rpm package

suse/php7&distro=SUSE Linux Enterprise Module for Web and Scripting 12

pkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012

Vulnerabilities (103)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2017-11144	Hig	7.5	< 7.0.7-50.9.2	7.0.7-50.9.2	Jul 10, 2017	In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number
CVE-2017-11142	Hig	7.5	< 7.0.7-50.9.2	7.0.7-50.9.2	Jul 10, 2017	In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c.
CVE-2016-10397	Hig	7.5	< 7.0.7-50.9.2	7.0.7-50.9.2	Jul 10, 2017	In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:80?@good.example.com/ input
CVE-2016-4473	Cri	9.8	< 7.0.7-15.1	7.0.7-15.1	Jun 8, 2017	/ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers to execute arbitrary code. NOTE: Introduced as part of an incomplete fix to CVE-2015-6833.
CVE-2017-9229	Hig	7.5	< 7.0.7-50.23.1	7.0.7-50.23.1	May 24, 2017	An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in
CVE-2017-9228	Cri	9.8	< 7.0.7-50.23.1	7.0.7-50.23.1	May 24, 2017	An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state tra
CVE-2017-9227	Cri	9.8	< 7.0.7-49.1	7.0.7-49.1	May 24, 2017	An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg->dmin in forward_search_range() could resu
CVE-2017-9226	Cri	9.8	< 7.0.7-49.1	7.0.7-49.1	May 24, 2017	An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correc
CVE-2017-9224	Cri	9.8	< 7.0.7-49.1	7.0.7-49.1	May 24, 2017	An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at(
CVE-2016-5399	Hig	7.8	< 7.0.7-15.1	7.0.7-15.1	Apr 21, 2017	The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted bz2 archive.
CVE-2017-6441	Hig	7.5	< 7.0.7-49.1	7.0.7-49.1	Apr 3, 2017	The _zval_get_long_func_ex in Zend/zend_operators.c in PHP 7.1.2 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted use of "declare(ticks=" in a PHP script. NOTE: the vendor disputes the classification of this as a vulnerabi
CVE-2016-10168	Hig	7.8	< 7.0.7-35.1	7.0.7-35.1	Mar 15, 2017	Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image.
CVE-2016-10167	Med	5.5	< 7.0.7-35.1	7.0.7-35.1	Mar 15, 2017	The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.
CVE-2016-10166	Cri	9.8	< 7.0.7-35.1	7.0.7-35.1	Mar 15, 2017	Integer underflow in the _gdContributionsAlloc function in gd_interpolation.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors related to decrementing the u variable.
CVE-2015-8994	Hig	7.5	< 7.0.7-38.1	7.0.7-38.1	Mar 2, 2017	An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. With 5.x after 5.6.28 or 7.x after 7.0.13, the issue is resolved in a non-default configuration with the opcache.validate_permission=1 setting. The vuln
CVE-2016-6911	Med	5.5	< 7.0.7-20.1	7.0.7-20.1	Jan 26, 2017	The dynamicGetbuf function in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TIFF image.
CVE-2016-10162	Hig	7.5	< 7.0.7-35.1	7.0.7-35.1	Jan 24, 2017	The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacket XML document, leading to mis
CVE-2016-10161	Hig	7.5	< 7.0.7-35.1	7.0.7-35.1	Jan 24, 2017	The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finis
CVE-2016-10160	Cri	9.8	< 7.0.7-35.1	7.0.7-35.1	Jan 24, 2017	Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch.
CVE-2016-10159	Hig	7.5	< 7.0.7-35.1	7.0.7-35.1	Jan 24, 2017	Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive.

CVE-2017-11144HigJul 10, 2017
affected < 7.0.7-50.9.2fixed 7.0.7-50.9.2
In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number
CVE-2017-11142HigJul 10, 2017
affected < 7.0.7-50.9.2fixed 7.0.7-50.9.2
In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c.
CVE-2016-10397HigJul 10, 2017
affected < 7.0.7-50.9.2fixed 7.0.7-50.9.2
In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:80?@good.example.com/ input
CVE-2016-4473CriJun 8, 2017
affected < 7.0.7-15.1fixed 7.0.7-15.1
/ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers to execute arbitrary code. NOTE: Introduced as part of an incomplete fix to CVE-2015-6833.
CVE-2017-9229HigMay 24, 2017
affected < 7.0.7-50.23.1fixed 7.0.7-50.23.1
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in
CVE-2017-9228CriMay 24, 2017
affected < 7.0.7-50.23.1fixed 7.0.7-50.23.1
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state tra
CVE-2017-9227CriMay 24, 2017
affected < 7.0.7-49.1fixed 7.0.7-49.1
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg->dmin in forward_search_range() could resu
CVE-2017-9226CriMay 24, 2017
affected < 7.0.7-49.1fixed 7.0.7-49.1
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correc
CVE-2017-9224CriMay 24, 2017
affected < 7.0.7-49.1fixed 7.0.7-49.1
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at(
CVE-2016-5399HigApr 21, 2017
affected < 7.0.7-15.1fixed 7.0.7-15.1
The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted bz2 archive.
CVE-2017-6441HigApr 3, 2017
affected < 7.0.7-49.1fixed 7.0.7-49.1
The _zval_get_long_func_ex in Zend/zend_operators.c in PHP 7.1.2 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted use of "declare(ticks=" in a PHP script. NOTE: the vendor disputes the classification of this as a vulnerabi
CVE-2016-10168HigMar 15, 2017
affected < 7.0.7-35.1fixed 7.0.7-35.1
Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image.
CVE-2016-10167MedMar 15, 2017
affected < 7.0.7-35.1fixed 7.0.7-35.1
The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.
CVE-2016-10166CriMar 15, 2017
affected < 7.0.7-35.1fixed 7.0.7-35.1
Integer underflow in the _gdContributionsAlloc function in gd_interpolation.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors related to decrementing the u variable.
CVE-2015-8994HigMar 2, 2017
affected < 7.0.7-38.1fixed 7.0.7-38.1
An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. With 5.x after 5.6.28 or 7.x after 7.0.13, the issue is resolved in a non-default configuration with the opcache.validate_permission=1 setting. The vuln
CVE-2016-6911MedJan 26, 2017
affected < 7.0.7-20.1fixed 7.0.7-20.1
The dynamicGetbuf function in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TIFF image.
CVE-2016-10162HigJan 24, 2017
affected < 7.0.7-35.1fixed 7.0.7-35.1
The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacket XML document, leading to mis
CVE-2016-10161HigJan 24, 2017
affected < 7.0.7-35.1fixed 7.0.7-35.1
The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finis
CVE-2016-10160CriJan 24, 2017
affected < 7.0.7-35.1fixed 7.0.7-35.1
Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch.
CVE-2016-10159HigJan 24, 2017
affected < 7.0.7-35.1fixed 7.0.7-35.1
Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive.

Page 3 of 6