- Vulnerability/
- USN-3382-1
USN-3382-1: PHP vulnerabilities
First published: Thu Aug 10 2017(Updated: )
It was discovered that the PHP opcache created keys for files it cached based on their filepath. A local attacker could possibly use this issue in a shared hosting environment to obtain sensitive information. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-8994) It was discovered that the PHP URL parser incorrectly handled certain URI components. A remote attacker could possibly use this issue to bypass hostname-specific URL checks. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-10397) It was discovered that PHP incorrectly handled certain boolean parameters when unserializing data. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2017-11143) Sebastian Li, Wei Lei, Xie Xiaofei, and Liu Yang discovered that PHP incorrectly handled the OpenSSL sealing function. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2017-11144) Wei Lei and Liu Yang discovered that the PHP date extension incorrectly handled memory. A remote attacker could possibly use this issue to disclose sensitive information from the server. (CVE-2017-11145) It was discovered that PHP incorrectly handled certain PHAR archives. A remote attacker could use this issue to cause PHP to crash or disclose sensitive information. This issue only affected Ubuntu 14.04 LTS. (CVE-2017-11147) It was discovered that PHP incorrectly handled locale length. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2017-11362) Wei Lei and Liu Yang discovered that PHP incorrectly handled parsing ini files. An attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2017-11628) It was discovered that PHP mbstring incorrectly handled certain regular expressions. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| ubuntu/libapache2-mod-php7.0 | <7.0.22-0ubuntu0.17.04.1 | 7.0.22-0ubuntu0.17.04.1 |
| =17.04 | ||
| All of | ||
| ubuntu/php7.0-cgi | <7.0.22-0ubuntu0.17.04.1 | 7.0.22-0ubuntu0.17.04.1 |
| =17.04 | ||
| All of | ||
| ubuntu/php7.0-cli | <7.0.22-0ubuntu0.17.04.1 | 7.0.22-0ubuntu0.17.04.1 |
| =17.04 | ||
| All of | ||
| ubuntu/php7.0-fpm | <7.0.22-0ubuntu0.17.04.1 | 7.0.22-0ubuntu0.17.04.1 |
| =17.04 | ||
| All of | ||
| ubuntu/libapache2-mod-php7.0 | <7.0.22-0ubuntu0.16.04.1 | 7.0.22-0ubuntu0.16.04.1 |
| =16.04 | ||
| All of | ||
| ubuntu/php7.0-cgi | <7.0.22-0ubuntu0.16.04.1 | 7.0.22-0ubuntu0.16.04.1 |
| =16.04 | ||
| All of | ||
| ubuntu/php7.0-cli | <7.0.22-0ubuntu0.16.04.1 | 7.0.22-0ubuntu0.16.04.1 |
| =16.04 | ||
| All of | ||
| ubuntu/php7.0-fpm | <7.0.22-0ubuntu0.16.04.1 | 7.0.22-0ubuntu0.16.04.1 |
| =16.04 | ||
| All of | ||
| ubuntu/libapache2-mod-php5 | <5.5.9+dfsg-1ubuntu4.22 | 5.5.9+dfsg-1ubuntu4.22 |
| =14.04 | ||
| All of | ||
| ubuntu/php5-cgi | <5.5.9+dfsg-1ubuntu4.22 | 5.5.9+dfsg-1ubuntu4.22 |
| =14.04 | ||
| All of | ||
| ubuntu/php5-cli | <5.5.9+dfsg-1ubuntu4.22 | 5.5.9+dfsg-1ubuntu4.22 |
| =14.04 | ||
| All of | ||
| ubuntu/php5-fpm | <5.5.9+dfsg-1ubuntu4.22 | 5.5.9+dfsg-1ubuntu4.22 |
| =14.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://ubuntu.com/security/CVE-2015-8994
- https://ubuntu.com/security/CVE-2016-10397
- https://ubuntu.com/security/CVE-2017-11143
- https://ubuntu.com/security/CVE-2017-11144
- https://ubuntu.com/security/CVE-2017-11145
- https://ubuntu.com/security/CVE-2017-11147
- https://ubuntu.com/security/CVE-2017-11362
- https://ubuntu.com/security/CVE-2017-11628
- https://ubuntu.com/security/CVE-2017-9224
- https://ubuntu.com/security/CVE-2017-9226
- https://ubuntu.com/security/CVE-2017-9227
- https://ubuntu.com/security/CVE-2017-9228
- https://ubuntu.com/security/CVE-2017-9229
- https://ubuntu.com/security/notices/USN-3382-2
- https://ubuntu.com/security/notices/USN-3566-2
- https://launchpad.net/ubuntu/+source/php7.0/7.0.22-0ubuntu0.17.04.1
- https://launchpad.net/ubuntu/+source/php7.0/7.0.22-0ubuntu0.16.04.1
- https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.22
- https://ubuntu.com/security/notices/USN-3382-1 (Advisory)
Child vulnerabilities
(Contains the following vulnerabilities)
- agent/last-modified-date
- agent/first-publish-date
- agent/type
- agent/severity
- agent/softwarecombine
- collector/usn
- source/Ubuntu
- anchor-related/USN-3382-2
- anchor-related/USN-3566-2
- agent/software-canonical-lookup
- agent/references
- agent/title
- agent/tags
- agent/description
- agent/event
- agent/trending
- package-manager/ubuntu
- vendor/ubuntu
- canonical/ubuntu ubuntu
- version/ubuntu ubuntu/17.04
- version/ubuntu ubuntu/16.04
- version/ubuntu ubuntu/14.04