Login
Newsletter
Werbung
Sicherheit: Mehrere Probleme in PHP
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in PHP
ID: USN-3196-1
Distribution: Ubuntu
Plattformen: Ubuntu 12.04 LTS, Ubuntu 14.04 LTS
Datum: Di, 14. Februar 2017, 22:53
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10159
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10160
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10161
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9912
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10158
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9935
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9934
Applikationen: PHP

Originalnachricht

 
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============3919910133356474552==
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature";
 boundary="VbE1WxIUNPIqPX3BJGXhGhRU2R3b4xbHc"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--VbE1WxIUNPIqPX3BJGXhGhRU2R3b4xbHc
Content-Type: multipart/mixed;
 boundary="d5lhUqbqSMqoAm8CuS7ulVpb2cBEIQtBe"
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <677c734a-15f5-ae29-975f-2882d519d668@canonical.com>
Subject: [USN-3196-1] PHP vulnerabilities

--d5lhUqbqSMqoAm8CuS7ulVpb2cBEIQtBe
Content-Type: text/plain; charset=utf-
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-3196-1
February 14, 2017

php5 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:
- php5: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain arguments to the
locale_get_display_name function. A remote attacker could use this issue to
cause PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2014-9912)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
hang, resulting in a denial of service. (CVE-2016-7478)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-7479)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2016-9137)

It was discovered that PHP incorrectly handled unserializing certain
wddxPacket XML documents. A remote attacker could use this issue to cause
PHP to crash, resulting in a denial of service. (CVE-2016-9934)

It was discovered that PHP incorrectly handled unserializing certain
wddxPacket XML documents. A remote attacker could use this issue to cause
PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-9935)

It was discovered that PHP incorrectly handled certain EXIF data. A remote
attacker could use this issue to cause PHP to crash, resulting in a denial
of service. (CVE-2016-10158)

It was discovered that PHP incorrectly handled certain PHAR archives. A
remote attacker could use this issue to cause PHP to crash or consume
resources, resulting in a denial of service. (CVE-2016-10159)

It was discovered that PHP incorrectly handled certain PHAR archives. A
remote attacker could use this issue to cause PHP to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2016-10160)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service. (CVE-2016-10161)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
  libapache2-mod-php5             5.5.9+dfsg-1ubuntu4.21
  php5-cgi                        5.5.9+dfsg-1ubuntu4.21
  php5-cli                        5.5.9+dfsg-1ubuntu4.21
  php5-fpm                        5.5.9+dfsg-1ubuntu4.21

Ubuntu 12.04 LTS:
  libapache2-mod-php5             5.3.10-1ubuntu3.26
  php5-cgi                        5.3.10-1ubuntu3.26
  php5-cli                        5.3.10-1ubuntu3.26
  php5-fpm                        5.3.10-1ubuntu3.26

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-3196-1
  CVE-2014-9912, CVE-2016-10158, CVE-2016-10159, CVE-2016-10160,
  CVE-2016-10161, CVE-2016-7478, CVE-2016-7479, CVE-2016-9137,
  CVE-2016-9934, CVE-2016-9935

Package Information:
  https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.21
  https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.26



--d5lhUqbqSMqoAm8CuS7ulVpb2cBEIQtBe--

--VbE1WxIUNPIqPX3BJGXhGhRU2R3b4xbHc
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJYo1OBAAoJEGVp2FWnRL6TnEUP+wZv+ObwuVzSmXlfLwSiHxWx
uLCJRrcsOs2nlIc1HTOUPVOA1B65QJL6gupTHR9+gvUr/pU9ku5ItdTg9IpW0X3A
81Chg7Vgi251VtMYn9ihCCj+5W0LBVavuOKYJJLt2FWLmhS0kZAzvwM/ceQ1rlHb
htCrNL+a3gt6kF+0TPHbFOcS5CqnLpGmi5oVU6iygngl/Yqhb+46mGjlqe6Xk7Td
NRzD6cWiz9MyNhWoA0Vr3ARcrer8qpJr+cWt8YWNjvEsV2PsHOXshIi0sJotpFn1
uZx5q5SsldGtWhe1qqQkrC8Ak9OdNoBpa88qnAER99mHo93KsEaWiiR4qvdJOmhR
CBoEbU3m1VuYZUO2q5I6KK01ah3WsmbcNDCDF7GREv2E3vn1bG0YVBMTL8zaKBlr
b5gAJc3b8RTZ+7HPudEdNoFoyqIvpWXCPXl775nS6oYRzdVYWDwpNwaivM4HUDKA
eLMABBQB5Vy1lOO+ouA0uC3hGCrS81kui2RWcfrix4vPK0bbgO6159sOiG5Db/31
v4IWnpsIgNteFntVskxcxmXZY+HVX60DgG/NIXFxI6uU9CtCSJD8lRlc80ne2U8i
6FfYmLthKgK1bys35WURGIGsLJokaUzx+1+/9q6+WT/p99oJkRuZVlAKedvGzHKK
meRmtmFlKYS3ftGoYr0S
=dk+/
-----END PGP SIGNATURE-----

--VbE1WxIUNPIqPX3BJGXhGhRU2R3b4xbHc--


--===============3919910133356474552==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-- 
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--===============3919910133356474552==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung