rpm package
opensuse/php7&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/php7&distro=openSUSE%20Tumbleweed
Vulnerabilities (121)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2014-3587 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Aug 23, 2014 | Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vuln | ||
| CVE-2014-4698 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Jul 10, 2014 | Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting envi | ||
| CVE-2014-4670 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Jul 10, 2014 | Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environm | ||
| CVE-2014-3538 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Jul 3, 2014 | file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule. NOTE: this vulnerability exists | ||
| CVE-2014-4049 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Jun 18, 2014 | Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function. | ||
| CVE-2014-0238 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Jun 1, 2014 | The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long. | ||
| CVE-2014-0237 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Jun 1, 2014 | The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls. | ||
| CVE-2014-0185 | — | < 7.0.14-1.4 | 7.0.14-1.4 | May 6, 2014 | sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client. | ||
| CVE-2013-7345 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Mar 24, 2014 | The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers | ||
| CVE-2014-2497 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Mar 21, 2014 | The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file. | ||
| CVE-2014-2270 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Mar 14, 2014 | softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable. | ||
| CVE-2014-1943 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Feb 18, 2014 | Fine Free file before 5.17 allows context-dependent attackers to cause a denial of service (infinite recursion, CPU consumption, and crash) via a crafted indirect offset value in the magic of a file. | ||
| CVE-2013-7327 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Feb 18, 2014 | The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check return values, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via invalid imagecrop arguments that lead to use of a NULL poin | ||
| CVE-2013-6420 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Dec 17, 2013 | The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a | ||
| CVE-2013-6712 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Nov 28, 2013 | The scan function in ext/date/lib/parse_iso_intervals.c in PHP through 5.5.6 does not properly restrict creation of DateInterval objects, which might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted interval specification. | ||
| CVE-2013-1824 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Sep 16, 2013 | The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlPa | ||
| CVE-2013-4248 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Aug 18, 2013 | The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spo | ||
| CVE-2011-4718 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Aug 13, 2013 | Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID. | ||
| CVE-2013-4113 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Jul 13, 2013 | ext/xml/xml.c in PHP before 5.3.27 does not properly consider parsing depth, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the xml_parse_into_struct functio | ||
| CVE-2013-1643 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Mar 6, 2013 | The SOAP parser in PHP before 5.3.23 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlPa |
- CVE-2014-3587Aug 23, 2014affected < 7.0.14-1.4fixed 7.0.14-1.4
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vuln
- CVE-2014-4698Jul 10, 2014affected < 7.0.14-1.4fixed 7.0.14-1.4
Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting envi
- CVE-2014-4670Jul 10, 2014affected < 7.0.14-1.4fixed 7.0.14-1.4
Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environm
- CVE-2014-3538Jul 3, 2014affected < 7.0.14-1.4fixed 7.0.14-1.4
file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule. NOTE: this vulnerability exists
- CVE-2014-4049Jun 18, 2014affected < 7.0.14-1.4fixed 7.0.14-1.4
Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function.
- CVE-2014-0238Jun 1, 2014affected < 7.0.14-1.4fixed 7.0.14-1.4
The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long.
- CVE-2014-0237Jun 1, 2014affected < 7.0.14-1.4fixed 7.0.14-1.4
The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.
- CVE-2014-0185May 6, 2014affected < 7.0.14-1.4fixed 7.0.14-1.4
sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.
- CVE-2013-7345Mar 24, 2014affected < 7.0.14-1.4fixed 7.0.14-1.4
The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers
- CVE-2014-2497Mar 21, 2014affected < 7.0.14-1.4fixed 7.0.14-1.4
The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file.
- CVE-2014-2270Mar 14, 2014affected < 7.0.14-1.4fixed 7.0.14-1.4
softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.
- CVE-2014-1943Feb 18, 2014affected < 7.0.14-1.4fixed 7.0.14-1.4
Fine Free file before 5.17 allows context-dependent attackers to cause a denial of service (infinite recursion, CPU consumption, and crash) via a crafted indirect offset value in the magic of a file.
- CVE-2013-7327Feb 18, 2014affected < 7.0.14-1.4fixed 7.0.14-1.4
The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check return values, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via invalid imagecrop arguments that lead to use of a NULL poin
- CVE-2013-6420Dec 17, 2013affected < 7.0.14-1.4fixed 7.0.14-1.4
The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a
- CVE-2013-6712Nov 28, 2013affected < 7.0.14-1.4fixed 7.0.14-1.4
The scan function in ext/date/lib/parse_iso_intervals.c in PHP through 5.5.6 does not properly restrict creation of DateInterval objects, which might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted interval specification.
- CVE-2013-1824Sep 16, 2013affected < 7.0.14-1.4fixed 7.0.14-1.4
The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlPa
- CVE-2013-4248Aug 18, 2013affected < 7.0.14-1.4fixed 7.0.14-1.4
The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spo
- CVE-2011-4718Aug 13, 2013affected < 7.0.14-1.4fixed 7.0.14-1.4
Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID.
- CVE-2013-4113Jul 13, 2013affected < 7.0.14-1.4fixed 7.0.14-1.4
ext/xml/xml.c in PHP before 5.3.27 does not properly consider parsing depth, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the xml_parse_into_struct functio
- CVE-2013-1643Mar 6, 2013affected < 7.0.14-1.4fixed 7.0.14-1.4
The SOAP parser in PHP before 5.3.23 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlPa
Page 4 of 7