Date: Thu, 10 Mar 2016 10:42:28 +0100 From: Marcus Meissner <meissner@...e.de> To: OSS Security List <oss-security@...ts.openwall.com>, security@....net, cve-assign@...re.org Subject: CVE Request: PHP last release security issues Hi, PHP released a round of security updates, but no CVEs have apparently been assigned. from http://php.net/ChangeLog-7.php#7.0.4 https://bugs.php.net/bug.php?id=71610 Type Confusion Vulnerability - SOAP / make_http_soap_request() from http://php.net/ChangeLog-5.php#5.6.19 and http://php.net/ChangeLog-5.php#5.5.33 https://bugs.php.net/bug.php?id=71498 Out-of-Bound Read in phar_parse_zipfile() https://bugs.php.net/bug.php?id=71587 Use-After-Free / Double-Free in WDDX Deserialize There are more bugs in the release announcements with trigger words like integer overflow or use-after-free, but several if not all of those need specific PHP code, so basically self-exploitation. Perhaps the PHP security team can fill in if I missed some or one of the above is not an issue. Ciao, Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.