CVE-2015-2301: Use After Free
First published: Fri Feb 20 2015(Updated: )
Use after free vulnerability reported in PHP "phar" extension [1]. Upstream commit that fixes this: <a href="http://git.php.net/?p=php-src.git;a=commit;h=b2cf3f064b8f5efef89bb084521b61318c71781b">http://git.php.net/?p=php-src.git;a=commit;h=b2cf3f064b8f5efef89bb084521b61318c71781b</a> [1]: <a href="https://bugs.php.net/bug.php?id=68901">https://bugs.php.net/bug.php?id=68901</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/php | <5.5.22 | 5.5.22 |
| redhat/php | <5.6.6 | 5.6.6 |
| Ubuntu Linux | =10.04 | |
| Ubuntu Linux | =12.04 | |
| Ubuntu Linux | =14.04 | |
| Ubuntu Linux | =14.10 | |
| Debian Debian Linux | =7.0 | |
| openSUSE | =13.1 | |
| openSUSE | =13.2 | |
| PHP | >=5.4.0<5.4.40 | |
| PHP | >=5.5.0<5.5.22 | |
| PHP | >=5.6.0<5.6.6 | |
| macOS Yosemite | <=10.10.4 | |
| redhat enterprise Linux desktop | =7.0 | |
| Red Hat Enterprise Linux HPC Node | =7.0 | |
| Red Hat Enterprise Linux HPC Node | =7.1 | |
| redhat enterprise Linux server | =7.0 | |
| redhat enterprise Linux server eus | =7.1 | |
| redhat enterprise Linux workstation | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.php.net/?p=php-src.git;a=commit;h=b2cf3f064b8f5efef89bb084521b61318c71781b
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00005.html
- http://lists.opensuse.org/opensuse-updates/2015-04/msg00002.html
- http://marc.info/?l=bugtraq&m=143403519711434&w=2
- http://marc.info/?l=bugtraq&m=143748090628601&w=2
- http://marc.info/?l=bugtraq&m=144050155601375&w=2
- http://openwall.com/lists/oss-security/2015/03/15/6
- http://php.net/ChangeLog-5.php
- http://rhn.redhat.com/errata/RHSA-2015-1053.html
- http://rhn.redhat.com/errata/RHSA-2015-1066.html
- http://rhn.redhat.com/errata/RHSA-2015-1135.html
- http://rhn.redhat.com/errata/RHSA-2015-1218.html
- http://www.debian.org/security/2015/dsa-3198
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:079
- http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
- http://www.securityfocus.com/bid/73037
- http://www.securitytracker.com/id/1031949
- http://www.ubuntu.com/usn/USN-2535-1
- https://bugs.php.net/bug.php?id=68901
- https://bugzilla.redhat.com/show_bug.cgi?id=1194747
- https://security.gentoo.org/glsa/201606-10
- https://support.apple.com/HT205267
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=b2cf3f064b8f5efef89bb084521b61318c71781b
- http://php.net/ChangeLog-5.php#5.6.6
- http://php.net/ChangeLog-5.php#5.5.22
- https://rhn.redhat.com/errata/RHSA-2015-1066.html
- https://rhn.redhat.com/errata/RHSA-2015-1053.html
- https://rhn.redhat.com/errata/RHSA-2015-1135.html
- https://rhn.redhat.com/errata/RHSA-2015-1218.html
Frequently Asked Questions
What is the severity of CVE-2015-2301?
CVE-2015-2301 is classified as a high severity vulnerability due to the potential for arbitrary code execution through the PHP 'phar' extension.
How do I fix CVE-2015-2301?
To fix CVE-2015-2301, update PHP to version 5.5.22 or 5.6.6 or later, as those versions contain the necessary security patches.
Which PHP versions are affected by CVE-2015-2301?
CVE-2015-2301 affects PHP versions from 5.4.0 up to 5.4.40, 5.5.0 up to 5.5.22, and 5.6.0 up to 5.6.6.
What types of systems are affected by CVE-2015-2301?
CVE-2015-2301 affects several systems, including specific versions of Ubuntu, Debian, openSUSE, and Red Hat Enterprise Linux.
Is CVE-2015-2301 exploitable remotely?
Yes, CVE-2015-2301 can be exploited remotely, allowing attackers to execute malicious code on affected systems.
- agent/type
- agent/first-publish-date
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-2301
- agent/software-canonical-lookup
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/10.04
- version/ubuntu linux/12.04
- version/ubuntu linux/14.04
- version/ubuntu linux/14.10
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- vendor/opensuse
- canonical/opensuse
- version/opensuse/13.1
- version/opensuse/13.2
- vendor/php
- canonical/php
- version/php/5.4.0
- version/php/5.5.0
- version/php/5.6.0
- vendor/apple
- canonical/macos yosemite
- version/macos yosemite/10.10.4
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/7.0
- canonical/red hat enterprise linux hpc node
- version/red hat enterprise linux hpc node/7.0
- version/red hat enterprise linux hpc node/7.1
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server eus
- version/redhat enterprise linux server eus/7.1
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/7.0