PublicDateAtUSN: 2016-06-24
Candidate: CVE-2016-5773
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5773
https://www.evonide.com/breaking-phps-garbage-collection-and-unserialize/
https://usn.ubuntu.com/usn/usn-3045-1
php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23,
and 7.x before 7.0.8 improperly interacts with the unserialize
implementation and garbage collection, which allows remote attackers to
execute arbitrary code or cause a denial of service (use-after-free and
application crash) via crafted serialized data containing a ZipArchive
mdeslaur> Applications should never deserialize unauthenticated data.
mdeslaur> precise needs backported fix
mdeslaur> we will not be fixing this in Ubuntu 12.04 LTS. We recommend
mdeslaur> validating untrusted data before unserializing.
https://bugs.php.net/bug.php?id=72434
upstream: http://git.php.net/?p=php-src.git;a=commit;h=f6aef68089221c5ea047d4a74224ee3deead99a6
upstream_php5: released (5.6.23)
trusty_php5: released (5.5.9+dfsg-1ubuntu4.19)
vivid/ubuntu-core_php5: DNE
vivid/stable-phone-overlay_php5: DNE
wily_php5: ignored (reached end-of-life)
upstream: http://git.php.net/?p=php-src.git;a=commit;h=f6aef68089221c5ea047d4a74224ee3deead99a6
upstream_php7.0: released (7.0.8)
vivid/ubuntu-core_php7.0: DNE
vivid/stable-phone-overlay_php7.0: DNE
xenial_php7.0: released (7.0.8-0ubuntu0.16.04.1)
devel_php7.0: not-affected (7.0.8-3ubuntu1)