VYPR

rpm package

suse/php53&distro=SUSE Linux Enterprise Server 11 SP2-LTSS

pkg:rpm/suse/php53&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP2-LTSS

Vulnerabilities (109)

  • CVE-2015-8866 | Critical | May 22, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attack

  • CVE-2014-9767 | Medium | May 22, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before 3.12.1 allows remote attackers to create arbitrary empty directories via a crafte

  • CVE-2016-4073 | Critical | May 20, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted

  • CVE-2016-4070 | High | May 20, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says

  • CVE-2016-3185 | High | May 16, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (type confusion and application

  • CVE-2016-2554 | Critical | May 16, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TAR archive.

  • CVE-2015-8874 | High | May 16, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call.

  • CVE-2015-8873 | High | May 16, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    Stack consumption vulnerability in Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to cause a denial of service (segmentation fault) via recursive method calls.

  • CVE-2015-8838 | Medium | May 16, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    ext/mysqlnd/mysqlnd.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 uses a client SSL option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152.

  • CVE-2015-8835 | Critical | May 16, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not properly retrieve keys, which allows remote attackers to cause a denial of service (NULL pointer dereference, type confusion, and application cra

  • CVE-2015-6838 | High | May 16, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation after the

  • CVE-2015-6837 | High | May 16, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation during ini

  • CVE-2015-5589 | Critical | May 16, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    The phar_convert_to_other function in ext/phar/phar_object.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 does not validate a file pointer before a close operation, which allows remote attackers to cause a denial of service (segmentation fault) or possibly h

  • CVE-2015-4644 | High | May 16, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    The php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not validate token extraction for table names, which might allow remote attackers to cause a denial of service (NULL pointer

  • CVE-2015-4643 | Critical | May 16, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow. NOTE: this vulnerabil

  • CVE-2015-4603 | Critical | May 16, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    The exception::getTraceAsString function in Zend/zend_exceptions.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to execute arbitrary code via an unexpected data type, related to a "type confusion" issue.

  • CVE-2015-4602 | Critical | May 16, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    The __PHP_Incomplete_Class function in ext/standard/incomplete_class.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, relate

  • CVE-2015-4601 | Critical | May 16, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    PHP before 5.6.7 might allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to "type confusion" issues in (1) ext/soap/php_encoding.c, (2) ext/soap/php_http.c, and (3) ext/soap/soap.c, a di

  • CVE-2015-4600 | Critical | May 16, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    The SoapClient implementation in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to "type confusion" issues in the (1) S

  • CVE-2015-4599 | Critical | May 16, 2016
    affected < 5.3.17-47.1 | fixed 5.3.17-47.1

    The SoapFault::__toString method in ext/soap/soap.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to obtain sensitive information, cause a denial of service (application crash), or possibly execute arbitrary code via an unexpected data

Page 3 of 6