SUSE-SU-2017:2303-1
Description
Security update for php7

This update for php7 fixes the following issues:

- CVE-2016-10397: parse_url() can be bypassed to return a fake host. (bsc#1047454)
- CVE-2017-11142: Remote attackers could cause a CPU consumption denial of service by injecting long form variables, related to main/php_variables. (bsc#1048100)
- CVE-2017-11144: The openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash. (bsc#1048096)
- CVE-2017-11145: Lack of bounds checks in timelib_meridian could lead to an information leak. (bsc#1048112)
- CVE-2017-11146: Lack of bounds checks in the timelib_meridian parse code could lead to an information leak. (bsc#1048111)
- CVE-2017-11147: The PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information. (bsc#1048094)
- CVE-2017-11628: Stack-based buffer overflow in zend_ini_do_op() could lead to denial of service. (bsc#1050726)
- CVE-2017-7890: Buffer over-read from uninitialized data in the gdImageCreateFromGifCtx function could lead to denial of service. (bsc#1050241)
- CVE-2016-5766: Integer overflow in _gd2GetHeader() resulting in a heap overflow could lead to denial of service or code execution. (bsc#986386)

Other fixes:

- SOAP request with references (bsc#1053645)
- php7-pear should explicitly require php7-pear-Archive_Tar, otherwise this dependency must be declared explicitly in every php7-pear-* package. (bnc#1052389)
Affected Systems
- SUSE Linux Enterprise Module for Web and Scripting 12: php7 < 7.0.7-50.9.2
- SUSE Linux Enterprise Software Development Kit 12 SP2: php7 < 7.0.7-50.9.2
- SUSE Linux Enterprise Software Development Kit 12 SP3: php7 < 7.0.7-50.9.2
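The fixed version above is a version-release string as reported by rpm, so the practical check on a SLES 12 host is to compare the installed php7 package against 7.0.7-50.9.2. The script below is an added example, not part of the SUSE advisory: it compares version-release strings with GNU sort -V (an assumption: for plain dotted strings like these it orders the same way as rpmvercmp, but it does not handle rpm's tilde or caret segments), queries rpm when the package is installed, and otherwise runs against constructed sample versions so it can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory): decide whether an installed
# php7 package is still affected by SUSE-SU-2017:2303-1.
# Fixed version-release taken from the advisory's Affected Systems list.
FIXED="7.0.7-50.9.2"

# version_ge A B: succeed if A >= B in natural-version order.
# Assumption: GNU sort -V agrees with rpmvercmp for plain dotted
# version-release strings (no tilde/caret segments).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# php7_status VR: print "fixed" or "affected" for a version-release string
# such as the output of: rpm -q --qf '%{VERSION}-%{RELEASE}\n' php7
php7_status() {
    if version_ge "$1" "$FIXED"; then
        echo fixed
    else
        echo affected
    fi
}

# Use the live package database when php7 is installed; otherwise run over
# constructed sample values (one older, the fixed one, one newer) so the
# script still demonstrates the comparison offline.
if command -v rpm >/dev/null 2>&1 && rpm -q php7 >/dev/null 2>&1; then
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' php7 | head -n 1)
    echo "php7 $vr: $(php7_status "$vr")"
else
    for vr in 7.0.7-50.6.1 7.0.7-50.9.2 7.0.7-50.12.1; do
        echo "php7 $vr: $(php7_status "$vr")"
    done
fi
```

On a registered SLES system, zypper can resolve the fix by CVE directly (for example `zypper patch --cve=CVE-2017-11628`), which is the authoritative route; the comparison above is useful when auditing package inventories exported from many hosts.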
References (21)
- https://www.suse.com/support/update/announcement/2017/suse-su-20172303-1/
- https://bugzilla.suse.com/1047454
- https://bugzilla.suse.com/1048094
- https://bugzilla.suse.com/1048096
- https://bugzilla.suse.com/1048100
- https://bugzilla.suse.com/1048111
- https://bugzilla.suse.com/1048112
- https://bugzilla.suse.com/1050241
- https://bugzilla.suse.com/1050726
- https://bugzilla.suse.com/1052389
- https://bugzilla.suse.com/1053645
- https://bugzilla.suse.com/986386
- https://www.suse.com/security/cve/CVE-2016-10397
- https://www.suse.com/security/cve/CVE-2016-5766
- https://www.suse.com/security/cve/CVE-2017-11142
- https://www.suse.com/security/cve/CVE-2017-11144
- https://www.suse.com/security/cve/CVE-2017-11145
- https://www.suse.com/security/cve/CVE-2017-11146
- https://www.suse.com/security/cve/CVE-2017-11147
- https://www.suse.com/security/cve/CVE-2017-11628
- https://www.suse.com/security/cve/CVE-2017-7890