From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <93c71d55-010a-c793-b17e-fde0b27f056c@canonical.com>
Subject: [USN-3211-1] PHP vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3211-1
February 23, 2017

php7.0 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in PHP.
Software Description:
- php7.0: HTML-embedded scripting language interpreter
Details:
It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7479)
It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9137)
It was discovered that PHP incorrectly handled unserializing certain wddxPacket XML documents. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9935)
It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9936)
It was discovered that PHP incorrectly handled certain EXIF data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-10158)
It was discovered that PHP incorrectly handled certain PHAR archives. A remote attacker could use this issue to cause PHP to crash or consume resources, resulting in a denial of service. (CVE-2016-10159)
It was discovered that PHP incorrectly handled certain PHAR archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-10160)
It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-10161)
It was discovered that PHP incorrectly handled unserializing certain wddxPacket XML documents. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-10162)
It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-5340)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.10:
  libapache2-mod-php7.0           7.0.15-0ubuntu0.16.10.2
  php7.0-cgi                      7.0.15-0ubuntu0.16.10.2
  php7.0-cli                      7.0.15-0ubuntu0.16.10.2
  php7.0-fpm                      7.0.15-0ubuntu0.16.10.2

Ubuntu 16.04 LTS:
  libapache2-mod-php7.0           7.0.15-0ubuntu0.16.04.2
  php7.0-cgi                      7.0.15-0ubuntu0.16.04.2
  php7.0-cli                      7.0.15-0ubuntu0.16.04.2
  php7.0-fpm                      7.0.15-0ubuntu0.16.04.2
This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.
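As an added example (not part of the notice, and not an Ubuntu tool), the POSIX shell script below checks whether the installed php7.0 packages on a host are at or above the fixed versions listed above, so an administrator can confirm the update actually landed after running it. The function names, the use of `dpkg --compare-versions` for Debian version ordering, and the GNU `sort -V` fallback used when `dpkg` is absent are my own choices; the package names and fixed versions come from the notice.

```shell
#!/bin/sh
# Added example: verify that php7.0 packages are at or above the USN-3211-1 fixed versions.
# Fixed versions are taken from the notice; everything else is an assumption of this script.

# fixed_version_for RELEASE -> prints the fixed version for that Ubuntu release
fixed_version_for() {
  case "$1" in
    16.10) echo "7.0.15-0ubuntu0.16.10.2" ;;
    16.04) echo "7.0.15-0ubuntu0.16.04.2" ;;
    *) return 1 ;;   # release not covered by this notice
  esac
}

# version_ge INSTALLED FIXED -> exit 0 if INSTALLED >= FIXED in Debian version order
version_ge() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" ge "$2"
  else
    # Fallback (assumption): GNU sort -V orders these particular version strings correctly.
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
  fi
}

# check_status RELEASE PACKAGE INSTALLED -> prints fixed | vulnerable | unknown
check_status() {
  fixed=$(fixed_version_for "$1") || { echo unknown; return 0; }
  if version_ge "$3" "$fixed"; then
    echo fixed
  else
    echo vulnerable
  fi
}

# audit_installed: on a live Ubuntu host, query dpkg for the four packages from the notice
audit_installed() {
  rel=$(. /etc/os-release 2>/dev/null && echo "$VERSION_ID")
  for pkg in libapache2-mod-php7.0 php7.0-cgi php7.0-cli php7.0-fpm; do
    inst=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || continue  # not installed
    printf '%-24s %-28s %s\n' "$pkg" "$inst" "$(check_status "$rel" "$pkg" "$inst")"
  done
}

# Constructed sample inputs (not real hosts), run only when the script is executed directly:
[ "${0##*/}" = "sh" ] || {
  check_status 16.04 php7.0-cli 7.0.13-0ubuntu0.16.04.1   # vulnerable
  check_status 16.10 php7.0-fpm 7.0.15-0ubuntu0.16.10.2   # fixed
}
```

On a real host, `audit_installed` prints one line per installed package with its status; a package that is not installed is skipped rather than reported, since `unserialize` and the PHAR/EXIF code only matter in interpreters that are actually present.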
References:
  http://www.ubuntu.com/usn/usn-3211-1
  CVE-2016-10158, CVE-2016-10159, CVE-2016-10160, CVE-2016-10161,
  CVE-2016-10162, CVE-2016-7479, CVE-2016-9137, CVE-2016-9935,
  CVE-2016-9936, CVE-2017-5340
Package Information:
  https://launchpad.net/ubuntu/+source/php7.0/7.0.15-0ubuntu0.16.10.2
  https://launchpad.net/ubuntu/+source/php7.0/7.0.15-0ubuntu0.16.04.2