oss-sec mailing list archives
CVE Request: PHP last release security issues
From: Marcus Meissner <meissner () suse de>
Date: Thu, 10 Mar 2016 10:42:28 +0100
Hi,

PHP released a round of security updates, but no CVEs have apparently been assigned.

from http://php.net/ChangeLog-7.php#7.0.4

https://bugs.php.net/bug.php?id=71610
Type Confusion Vulnerability - SOAP / make_http_soap_request()

from http://php.net/ChangeLog-5.php#5.6.19 and http://php.net/ChangeLog-5.php#5.5.33

https://bugs.php.net/bug.php?id=71498
Out-of-Bound Read in phar_parse_zipfile()

https://bugs.php.net/bug.php?id=71587
Use-After-Free / Double-Free in WDDX Deserialize

There are more bugs in the release announcements with trigger words like integer overflow or use-after-free, but several if not all of those need specific PHP code, so basically self-exploitation.

Perhaps the PHP security team can fill in if I missed some or one of the above is not an issue.

Ciao, Marcus