3N1lk1
Content-Type: multipart/mixed;
boundary="aP7SwI1WI2Vavl9QnGilrJeWAK1ahcJmt"
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <93c71d55-010a-c793-b17e-fde0b27f056c@canonical.com>
Subject: [USN-3211-1] PHP vulnerabilities

--aP7SwI1WI2Vavl9QnGilrJeWAK1ahcJmt
Content-Type: text/plain; charset=utf-
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-3211-1
February 23, 2017

php7.0 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:
- php7.0: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-7479)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-9137)

It was discovered that PHP incorrectly handled unserializing certain
wddxPacket XML documents. A remote attacker could use this issue to cause
PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-9935)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-9936)

It was discovered that PHP incorrectly handled certain EXIF data. A remote
attacker could use this issue to cause PHP to crash, resulting in a denial
of service. (CVE-2016-10158)

It was discovered that PHP incorrectly handled certain PHAR archives. A
remote attacker could use this issue to cause PHP to crash or consume
resources, resulting in a denial of service. (CVE-2016-10159)

It was discovered that PHP incorrectly handled certain PHAR archives. A
remote attacker could use this issue to cause PHP to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2016-10160)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service. (CVE-2016-10161)

It was discovered that PHP incorrectly handled unserializing certain
wddxPacket XML documents. A remote attacker could use this issue to cause
PHP to crash, resulting in a denial of service. (CVE-2016-10162)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2017-5340)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
libapache2-mod-php7.0 7.0.15-0ubuntu0.16.10.2
php7.0-cgi 7.0.15-0ubuntu0.16.10.2
php7.0-cli 7.0.15-0ubuntu0.16.10.2
php7.0-fpm 7.0.15-0ubuntu0.16.10.2

Ubuntu 16.04 LTS:
libapache2-mod-php7.0 7.0.15-0ubuntu0.16.04.2
php7.0-cgi 7.0.15-0ubuntu0.16.04.2
php7.0-cli 7.0.15-0ubuntu0.16.04.2
php7.0-fpm 7.0.15-0ubuntu0.16.04.2

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
http://www.ubuntu.com/usn/usn-3211-1
CVE-2016-10158, CVE-2016-10159, CVE-2016-10160, CVE-2016-10161,
CVE-2016-10162, CVE-2016-7479, CVE-2016-9137, CVE-2016-9935,
CVE-2016-9936, CVE-2017-5340

Package Information:
https://launchpad.net/ubuntu/+source/php7.0/7.0.15-0ubuntu0.16.10.2
https://launchpad.net/ubuntu/+source/php7.0/7.0.15-0ubuntu0.16.04.2



--aP7SwI1WI2Vavl9QnGilrJeWAK1ahcJmt--

--mAihjK1b1jpVqVa1B1kSUOkwIjJ3N1lk1
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJYrxIDAAoJEGVp2FWnRL6T7BkQALSRbePbDSmwVlAVdo3fFACr
icyMuqRUhAba1qF2zGRsOQfKCmKJV7RJPSkd1L58vp21XLSQYz2oSHnb/CjDz4o7
8l6k7bAJAQehAZj6WFd4h5vrYWD8uZ81zMCXrAOlT+okqNBZsyVrAvsKKN9PLj8/
nwBzDEBU4+7Zx8Jd/OrALFsS668zafeXS4EIGkCHEIKMDsBTGBRWKd23lyFQL5GE
8Pyc9pGXnwHQiE9aECUtdkZEVR1JqOWC14PsevDlpvkacY4QkXoYLUu6mNaIISh/
V9/kn4R0H+ZNMXoXd8zkNjFYEQzwXE5IbpjEiSeR5ccqTcKTQRSl82piKEhotcD7
fpP9/Eo39G1NbySCojc3jGhyvff3Fss+JTgkH+empqPkaOWJ3hbcbjvEtgDEKxaL
q4/NfmLKuUXJFjj7fSfku+hqhhVLrFDFUhNm/GturZPKQP40Ls7lObuA8h1+L/CY
IlN/EnzkVLhgIrOwd5vOyXdrRRPnNhY0kcOvZ3JvecprODWyEyUIPCoIKQe95eqz
6leqg8u1N032UPHU9xEfjAmwuoKcSQXsLFh/kUToM1JsvghJRNwE+TwdPXCLsWpX
9UtlzrC4fzuoGON4afQpwJEzEDmwDGfjsNusOL+M5IkavZT1w3zpvQHGI1yBaQZz
9miuLwuDcE2cXW9SKtvJ
=N6Jk
-----END PGP SIGNATURE-----

--mAihjK1b1jpVqVa1B1kSUOkwIjJ3N1lk1--


--===============8879567050922520838==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--===============8879567050922520838==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung