~ubuntu-security/ubuntu-cve-tracker/master

PublicDateAtUSN: 2017-01-24
Candidate: CVE-2016-10161
PublicDate: 2017-01-24
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10161
 http://php.net/ChangeLog-5.php
 http://php.net/ChangeLog-7.php
 http://www.ubuntu.com/usn/usn-3196-1
 http://www.ubuntu.com/usn/usn-3211-1
Description:
 The object_common1 function in ext/standard/var_unserializer.c in PHP
 before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote
 attackers to cause a denial of service (buffer over-read and application
 crash) via crafted serialized data that is mishandled in a
 finish_nested_data call.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.php.net/bug.php?id=73825
Priority: low
Discovered-by:
Assigned-to:

Patches_php5:
 upstream: http://git.php.net/?p=php-src.git;a=commit;h=16b3003ffc6393e250f069aa28a78dc5a2c064b2
 upstream: http://git.php.net/?p=php-src.git;a=commit;h=fa2125df6766bb7edac0a0bf433940465da9af4b
upstream_php5: released (5.6.30)
precise_php5: released (5.3.10-1ubuntu3.26)
trusty_php5: released (5.5.9+dfsg-1ubuntu4.21)
vivid/ubuntu-core_php5: DNE
vivid/stable-phone-overlay_php5: DNE
xenial_php5: DNE
yakkety_php5: DNE
devel_php5: DNE

Patches_php7.0:
 upstream: http://git.php.net/?p=php-src.git;a=commit;h=16b3003ffc6393e250f069aa28a78dc5a2c064b2
 upstream: http://git.php.net/?p=php-src.git;a=commit;h=9f560baef5eacbe3fdb6a23a2d4e1996a30a2d2c
upstream_php7.0: released (7.0.15)
precise_php7.0: DNE
trusty_php7.0: DNE
vivid/ubuntu-core_php7.0: DNE
vivid/stable-phone-overlay_php7.0: DNE
xenial_php7.0: released (7.0.15-0ubuntu0.16.04.2)
yakkety_php7.0: released (7.0.15-0ubuntu0.16.10.2)
devel_php7.0: released (7.0.15-1ubuntu2)