rpm package

suse/php7&distro=SUSE Linux Enterprise Module for Web and Scripting 12

pkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012

Vulnerabilities (103)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2016-10158	Hig	7.5	< 7.0.7-35.1	7.0.7-35.1	Jan 24, 2017	The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (application crash) via crafted EXIF data that triggers an attempt to divide the minimum representable ne
CVE-2016-7479	Cri	9.8	< 7.0.7-35.1	7.0.7-35.1	Jan 12, 2017	In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary code execution.
CVE-2016-7480	Cri	9.8	< 7.0.7-35.1	7.0.7-35.1	Jan 11, 2017	The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.
CVE-2017-5340	Cri	9.8	< 7.0.7-35.1	7.0.7-35.1	Jan 11, 2017	Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory access, and use of arbitrary de
CVE-2016-7478	Hig	7.5	< 7.0.7-35.1	7.0.7-35.1	Jan 11, 2017	Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related issue to CVE-2015-8876.
CVE-2016-9936	Cri	9.8	< 7.0.7-28.2	7.0.7-28.2	Jan 4, 2017	The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exists because of an incomplete fix
CVE-2016-9935	Cri	9.8	< 7.0.7-28.2	7.0.7-28.2	Jan 4, 2017	The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket
CVE-2016-9934	Hig	7.5	< 7.0.7-28.2	7.0.7-28.2	Jan 4, 2017	ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.
CVE-2016-9933	Hig	7.5	< 7.0.7-28.2	7.0.7-28.2	Jan 4, 2017	Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefi
CVE-2016-9138	Cri	9.8	< 7.0.7-35.1	7.0.7-35.1	Jan 4, 2017	PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with D
CVE-2016-9137	Cri	9.8	< 7.0.7-25.1	7.0.7-25.1	Jan 4, 2017	Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wa
CVE-2016-8670	Cri	9.8	< 7.0.7-20.1	7.0.7-20.1	Jan 4, 2017	Integer signedness error in the dynamicGetbuf function in gd_io_dp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspe
CVE-2016-7568	Cri	9.8	< 7.0.7-20.1	7.0.7-20.1	Sep 28, 2016	Integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP through 7.0.11, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafte
CVE-2016-7418	Hig	7.5	< 7.0.7-15.1	7.0.7-15.1	Sep 17, 2016	The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a wd
CVE-2016-7417	Cri	9.8	< 7.0.7-15.1	7.0.7-15.1	Sep 17, 2016	ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data.
CVE-2016-7416	Hig	7.5	< 7.0.7-15.1	7.0.7-15.1	Sep 17, 2016	ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecifi
CVE-2016-7414	Cri	9.8	< 7.0.7-15.1	7.0.7-15.1	Sep 17, 2016	The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impa
CVE-2016-7413	Cri	9.8	< 7.0.7-15.1	7.0.7-15.1	Sep 17, 2016	Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a r
CVE-2016-7412	Hig	8.1	< 7.0.7-15.1	7.0.7-15.1	Sep 17, 2016	ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via cra
CVE-2016-7134	Cri	9.8	< 7.0.7-15.1	7.0.7-15.1	Sep 12, 2016	ext/curl/interface.c in PHP 7.x before 7.0.10 does not work around a libcurl integer overflow, which allows remote attackers to cause a denial of service (allocation error and heap-based buffer overflow) or possibly have unspecified other impact via a long string that is mishandl

CVE-2016-10158HigJan 24, 2017
affected < 7.0.7-35.1fixed 7.0.7-35.1
The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (application crash) via crafted EXIF data that triggers an attempt to divide the minimum representable ne
CVE-2016-7479CriJan 12, 2017
affected < 7.0.7-35.1fixed 7.0.7-35.1
In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary code execution.
CVE-2016-7480CriJan 11, 2017
affected < 7.0.7-35.1fixed 7.0.7-35.1
The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.
CVE-2017-5340CriJan 11, 2017
affected < 7.0.7-35.1fixed 7.0.7-35.1
Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory access, and use of arbitrary de
CVE-2016-7478HigJan 11, 2017
affected < 7.0.7-35.1fixed 7.0.7-35.1
Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related issue to CVE-2015-8876.
CVE-2016-9936CriJan 4, 2017
affected < 7.0.7-28.2fixed 7.0.7-28.2
The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exists because of an incomplete fix
CVE-2016-9935CriJan 4, 2017
affected < 7.0.7-28.2fixed 7.0.7-28.2
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket
CVE-2016-9934HigJan 4, 2017
affected < 7.0.7-28.2fixed 7.0.7-28.2
ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.
CVE-2016-9933HigJan 4, 2017
affected < 7.0.7-28.2fixed 7.0.7-28.2
Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefi
CVE-2016-9138CriJan 4, 2017
affected < 7.0.7-35.1fixed 7.0.7-35.1
PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with D
CVE-2016-9137CriJan 4, 2017
affected < 7.0.7-25.1fixed 7.0.7-25.1
Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wa
CVE-2016-8670CriJan 4, 2017
affected < 7.0.7-20.1fixed 7.0.7-20.1
Integer signedness error in the dynamicGetbuf function in gd_io_dp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspe
CVE-2016-7568CriSep 28, 2016
affected < 7.0.7-20.1fixed 7.0.7-20.1
Integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP through 7.0.11, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafte
CVE-2016-7418HigSep 17, 2016
affected < 7.0.7-15.1fixed 7.0.7-15.1
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a wd
CVE-2016-7417CriSep 17, 2016
affected < 7.0.7-15.1fixed 7.0.7-15.1
ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data.
CVE-2016-7416HigSep 17, 2016
affected < 7.0.7-15.1fixed 7.0.7-15.1
ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecifi
CVE-2016-7414CriSep 17, 2016
affected < 7.0.7-15.1fixed 7.0.7-15.1
The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impa
CVE-2016-7413CriSep 17, 2016
affected < 7.0.7-15.1fixed 7.0.7-15.1
Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a r
CVE-2016-7412HigSep 17, 2016
affected < 7.0.7-15.1fixed 7.0.7-15.1
ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via cra
CVE-2016-7134CriSep 12, 2016
affected < 7.0.7-15.1fixed 7.0.7-15.1
ext/curl/interface.c in PHP 7.x before 7.0.10 does not work around a libcurl integer overflow, which allows remote attackers to cause a denial of service (allocation error and heap-based buffer overflow) or possibly have unspecified other impact via a long string that is mishandl

Page 4 of 6