{"affected":[{"ecosystem_specific":{"binaries":[{"apache2-mod_php5":"5.5.14-68.1","php5":"5.5.14-68.1","php5-bcmath":"5.5.14-68.1","php5-bz2":"5.5.14-68.1","php5-calendar":"5.5.14-68.1","php5-ctype":"5.5.14-68.1","php5-curl":"5.5.14-68.1","php5-dba":"5.5.14-68.1","php5-dom":"5.5.14-68.1","php5-enchant":"5.5.14-68.1","php5-exif":"5.5.14-68.1","php5-fastcgi":"5.5.14-68.1","php5-fileinfo":"5.5.14-68.1","php5-fpm":"5.5.14-68.1","php5-ftp":"5.5.14-68.1","php5-gd":"5.5.14-68.1","php5-gettext":"5.5.14-68.1","php5-gmp":"5.5.14-68.1","php5-iconv":"5.5.14-68.1","php5-imap":"5.5.14-68.1","php5-intl":"5.5.14-68.1","php5-json":"5.5.14-68.1","php5-ldap":"5.5.14-68.1","php5-mbstring":"5.5.14-68.1","php5-mcrypt":"5.5.14-68.1","php5-mysql":"5.5.14-68.1","php5-odbc":"5.5.14-68.1","php5-opcache":"5.5.14-68.1","php5-openssl":"5.5.14-68.1","php5-pcntl":"5.5.14-68.1","php5-pdo":"5.5.14-68.1","php5-pear":"5.5.14-68.1","php5-pgsql":"5.5.14-68.1","php5-phar":"5.5.14-68.1","php5-posix":"5.5.14-68.1","php5-pspell":"5.5.14-68.1","php5-shmop":"5.5.14-68.1","php5-snmp":"5.5.14-68.1","php5-soap":"5.5.14-68.1","php5-sockets":"5.5.14-68.1","php5-sqlite":"5.5.14-68.1","php5-suhosin":"5.5.14-68.1","php5-sysvmsg":"5.5.14-68.1","php5-sysvsem":"5.5.14-68.1","php5-sysvshm":"5.5.14-68.1","php5-tokenizer":"5.5.14-68.1","php5-wddx":"5.5.14-68.1","php5-xmlreader":"5.5.14-68.1","php5-xmlrpc":"5.5.14-68.1","php5-xmlwriter":"5.5.14-68.1","php5-xsl":"5.5.14-68.1","php5-zip":"5.5.14-68.1","php5-zlib":"5.5.14-68.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Web and Scripting 12","name":"php5","purl":"pkg:rpm/suse/php5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"5.5.14-68.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"php5-devel":"5.5.14-68.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Software Development Kit 12 SP1","name":"php5","purl":"pkg:rpm/suse/php5&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP1"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"5.5.14-68.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for php5 fixes the following issues:\n\n* It is possible to launch a web server with 'php -S localhost:8080'\n  It used to be possible to set an arbitrary $HTTP_PROXY environment variable\n  for request handlers -- like CGI scripts -- by including a specially crafted\n  HTTP header in the request (CVE-2016-5385). As a result, these server\n  components would potentially direct all their outgoing HTTP traffic through a\n  malicious proxy server. This patch fixes the issue: the updated php server\n  ignores such HTTP headers and never sets $HTTP_PROXY for sub-processes.\n  (bnc#988486)\n* There was multiple cases where a remote attacker could trigger a double free\n  and, given specific PHP code using callbacks, trigger code execution vectors.\n  (bnc#986246,bnc#986244,CVE-2016-5768,CVE-2016-5772)\n* It was possible to inject header or content information (XSS) when a user was \n  using internet explorer as the browser. (bnc#986004, CVE-2015-8935)\n* In several cases it was possible for a integer overflow to trigger an \n  excessive memory allocation (bnc#986392, bnc#986388, bnc#986386, bnc#986393, \n  CVE-2016-5770, CVE-2016-5769, CVE-2016-5766, CVE-2016-5767)\n* It was possible for an attacker to abuse the garbage collector to free a \n  target array. At this point an attacker could craft a fake zval object and \n  exploit the PHP process by taking over the EIP/RIP. (bnc#986391,\n  CVE-2016-5771)","id":"SUSE-SU-2016:1842-1","modified":"2016-07-20T18:56:58Z","published":"2016-07-20T18:56:58Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2016/suse-su-20161842-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/986004"},{"type":"REPORT","url":"https://bugzilla.suse.com/986244"},{"type":"REPORT","url":"https://bugzilla.suse.com/986246"},{"type":"REPORT","url":"https://bugzilla.suse.com/986386"},{"type":"REPORT","url":"https://bugzilla.suse.com/986388"},{"type":"REPORT","url":"https://bugzilla.suse.com/986391"},{"type":"REPORT","url":"https://bugzilla.suse.com/986392"},{"type":"REPORT","url":"https://bugzilla.suse.com/986393"},{"type":"REPORT","url":"https://bugzilla.suse.com/988486"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-8935"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-5385"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-5766"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-5767"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-5768"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-5769"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-5770"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-5771"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-5772"}],"related":["CVE-2015-8935","CVE-2016-5385","CVE-2016-5766","CVE-2016-5767","CVE-2016-5768","CVE-2016-5769","CVE-2016-5770","CVE-2016-5771","CVE-2016-5772"],"summary":"Security update for php5","upstream":["CVE-2015-8935","CVE-2016-5385","CVE-2016-5766","CVE-2016-5767","CVE-2016-5768","CVE-2016-5769","CVE-2016-5770","CVE-2016-5771","CVE-2016-5772"]}