Date: Thu, 10 Mar 2016 10:42:28 +0100
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>, security@....net, cve-assign@...re.org
Subject: CVE Request: PHP last release security issues

Hi,

PHP released a round of security updates, but no CVEs have apparently been assigned.

from http://php.net/ChangeLog-7.php#7.0.4

https://bugs.php.net/bug.php?id=71610
Type Confusion Vulnerability - SOAP / make_http_soap_request()

from http://php.net/ChangeLog-5.php#5.6.19 and http://php.net/ChangeLog-5.php#5.5.33

https://bugs.php.net/bug.php?id=71498
Out-of-Bound Read in phar_parse_zipfile()

https://bugs.php.net/bug.php?id=71587
Use-After-Free / Double-Free in WDDX Deserialize

There are more bugs in the release announcements with trigger words like integer overflow or use-after-free, but several if not all of those need specific PHP code, so basically self-exploitation.

Perhaps the PHP security team can fill in if I missed some or one of the above is not an issue.

Ciao, Marcus