Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 24 Jul 2016 11:06:25 +0300
From: Lior Kaplan <>
Cc: "" <>,
Subject: Fwd: CVE for PHP 5.5.38 issues


PHP 5.5.38 was released over the weekend, with a few security fixes, see
list bellow (I removed issues already have CVE assigned to them).

Source code is at;a=shortlog;h=refs/tags/php-5.5.38

- Core:
   . Fixed bug #70480 (php_url_parse_ex() buffer overflow read). (Stas)
   . Fixed bug #72513 (Stack-based buffer overflow vulnerability in
     virtual_file_ex). (loianhtuan at gmail dot com)
   . Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session
     Deserialization). (taoguangchen at icloud dot com)

   . Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).
   . Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment).

- Intl:
   . Fixed bug #72533 (locale_accept_from_http out-of-bounds access). (Stas)

   . Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and
     unserialize()). (taoguangchen at icloud dot com)

- Xmlrpc:
   . Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn

- Zip:
   . Fixed bug #72520 (Stack-based buffer overflow vulnerability in
     php_stream_zip_opener). (loianhtuan at gmail dot com)



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.