Vulnerabilities > CVE-2014-9767 - Path Traversal vulnerability in PHP

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

php

hiphop-virtual-machine-for-php-project

CWE-22

nessus

NVD

Published: 2016-05-22

Updated: 2018-01-05

Summary

Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before 3.12.1 allows remote attackers to create arbitrary empty directories via a crafted ZIP archive.

Vulnerable Configurations

Part	Description	Count
Application	Php PHP PHP - PHP PHP 0.1 PHP PHP 0.1.1 PHP PHP 0.2 PHP PHP 0.2.0 PHP PHP 0.2.1 PHP PHP 0.2.2 PHP PHP 0.2.3 PHP PHP 0.2.4 PHP PHP 0.3 PHP PHP 0.4 PHP PHP 0.5 PHP PHP 0.5.2 PHP PHP 0.5.3 PHP PHP 0.6 PHP PHP 0.7 PHP PHP 0.9 PHP PHP 0.9.0 PHP PHP 0.9.1 PHP PHP 0.9.2 PHP PHP 0.9.3 PHP PHP 0.9.4 PHP PHP 0.10 PHP PHP 0.11 PHP PHP 0.90 PHP PHP 0.91 PHP PHP 1.0 PHP PHP 1.0.0 PHP PHP 1.0.1 PHP PHP 1.0.2 PHP PHP 1.0.3 PHP PHP 1.0.4 PHP PHP 1.1 PHP PHP 1.1.0 PHP PHP 1.1.1 PHP PHP 1.2 PHP PHP 1.2.0 PHP PHP 1.2.1 PHP PHP 1.2.2 PHP PHP 1.2.3 PHP PHP 1.2.4 PHP PHP 1.2.5 PHP PHP 1.3 PHP PHP 1.3.1 PHP PHP 1.3.5 PHP PHP 1.4 PHP PHP 1.5 PHP PHP 2.0 PHP PHP 2.0.0 PHP PHP 2.0.1 PHP PHP 2.0.2 PHP PHP 2.0B10 PHP PHP 3.0 PHP PHP 3.0.1 PHP PHP 3.0.2 PHP PHP 3.0.3 PHP PHP 3.0.4 PHP PHP 3.0.5 PHP PHP 3.0.6 PHP PHP 3.0.7 PHP PHP 3.0.8 PHP PHP 3.0.9 PHP PHP 3.0.10 PHP PHP 3.0.11 PHP PHP 3.0.12 PHP PHP 3.0.13 PHP PHP 3.0.14 PHP PHP 3.0.15 PHP PHP 3.0.16 PHP PHP 3.0.17 PHP PHP 3.0.18 PHP PHP 4.0 PHP PHP 4.0.0 PHP PHP 4.0.1 PHP PHP 4.0.2 PHP PHP 4.0.3 PHP PHP 4.0.4 PHP PHP 4.0.5 PHP PHP 4.0.6 PHP PHP 4.0.7 PHP PHP 4.1.0 PHP PHP 4.1.1 PHP PHP 4.1.2 PHP PHP 4.1.3 PHP PHP 4.2 PHP PHP 4.2.0 PHP PHP 4.2.1 PHP PHP 4.2.2 PHP PHP 4.2.3 PHP PHP 4.2.4 PHP PHP 4.3 PHP PHP 4.3.0 PHP PHP 4.3.1 PHP PHP 4.3.2 PHP PHP 4.3.3 PHP PHP 4.3.4 PHP PHP 4.3.5 PHP PHP 4.3.6 PHP PHP 4.3.7 PHP PHP 4.3.8 PHP PHP 4.3.9 PHP PHP 4.3.10 PHP PHP 4.3.11 PHP PHP 4.4.0 PHP PHP 4.4.1 PHP PHP 4.4.2 PHP PHP 4.4.3 PHP PHP 4.4.4 PHP PHP 4.4.5 PHP PHP 4.4.6 PHP PHP 4.4.7 PHP PHP 4.4.8 PHP PHP 4.4.9 PHP PHP 5.0.0 PHP PHP 5.0.1 PHP PHP 5.0.2 PHP PHP 5.0.3 PHP PHP 5.0.4 PHP PHP 5.0.5 PHP PHP 5.1 PHP PHP 5.1.0 PHP PHP 5.1.1 PHP PHP 5.1.2 PHP PHP 5.1.3 PHP PHP 5.1.4 PHP PHP 5.1.5 PHP PHP 5.1.6 PHP PHP 5.2.0 PHP PHP 5.2.1 PHP PHP 5.2.2 PHP PHP 5.2.3 PHP PHP 5.2.4 PHP PHP 5.2.5 PHP PHP 5.2.6 PHP PHP 5.2.7 PHP PHP 5.2.8 PHP PHP 5.2.9 PHP PHP 5.2.10 PHP PHP 5.2.11 PHP PHP 5.2.12 PHP PHP 5.2.13 PHP PHP 5.2.14 PHP PHP 5.2.15 PHP PHP 5.2.16 PHP PHP 5.2.17 PHP PHP 5.3.0 PHP PHP 5.3.1 PHP PHP 5.3.2 PHP PHP 5.3.3 PHP PHP 5.3.4 PHP PHP 5.3.5 PHP PHP 5.3.6 PHP PHP 5.3.7 PHP PHP 5.3.8 PHP PHP 5.3.9 PHP PHP 5.3.10 PHP PHP 5.3.11 PHP PHP 5.3.12 PHP PHP 5.3.13 PHP PHP 5.3.14 PHP PHP 5.3.15 PHP PHP 5.3.16 PHP PHP 5.3.17 PHP PHP 5.3.18 PHP PHP 5.3.19 PHP PHP 5.3.20 PHP PHP 5.3.21 PHP PHP 5.3.22 PHP PHP 5.3.23 PHP PHP 5.3.24 PHP PHP 5.3.25 PHP PHP 5.3.26 PHP PHP 5.3.27 PHP PHP 5.3.28 PHP PHP 5.3.29 PHP PHP 5.4.0 PHP PHP 5.4.1 PHP PHP 5.4.2 PHP PHP 5.4.3 PHP PHP 5.4.4 PHP PHP 5.4.5 PHP PHP 5.4.6 PHP PHP 5.4.7 PHP PHP 5.4.8 PHP PHP 5.4.9 PHP PHP 5.4.10 PHP PHP 5.4.11 PHP PHP 5.4.12 PHP PHP 5.4.13 PHP PHP 5.4.14 PHP PHP 5.4.15 PHP PHP 5.4.16 PHP PHP 5.4.17 PHP PHP 5.4.18 PHP PHP 5.4.19 PHP PHP 5.4.20 PHP PHP 5.4.21 PHP PHP 5.4.22 PHP PHP 5.4.23 PHP PHP 5.4.24 PHP PHP 5.4.25 PHP PHP 5.4.26 PHP PHP 5.4.27 PHP PHP 5.4.28 PHP PHP 5.4.29 PHP PHP 5.4.30 PHP PHP 5.4.31 PHP PHP 5.4.32 PHP PHP 5.4.33 PHP PHP 5.4.34 PHP PHP 5.4.35 PHP PHP 5.4.36 PHP PHP 5.4.37 PHP PHP 5.4.38 PHP PHP 5.4.39 PHP PHP 5.4.40 PHP PHP 5.4.41 PHP PHP 5.4.42 PHP PHP 5.4.43 PHP PHP 5.4.44 PHP PHP 5.4.45 PHP PHP 5.5.0 PHP PHP 5.5.1 PHP PHP 5.5.2 PHP PHP 5.5.3 PHP PHP 5.5.4 PHP PHP 5.5.5 PHP PHP 5.5.6 PHP PHP 5.5.7 PHP PHP 5.5.8 PHP PHP 5.5.9 PHP PHP 5.5.10 PHP PHP 5.5.11 PHP PHP 5.5.12 PHP PHP 5.5.13 PHP PHP 5.5.14 PHP PHP 5.5.18 PHP PHP 5.5.19 PHP PHP 5.5.20 PHP PHP 5.5.21 PHP PHP 5.5.22 PHP PHP 5.5.23 PHP PHP 5.5.24 PHP PHP 5.5.25 PHP PHP 5.5.26 PHP PHP 5.5.27 PHP PHP 5.5.28 PHP PHP 5.6.0 PHP PHP 5.6.1 PHP PHP 5.6.2 PHP PHP 5.6.3 PHP PHP 5.6.4 PHP PHP 5.6.5 PHP PHP 5.6.6 PHP PHP 5.6.7 PHP PHP 5.6.8 PHP PHP 5.6.9 PHP PHP 5.6.10 PHP PHP 5.6.11 PHP PHP 5.6.12	648
Application	Hiphop_Virtual_Machine_For_Php_Project Hiphop Virtual Machine FOR PHP Project Hiphop Virtual Machine FOR PHP 2.0.0 Hiphop Virtual Machine FOR PHP Project Hiphop Virtual Machine FOR PHP 2.0.1 Hiphop Virtual Machine FOR PHP Project Hiphop Virtual Machine FOR PHP 2.0.2 Hiphop Virtual Machine FOR PHP Project Hiphop Virtual Machine FOR PHP 2.1.0 Hiphop Virtual Machine FOR PHP Project Hiphop Virtual Machine FOR PHP 2.2.0 Hiphop Virtual Machine FOR PHP Project Hiphop Virtual Machine FOR PHP 2.3.0 Hiphop Virtual Machine FOR PHP Project Hiphop Virtual Machine FOR PHP 2.3.1 Hiphop Virtual Machine FOR PHP Project Hiphop Virtual Machine FOR PHP 2.3.2 Hiphop Virtual Machine FOR PHP Project Hiphop Virtual Machine FOR PHP 3.12	9

Common Weakness Enumeration (CWE)

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Common Attack Pattern Enumeration and Classification (CAPEC)

Relative Path Traversal
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
Directory Traversal
An attacker with access to file system resources, either directly or via application logic, will use various file path specification or navigation mechanisms such as ".." in path strings and absolute paths to extend their range of access to inappropriate areas of the file system. The attacker attempts to either explore the file system for recon purposes or access directories and files that are intended to be restricted from their access. Exploring the file system can be achieved through constructing paths presented to directory listing programs, such as "ls" and 'dir', or through specially crafted programs that attempt to explore the file system. The attacker engaging in this type of activity is searching for information that can be used later in a more exploitive attack. Access to restricted directories or files can be achieved through modification of path references utilized by system applications.
File System Function Injection, Content Based
An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
Using Slashes and URL Encoding Combined to Bypass Validation Logic
This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
Manipulating Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

Nessus

NASL family	CGI abuses
NASL id	PHP_7_0_0.NASL
description	According to its banner, the version of PHP running on the remote web server is 7.x prior to 7.0.0. It is, therefore, affected by the following vulnerabilities: - A directory traversal vulnerability in the ZipArchive::extractTo function of ext/zip/php_zip.c script. An unauthenticated, remote attacker can exploit this, by sending a crafted ZIP archive with empty directories, to disclose the contents of files located outside of the server
last seen	2020-06-01
modified	2020-06-02
plugin id	122536
published	2019-03-01
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/122536
title	PHP 7.0.x < 7.0.0 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(122536); script_version("1.2"); script_cvs_date("Date: 2019/10/31 15:18:51"); script_cve_id( "CVE-2014-9767", "CVE-2015-8867", "CVE-2015-8874", "CVE-2015-8879" ); script_bugtraq_id( 76652, 87481, 90714, 90842 ); script_name(english:"PHP 7.0.x < 7.0.0 Multiple Vulnerabilities"); script_summary(english:"Checks the version of PHP."); script_set_attribute(attribute:"synopsis", value: "An application installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the version of PHP running on the remote web server is 7.x prior to 7.0.0. It is, therefore, affected by the following vulnerabilities: - A directory traversal vulnerability in the ZipArchive::extractTo function of ext/zip/php_zip.c script. An unauthenticated, remote attacker can exploit this, by sending a crafted ZIP archive with empty directories, to disclose the contents of files located outside of the server's restricted path. (CVE-2014-9767) - The openssl_random_pseudo_bytes() function in file openssl.c does not generate sufficiently random numbers. This allows an attacker to more easily predict the results, thus allowing further attacks to be carried out. (CVE-2015-8867) - A denial of service (DoS) vulnerability exists in the GD graphics library in the gdImageFillToBorder() function within file gd.c when handling crafted images that have an overly large negative coordinate. An unauthenticated, remote attacker can exploit this, via a crafted image, to crash processes linked against the library. (CVE-2015-8874) - A denial of service (DoS) vulnerability exists in odbc_bindcols function of the ext/odbc/php_odbc.c script due to mishandling driver behavior for SQL_WVARCHAR columns. An unauthenticated, remote attacker can exploit this issue, via the use of odbc_fetch_array function, to cause the application to stop responding. (CVE-2015-8879) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.0.0"); script_set_attribute(attribute:"solution", value: "Upgrade to PHP version 7.0.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-8867"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/03"); script_set_attribute(attribute:"patch_publication_date", value:"2015/12/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/01"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("php_version.nasl"); script_require_keys("www/PHP"); script_require_ports("Services/www", 80); exit(0); } include("vcf.inc"); include("vcf_extras.inc"); include("http.inc"); include("webapp_func.inc"); vcf::php::initialize(); port = get_http_port(default:80, php:TRUE); app_info = vcf::php::get_app_info(port:port); constraints = [ { "min_version" : "7.0.0alpha0", "fixed_version" : "7.0.0" } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

NASL family	CGI abuses
NASL id	PHP_5_6_13.NASL
description	According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.13. It is, therefore, affected by multiple vulnerabilities : - A directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c could allow a remote attacker to create arbitrary empty directories via a crafted ZIP archive. (CVE-2014-9767) - Multiple use-after-free memory errors exist related to the unserialize() function, which a remote attacker can exploit to execute arbitrary code. (CVE-2015-6834) - A use-after-free memory error exists related to the php_var_unserialize() function. A remote attacker, using a crafted serialize string, can exploit this to execute arbitrary code. (CVE-2015-6835) - A type confusion error exists related to the serialize_function_call() function due to improper validation of the headers field, which a remote attacker can exploit to have unspecified impact. (CVE-2015-6836) - A flaw exists in the XSLTProcessor class due to improper validation of input from the libxslt library, which a remote attacker can exploit to have an unspecified impact. (CVE-2015-6837, CVE-2015-6838) - A flaw exists in the php_zip_extract_file() function in file php_zip.c due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this to create arbitrary directories outside of the restricted path. - A NULL pointer dereference flaw exists in the spl_autoload() function in file php_spl.c due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a PHP application to crash. - A flaw exists in the parse_ini_file() and parse_ini_string() functions due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a PHP application to crash. - A flaw exists in the CLI SAPI Web Server due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this to access arbitrary files outside of the restricted path. Note that Nessus has not tested for these issues but has instead relied only on the application
last seen	2020-06-01
modified	2020-06-02
plugin id	85887
published	2015-09-10
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/85887
title	PHP 5.6.x < 5.6.13 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(85887); script_version("1.12"); script_cvs_date("Date: 2019/11/22"); script_cve_id( "CVE-2014-9767", "CVE-2015-6834", "CVE-2015-6835", "CVE-2015-6836", "CVE-2015-6837", "CVE-2015-6838" ); script_bugtraq_id( 76644, 76649, 76652, 76733, 76734, 76738 ); script_name(english:"PHP 5.6.x < 5.6.13 Multiple Vulnerabilities"); script_summary(english:"Checks the version of PHP."); script_set_attribute(attribute:"synopsis", value: "The remote web server uses a version of PHP that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.13. It is, therefore, affected by multiple vulnerabilities : - A directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c could allow a remote attacker to create arbitrary empty directories via a crafted ZIP archive. (CVE-2014-9767) - Multiple use-after-free memory errors exist related to the unserialize() function, which a remote attacker can exploit to execute arbitrary code. (CVE-2015-6834) - A use-after-free memory error exists related to the php_var_unserialize() function. A remote attacker, using a crafted serialize string, can exploit this to execute arbitrary code. (CVE-2015-6835) - A type confusion error exists related to the serialize_function_call() function due to improper validation of the headers field, which a remote attacker can exploit to have unspecified impact. (CVE-2015-6836) - A flaw exists in the XSLTProcessor class due to improper validation of input from the libxslt library, which a remote attacker can exploit to have an unspecified impact. (CVE-2015-6837, CVE-2015-6838) - A flaw exists in the php_zip_extract_file() function in file php_zip.c due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this to create arbitrary directories outside of the restricted path. - A NULL pointer dereference flaw exists in the spl_autoload() function in file php_spl.c due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a PHP application to crash. - A flaw exists in the parse_ini_file() and parse_ini_string() functions due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a PHP application to crash. - A flaw exists in the CLI SAPI Web Server due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this to access arbitrary files outside of the restricted path. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-5.php#5.6.13"); script_set_attribute(attribute:"solution", value: "Upgrade to PHP version 5.6.13 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-6836"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/10"); script_set_attribute(attribute:"patch_publication_date", value:"2015/09/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/09/10"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("php_version.nasl"); script_require_keys("www/PHP"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("webapp_func.inc"); port = get_http_port(default:80, php:TRUE); php = get_php_from_kb( port : port, exit_on_fail : TRUE ); version = php["ver"]; source = php["src"]; backported = get_kb_item('www/php/'+port+'/'+version+'/backported'); if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install"); # Check that it is the correct version of PHP if (version =~ "^5(\.6)?$") audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version); if (version !~ "^5\.6\.") audit(AUDIT_NOT_DETECT, "PHP version 5.6.x", port); if (version =~ "^5\.6\.([0-9]\|1[0-2])($\|[^0-9])") { if (report_verbosity > 0) { report = '\n Version source : '+source + '\n Installed version : '+version + '\n Fixed version : 5.6.13' + '\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2016-517.NASL
description	This update for php5 fixes the following security issues : - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM (bnc#973792). - CVE-2015-8835: SoapClient s_call method suffered from a type confusion issue that could have lead to crashes [bsc#973351] - CVE-2016-2554: A NULL pointer dereference in phar_get_fp_offset could lead to crashes. [bsc#968284] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2016-3141: A use-after-free / double-free in the WDDX deserialization could lead to crashes or potential code execution. [bsc#969821] - CVE-2016-3142: An Out-of-bounds read in phar_parse_zipfile() could lead to crashes. [bsc#971912] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2014-9767: A directory traversal when extracting zip files was fixed that could lead to overwritten files. [bsc#971612] - CVE-2016-3185: A type confusion vulnerability in make_http_soap_request() could lead to crashes or potentially code execution. [bsc#971611] This update was imported from the SUSE:SLE-12:Update update project.
last seen	2020-06-05
modified	2016-04-29
plugin id	90782
published	2016-04-29
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/90782
title	openSUSE Security Update : php5 (openSUSE-2016-517)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2016-517. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(90782); script_version("2.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2014-9767", "CVE-2015-8835", "CVE-2015-8838", "CVE-2016-2554", "CVE-2016-3141", "CVE-2016-3142", "CVE-2016-3185"); script_name(english:"openSUSE Security Update : php5 (openSUSE-2016-517)"); script_summary(english:"Check for the openSUSE-2016-517 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for php5 fixes the following security issues : - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM (bnc#973792). - CVE-2015-8835: SoapClient s_call method suffered from a type confusion issue that could have lead to crashes [bsc#973351] - CVE-2016-2554: A NULL pointer dereference in phar_get_fp_offset could lead to crashes. [bsc#968284] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2016-3141: A use-after-free / double-free in the WDDX deserialization could lead to crashes or potential code execution. [bsc#969821] - CVE-2016-3142: An Out-of-bounds read in phar_parse_zipfile() could lead to crashes. [bsc#971912] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2014-9767: A directory traversal when extracting zip files was fixed that could lead to overwritten files. [bsc#971612] - CVE-2016-3185: A type confusion vulnerability in make_http_soap_request() could lead to crashes or potentially code execution. [bsc#971611] This update was imported from the SUSE:SLE-12:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=968284" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=969821" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=971611" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=971612" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=971912" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=973351" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=973792" ); script_set_attribute(attribute:"solution", value:"Update the affected php5 packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_php5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_php5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-bcmath-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-bz2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-bz2-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-calendar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-calendar-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ctype"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ctype-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-curl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dba-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dom"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dom-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-enchant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-enchant-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-exif"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-exif-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fastcgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fastcgi-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fileinfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fileinfo-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-firebird"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-firebird-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fpm-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ftp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ftp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gd-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gettext"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gettext-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gmp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-iconv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-iconv-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-imap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-intl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-json-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ldap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mbstring-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mcrypt-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mssql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mssql-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mysql-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-odbc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-opcache"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-opcache-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-openssl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-openssl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pcntl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pcntl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pdo-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pear"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pgsql-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-phar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-phar-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-posix"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-posix-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pspell-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-readline"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-readline-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-shmop"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-shmop-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-snmp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-soap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sockets"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sockets-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sqlite-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-suhosin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-suhosin-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvmsg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvmsg-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvsem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvsem-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvshm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvshm-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-tidy-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-tokenizer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-tokenizer-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-wddx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-wddx-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlreader"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlreader-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlrpc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlwriter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlwriter-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xsl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xsl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-zip"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-zip-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-zlib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-zlib-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1"); script_set_attribute(attribute:"patch_publication_date", value:"2016/04/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release =~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586\|i686\|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.1", reference:"apache2-mod_php5-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"apache2-mod_php5-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-bcmath-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-bcmath-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-bz2-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-bz2-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-calendar-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-calendar-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-ctype-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-ctype-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-curl-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-curl-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-dba-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-dba-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-debugsource-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-devel-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-dom-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-dom-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-enchant-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-enchant-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-exif-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-exif-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-fastcgi-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-fastcgi-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-fileinfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-fileinfo-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-firebird-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-firebird-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-fpm-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-fpm-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-ftp-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-ftp-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-gd-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-gd-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-gettext-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-gettext-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-gmp-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-gmp-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-iconv-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-iconv-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-imap-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-imap-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-intl-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-intl-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-json-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-json-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-ldap-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-ldap-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-mbstring-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-mbstring-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-mcrypt-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-mcrypt-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-mssql-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-mssql-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-mysql-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-mysql-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-odbc-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-odbc-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-opcache-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-opcache-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-openssl-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-openssl-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-pcntl-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-pcntl-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-pdo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-pdo-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-pear-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-pgsql-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-pgsql-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-phar-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-phar-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-posix-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-posix-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-pspell-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-pspell-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-readline-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-readline-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-shmop-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-shmop-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-snmp-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-snmp-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-soap-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-soap-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-sockets-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-sockets-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-sqlite-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-sqlite-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-suhosin-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-suhosin-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-sysvmsg-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-sysvmsg-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-sysvsem-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-sysvsem-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-sysvshm-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-sysvshm-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-tidy-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-tidy-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-tokenizer-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-tokenizer-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-wddx-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-wddx-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-xmlreader-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-xmlreader-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-xmlrpc-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-xmlrpc-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-xmlwriter-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-xmlwriter-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-xsl-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-xsl-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-zip-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-zip-debuginfo-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-zlib-5.5.14-44.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"php5-zlib-debuginfo-5.5.14-44.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache2-mod_php5 / apache2-mod_php5-debuginfo / php5 / php5-bcmath / etc"); }

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-1638-1.NASL
description	This update for php53 to version 5.3.17 fixes the following issues : These security issues were fixed : - CVE-2016-5093: get_icu_value_internal out-of-bounds read (bnc#982010). - CVE-2016-5094: Don
last seen	2020-06-01
modified	2020-06-02
plugin id	93161
published	2016-08-29
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/93161
title	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1638-1) (BACKRONYM)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2016:1638-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(93161); script_version("2.8"); script_cvs_date("Date: 2019/09/11 11:22:13"); script_cve_id("CVE-2004-1019", "CVE-2006-7243", "CVE-2014-0207", "CVE-2014-3478", "CVE-2014-3479", "CVE-2014-3480", "CVE-2014-3487", "CVE-2014-3515", "CVE-2014-3597", "CVE-2014-3668", "CVE-2014-3669", "CVE-2014-3670", "CVE-2014-4049", "CVE-2014-4670", "CVE-2014-4698", "CVE-2014-4721", "CVE-2014-5459", "CVE-2014-8142", "CVE-2014-9652", "CVE-2014-9705", "CVE-2014-9709", "CVE-2014-9767", "CVE-2015-0231", "CVE-2015-0232", "CVE-2015-0273", "CVE-2015-1352", "CVE-2015-2301", "CVE-2015-2305", "CVE-2015-2783", "CVE-2015-2787", "CVE-2015-3152", "CVE-2015-3329", "CVE-2015-3411", "CVE-2015-3412", "CVE-2015-4021", "CVE-2015-4022", "CVE-2015-4024", "CVE-2015-4026", "CVE-2015-4116", "CVE-2015-4148", "CVE-2015-4598", "CVE-2015-4599", "CVE-2015-4600", "CVE-2015-4601", "CVE-2015-4602", "CVE-2015-4603", "CVE-2015-4643", "CVE-2015-4644", "CVE-2015-5161", "CVE-2015-5589", "CVE-2015-5590", "CVE-2015-6831", "CVE-2015-6833", "CVE-2015-6836", "CVE-2015-6837", "CVE-2015-6838", "CVE-2015-7803", "CVE-2015-8835", "CVE-2015-8838", "CVE-2015-8866", "CVE-2015-8867", "CVE-2015-8873", "CVE-2015-8874", "CVE-2015-8879", "CVE-2016-2554", "CVE-2016-3141", "CVE-2016-3142", "CVE-2016-3185", "CVE-2016-4070", "CVE-2016-4073", "CVE-2016-4342", "CVE-2016-4346", "CVE-2016-4537", "CVE-2016-4538", "CVE-2016-4539", "CVE-2016-4540", "CVE-2016-4541", "CVE-2016-4542", "CVE-2016-4543", "CVE-2016-4544", "CVE-2016-5093", "CVE-2016-5094", "CVE-2016-5095", "CVE-2016-5096", "CVE-2016-5114"); script_bugtraq_id(44951, 68007, 68120, 68237, 68238, 68239, 68241, 68243, 68423, 68511, 68513, 69322, 69388, 70611, 70665, 70666, 71791, 71932, 72505, 72539, 72541, 72611, 72701, 73031, 73037, 73306, 73431, 74239, 74240, 74398, 74413, 74700, 74902, 74903, 75056, 75103, 75244, 75246, 75249, 75250, 75251, 75252, 75255, 75291, 75292, 75970, 75974); script_name(english:"SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1638-1) (BACKRONYM)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for php53 to version 5.3.17 fixes the following issues : These security issues were fixed : - CVE-2016-5093: get_icu_value_internal out-of-bounds read (bnc#982010). - CVE-2016-5094: Don't create strings with lengths outside int range (bnc#982011). - CVE-2016-5095: Don't create strings with lengths outside int range (bnc#982012). - CVE-2016-5096: int/size_t confusion in fread (bsc#982013). - CVE-2016-5114: fpm_log.c memory leak and buffer overflow (bnc#982162). - CVE-2015-8879: The odbc_bindcols function in ext/odbc/php_odbc.c in PHP mishandles driver behavior for SQL_WVARCHAR columns, which allowed remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table (bsc#981050). - CVE-2015-4116: Use-after-free vulnerability in the spl_ptr_heap_insert function in ext/spl/spl_heap.c in PHP allowed remote attackers to execute arbitrary code by triggering a failed SplMinHeap::compare operation (bsc#980366). - CVE-2015-8874: Stack consumption vulnerability in GD in PHP allowed remote attackers to cause a denial of service via a crafted imagefilltoborder call (bsc#980375). - CVE-2015-8873: Stack consumption vulnerability in Zend/zend_exceptions.c in PHP allowed remote attackers to cause a denial of service (segmentation fault) via recursive method calls (bsc#980373). - CVE-2016-4540: The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c in PHP allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset (bsc#978829). - CVE-2016-4541: The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset (bsc#978829. - CVE-2016-4542: The exif_process_IFD_TAG function in ext/exif/exif.c in PHP did not properly construct spprintf arguments, which allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data (bsc#978830). - CVE-2016-4543: The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP did not validate IFD sizes, which allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data (bsc#978830. - CVE-2016-4544: The exif_process_TIFF_in_JPEG function in ext/exif/exif.c in PHP did not validate TIFF start data, which allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data (bsc#978830. - CVE-2016-4537: The bcpowmod function in ext/bcmath/bcmath.c in PHP accepted a negative integer for the scale argument, which allowed remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call (bsc#978827). - CVE-2016-4538: The bcpowmod function in ext/bcmath/bcmath.c in PHP modified certain data structures without considering whether they are copies of the _zero_, _one_, or _two_ global variable, which allowed remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call (bsc#978827). - CVE-2016-4539: The xml_parse_into_struct function in ext/xml/xml.c in PHP allowed remote attackers to cause a denial of service (buffer under-read and segmentation fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a parser level of zero (bsc#978828). - CVE-2016-4342: ext/phar/phar_object.c in PHP mishandles zero-length uncompressed data, which allowed remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) TAR, (2) ZIP, or (3) PHAR archive (bsc#977991). - CVE-2016-4346: Integer overflow in the str_pad function in ext/standard/string.c in PHP allowed remote attackers to cause a denial of service or possibly have unspecified other impact via a long string, leading to a heap-based buffer overflow (bsc#977994). - CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP allowed remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call (bsc#977003). - CVE-2015-8867: The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in PHP incorrectly relied on the deprecated RAND_pseudo_bytes function, which made it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors (bsc#977005). - CVE-2016-4070: Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP allowed remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function (bsc#976997). - CVE-2015-8866: ext/libxml/libxml.c in PHP when PHP-FPM is used, did not isolate each thread from libxml_disable_entity_loader changes in other threads, which allowed remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161 (bsc#976996). - CVE-2015-8838: ext/mysqlnd/mysqlnd.c in PHP used a client SSL option to mean that SSL is optional, which allowed man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152 (bsc#973792). - CVE-2015-8835: The make_http_soap_request function in ext/soap/php_http.c in PHP did not properly retrieve keys, which allowed remote attackers to cause a denial of service (NULL pointer dereference, type confusion, and application crash) or possibly execute arbitrary code via crafted serialized data representing a numerically indexed _cookies array, related to the SoapClient::__call method in ext/soap/soap.c (bsc#973351). - CVE-2016-3141: Use-after-free vulnerability in wddx.c in the WDDX extension in PHP allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element (bsc#969821). - CVE-2016-3142: The phar_parse_zipfile function in zip.c in the PHAR extension in PHP allowed remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid location (bsc#971912). - CVE-2014-9767: Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP ext/zip/ext_zip.cpp in HHVM allowed remote attackers to create arbitrary empty directories via a crafted ZIP archive (bsc#971612). - CVE-2016-3185: The make_http_soap_request function in ext/soap/php_http.c in PHP allowed remote attackers to obtain sensitive information from process memory or cause a denial of service (type confusion and application crash) via crafted serialized _cookies data, related to the SoapClient::__call method in ext/soap/soap.c (bsc#971611). - CVE-2016-2554: Stack-based buffer overflow in ext/phar/tar.c in PHP allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TAR archive (bsc#968284). - CVE-2015-7803: The phar_get_entry_data function in ext/phar/util.c in PHP allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a .phar file with a crafted TAR archive entry in which the Link indicator references a file that did not exist (bsc#949961). - CVE-2015-6831: Multiple use-after-free vulnerabilities in SPL in PHP allowed remote attackers to execute arbitrary code via vectors involving (1) ArrayObject, (2) SplObjectStorage, and (3) SplDoublyLinkedList, which are mishandled during unserialization (bsc#942291). - CVE-2015-6833: Directory traversal vulnerability in the PharData class in PHP allowed remote attackers to write to arbitrary files via a .. (dot dot) in a ZIP archive entry that is mishandled during an extractTo call (bsc#942296. - CVE-2015-6836: The SoapClient __call method in ext/soap/soap.c in PHP did not properly manage headers, which allowed remote attackers to execute arbitrary code via crafted serialized data that triggers a 'type confusion' in the serialize_function_call function (bsc#945428). - CVE-2015-6837: The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP when libxml2 is used, did not consider the possibility of a NULL valuePop return value proceeding with a free operation during initial error checking, which allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6838 (bsc#945412). - CVE-2015-6838: The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP when libxml2 is used, did not consider the possibility of a NULL valuePop return value proceeding with a free operation after the principal argument loop, which allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837 (bsc#945412). - CVE-2015-5590: Stack-based buffer overflow in the phar_fix_filepath function in ext/phar/phar.c in PHP allowed remote attackers to cause a denial of service or possibly have unspecified other impact via a large length value, as demonstrated by mishandling of an e-mail attachment by the imap PHP extension (bsc#938719). - CVE-2015-5589: The phar_convert_to_other function in ext/phar/phar_object.c in PHP did not validate a file pointer a close operation, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted TAR archive that is mishandled in a Phar::convertToData call (bsc#938721). - CVE-2015-4602: The __PHP_Incomplete_Class function in ext/standard/incomplete_class.c in PHP allowed remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to a 'type confusion' issue (bsc#935224). - CVE-2015-4599: The SoapFault::__toString method in ext/soap/soap.c in PHP allowed remote attackers to obtain sensitive information, cause a denial of service (application crash), or possibly execute arbitrary code via an unexpected data type, related to a 'type confusion' issue (bsc#935226). - CVE-2015-4600: The SoapClient implementation in PHP allowed remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to 'type confusion' issues in the (1) SoapClient::__getLastRequest, (2) SoapClient::__getLastResponse, (3) SoapClient::__getLastRequestHeaders, (4) SoapClient::__getLastResponseHeaders, (5) SoapClient::__getCookies, and (6) SoapClient::__setCookie methods (bsc#935226). - CVE-2015-4601: PHP allowed remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to 'type confusion' issues in (1) ext/soap/php_encoding.c, (2) ext/soap/php_http.c, and (3) ext/soap/soap.c, a different issue than CVE-2015-4600 (bsc#935226. - CVE-2015-4603: The exception::getTraceAsString function in Zend/zend_exceptions.c in PHP allowed remote attackers to execute arbitrary code via an unexpected data type, related to a 'type confusion' issue (bsc#935234). - CVE-2015-4644: The php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP did not validate token extraction for table names, which might allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1352 (bsc#935274). - CVE-2015-4643: Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP allowed remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-4022 (bsc#935275). - CVE-2015-3411: PHP did not ensure that pathnames lack %00 sequences, which might have allowed remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename\0.xml attack that bypasses an intended configuration in which client users may read only .xml files (bsc#935227). - CVE-2015-3412: PHP did not ensure that pathnames lack %00 sequences, which might have allowed remote attackers to read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename\0.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension (bsc#935229). - CVE-2015-4598: PHP did not ensure that pathnames lack %00 sequences, which might have allowed remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as demonstrated by a filename\0.html attack that bypasses an intended configuration in which client users may write to only .html files (bsc#935232). - CVE-2015-4148: The do_soap_call function in ext/soap/soap.c in PHP did not verify that the uri property is a string, which allowed remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a 'type confusion' issue (bsc#933227). - CVE-2015-4024: Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP allowed remote attackers to cause a denial of service (CPU consumption) via crafted form data that triggers an improper order-of-growth outcome (bsc#931421). - CVE-2015-4026: The pcntl_exec implementation in PHP truncates a pathname upon encountering a \x00 character, which might allowed remote attackers to bypass intended extension restrictions and execute files with unexpected names via a crafted first argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243 (bsc#931776). - CVE-2015-4022: Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP allowed remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow (bsc#931772). - CVE-2015-4021: The phar_parse_tarfile function in ext/phar/tar.c in PHP did not verify that the first character of a filename is different from the \0 character, which allowed remote attackers to cause a denial of service (integer underflow and memory corruption) via a crafted entry in a tar archive (bsc#931769). - CVE-2015-3329: Multiple stack-based buffer overflows in the phar_set_inode function in phar_internal.h in PHP allowed remote attackers to execute arbitrary code via a crafted length value in a (1) tar, (2) phar, or (3) ZIP archive (bsc#928506). - CVE-2015-2783: ext/phar/phar.c in PHP allowed remote attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read and application crash) via a crafted length value in conjunction with crafted serialized data in a phar archive, related to the phar_parse_metadata and phar_parse_pharfile functions (bsc#928511). - CVE-2015-2787: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP allowed remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231 (bsc#924972). - CVE-2014-9709: The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP allowed remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function (bsc#923945). - CVE-2015-2301: Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted renaming of a Phar archive to the name of an existing file (bsc#922452). - CVE-2015-2305: Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) 32-bit platforms might have allowed context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow (bsc#921950). - CVE-2014-9705: Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP allowed remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries (bsc#922451). - CVE-2015-0273: Multiple use-after-free vulnerabilities in ext/date/php_date.c in PHP allowed remote attackers to execute arbitrary code via crafted serialized input containing a (1) R or (2) r type specifier in (a) DateTimeZone data handled by the php_date_timezone_initialize_from_hash function or (b) DateTime data handled by the php_date_initialize_from_hash function (bsc#918768). - CVE-2014-9652: The mconvert function in softmagic.c in file as used in the Fileinfo component in PHP did not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allowed remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted file (bsc#917150). - CVE-2014-8142: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP allowed remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019 (bsc#910659). - CVE-2015-0231: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP allowed remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142 (bsc#910659). - CVE-2014-8142: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP allowed remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019 (bsc#910659). - CVE-2015-0232: The exif_process_unicode function in ext/exif/exif.c in PHP allowed remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image (bsc#914690). - CVE-2014-3670: The exif_ifd_make_value function in exif.c in the EXIF extension in PHP operates on floating-point arrays incorrectly, which allowed remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted JPEG image with TIFF thumbnail data that is improperly handled by the exif_thumbnail function (bsc#902357). - CVE-2014-3669: Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP allowed remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value (bsc#902360). - CVE-2014-3668: Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP allowed remote attackers to cause a denial of service (application crash) via (1) a crafted first argument to the xmlrpc_set_type function or (2) a crafted argument to the xmlrpc_decode function, related to an out-of-bounds read operation (bsc#902368). - CVE-2014-5459: The PEAR_REST class in REST.php in PEAR in PHP allowed local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to the retrieveCacheFirst and useLocalCache functions (bsc#893849). - CVE-2014-3597: Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP allowed remote DNS servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted DNS record, related to the dns_get_record function and the dn_expand function. NOTE: this issue exists because of an incomplete fix for CVE-2014-4049 (bsc#893853). - CVE-2014-4670: Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP allowed context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments (bsc#886059). - CVE-2014-4698: Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP allowed context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments (bsc#886060). - CVE-2014-4721: The phpinfo implementation in ext/standard/info.c in PHP did not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allowed context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a 'type confusion' vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php (bsc#885961). - CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file as used in the Fileinfo component in PHP allowed remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file (bsc#884986). - CVE-2014-3478: Buffer overflow in the mconvert function in softmagic.c in file as used in the Fileinfo component in PHP allowed remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a FILE_PSTRING conversion (bsc#884987). - CVE-2014-3479: The cdf_check_stream_offset function in cdf.c in file as used in the Fileinfo component in PHP relies on incorrect sector-size data, which allowed remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file (bsc#884989). - CVE-2014-3480: The cdf_count_chain function in cdf.c in file as used in the Fileinfo component in PHP did not properly validate sector-count data, which allowed remote attackers to cause a denial of service (application crash) via a crafted CDF file (bsc#884990). - CVE-2014-3487: The cdf_read_property_info function in file as used in the Fileinfo component in PHP did not properly validate a stream offset, which allowed remote attackers to cause a denial of service (application crash) via a crafted CDF file (bsc#884991). - CVE-2014-3515: The SPL component in PHP incorrectly anticipates that certain data structures will have the array data type after unserialization, which allowed remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to 'type confusion' issues in (1) ArrayObject and (2) SPLObjectStorage (bsc#884992). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=884986" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=884987" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=884989" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=884990" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=884991" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=884992" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=885961" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=886059" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=886060" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=893849" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=893853" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=902357" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=902360" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=902368" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=910659" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=914690" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=917150" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=918768" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=919080" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=921950" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=922451" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=922452" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=923945" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=924972" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=925109" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=928506" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=928511" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=931421" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=931769" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=931772" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=931776" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=933227" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=935074" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=935224" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=935226" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=935227" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=935229" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=935232" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=935234" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=935274" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=935275" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=938719" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=938721" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=942291" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=942296" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=945412" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=945428" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=949961" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=968284" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=969821" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=971611" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=971612" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=971912" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=973351" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=973792" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=976996" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=976997" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=977003" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=977005" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=977991" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=977994" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=978827" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=978828" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=978829" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=978830" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=980366" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=980373" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=980375" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=981050" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=982010" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=982011" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=982012" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=982013" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=982162" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2004-1019/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2006-7243/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-0207/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-3478/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-3479/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-3480/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-3487/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-3515/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-3597/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-3668/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-3669/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-3670/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-4049/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-4670/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-4698/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-4721/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-5459/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-8142/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-9652/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-9705/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-9709/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-9767/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-0231/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-0232/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-0273/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-1352/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-2301/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-2305/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-2783/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-2787/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-3152/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-3329/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-3411/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-3412/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4021/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4022/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4024/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4026/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4116/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4148/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4598/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4599/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4600/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4601/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4602/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4603/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4643/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4644/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-5161/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-5589/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-5590/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-6831/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-6833/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-6836/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-6837/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-6838/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-7803/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8835/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8838/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8866/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8867/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8873/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8874/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8879/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-2554/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-3141/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-3142/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-3185/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4070/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4073/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4342/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4346/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4537/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4538/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4539/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4540/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4541/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4542/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4543/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4544/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5093/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5094/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5095/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5096/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5114/" ); # https://www.suse.com/support/update/announcement/2016/suse-su-20161638-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?dc947fb9" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server 11-SP2-LTSS : zypper in -t patch slessp2-php53-12621=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(20); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:apache2-mod_php53"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-bz2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-calendar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-ctype"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-dom"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-exif"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-fastcgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-fileinfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-ftp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-gettext"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-iconv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-openssl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pcntl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pear"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-shmop"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-suhosin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-sysvmsg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-sysvsem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-sysvshm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-tokenizer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-wddx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-xmlreader"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-xmlwriter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-xsl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-zip"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-zlib"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/10"); script_set_attribute(attribute:"patch_publication_date", value:"2016/06/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/29"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release !~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S\|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES11" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP2", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES11", sp:"2", reference:"apache2-mod_php53-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-bcmath-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-bz2-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-calendar-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-ctype-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-curl-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-dba-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-dom-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-exif-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-fastcgi-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-fileinfo-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-ftp-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-gd-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-gettext-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-gmp-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-iconv-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-intl-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-json-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-ldap-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-mbstring-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-mcrypt-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-mysql-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-odbc-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-openssl-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-pcntl-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-pdo-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-pear-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-pgsql-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-pspell-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-shmop-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-snmp-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-soap-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-suhosin-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-sysvmsg-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-sysvsem-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-sysvshm-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-tokenizer-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-wddx-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-xmlreader-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-xmlrpc-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-xmlwriter-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-xsl-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-zip-5.3.17-47.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"php53-zlib-5.3.17-47.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php53"); }

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-2649.NASL
description	According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - DISPUTED Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says
last seen	2020-05-08
modified	2019-12-18
plugin id	132184
published	2019-12-18
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/132184
title	EulerOS 2.0 SP3 : php (EulerOS-SA-2019-2649)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(132184); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07"); script_cve_id( "CVE-2011-4718", "CVE-2014-9767", "CVE-2014-9912", "CVE-2015-4116", "CVE-2015-5589", "CVE-2015-6831", "CVE-2015-6832", "CVE-2015-6833", "CVE-2015-7803", "CVE-2015-7804", "CVE-2015-8835", "CVE-2015-8866", "CVE-2015-8874", "CVE-2015-8879", "CVE-2015-8935", "CVE-2016-10158", "CVE-2016-10159", "CVE-2016-10161", "CVE-2016-10397", "CVE-2016-2554", "CVE-2016-3141", "CVE-2016-3142", "CVE-2016-3185", "CVE-2016-4070", "CVE-2016-4539", "CVE-2016-4540", "CVE-2016-4541", "CVE-2016-4542", "CVE-2016-4543", "CVE-2016-5093", "CVE-2016-5094", "CVE-2016-6288", "CVE-2016-6291", "CVE-2016-6292", "CVE-2016-6294", "CVE-2016-7124", "CVE-2016-7125", "CVE-2016-7128", "CVE-2016-7411", "CVE-2016-7412", "CVE-2016-7414", "CVE-2016-7418", "CVE-2016-7480", "CVE-2016-9934", "CVE-2016-9935", "CVE-2017-11143", "CVE-2017-11144", "CVE-2017-11147", "CVE-2017-11628", "CVE-2017-12933", "CVE-2017-16642", "CVE-2017-7272", "CVE-2017-9224", "CVE-2017-9226", "CVE-2017-9227", "CVE-2017-9228", "CVE-2017-9229", "CVE-2018-10545", "CVE-2018-10547", "CVE-2018-14851", "CVE-2018-17082", "CVE-2018-5711", "CVE-2018-5712", "CVE-2019-11043" ); script_bugtraq_id( 61929, 75974 ); script_name(english:"EulerOS 2.0 SP3 : php (EulerOS-SA-2019-2649)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - DISPUTED Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says 'Not sure if this qualifies as security issue (probably not).'(CVE-2016-4070) - An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.(CVE-2018-10547) - An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parse_char_class() could create an execution path that leaves a critical local variable uninitialized until it's used as an index, resulting in an out-of-bounds write memory corruption.(CVE-2017-9228) - An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of '\700' would produce an invalid code point value larger than 0xff in next_state_val(), resulting in an out-of-bounds write memory corruption.(CVE-2017-9226) - An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition.(CVE-2017-9229) - An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.(CVE-2017-9224) - An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg->dmin in forward_search_range() could result in an invalid pointer dereference, as an out-of-bounds read from a stack buffer.(CVE-2017-9227) - An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.(CVE-2018-5712) - An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM worker process.(CVE-2018-10545) - Directory traversal vulnerability in the PharData class in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to write to arbitrary files via a .. (dot dot) in a ZIP archive entry that is mishandled during an extractTo call.(CVE-2015-6833) - Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before 3.12.1 allows remote attackers to create arbitrary empty directories via a crafted ZIP archive.(CVE-2014-9767) - exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.(CVE-2018-14851) - ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.(CVE-2015-8866) - ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata.(CVE-2016-7412) - ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by leveraging control of a session name, as demonstrated by object injection.(CVE-2016-7125) - ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.(CVE-2016-7124) - ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.(CVE-2016-7411) - ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.(CVE-2016-9934) - gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.(CVE-2018-5711) - In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:[email protected]/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c).(CVE-2016-10397) - In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.(CVE-2017-11147) - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a stack-based buffer overflow in the zend_ini_do_op() function in Zend/zend_ini_parser.c could cause a denial of service or potentially allow executing code. NOTE: this is only relevant for PHP applications that accept untrusted input (instead of the system's php.ini file) for the parse_ini_string or parse_ini_file function, e.g., a web application for syntax validation of php.ini directives.(CVE-2017-11628) - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission.(CVE-2017-11144) - In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c.(CVE-2017-11143) - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.(CVE-2017-16642) - In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.(CVE-2019-11043) - Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive.(CVE-2016-10159) - Integer overflow in the php_html_entities function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from the htmlspecialchars function.(CVE-2016-5094) - Multiple use-after-free vulnerabilities in SPL in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allow remote attackers to execute arbitrary code via vectors involving (1) ArrayObject, (2) SplObjectStorage, and (3) SplDoublyLinkedList, which are mishandled during unserialization.(CVE-2015-6831) - Off-by-one error in the phar_parse_zipfile function in ext/phar/zip.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (uninitialized pointer dereference and application crash) by including the / filename in a .zip PHAR archive.(CVE-2015-7804) - PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function.(CVE-2017-7272) - Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID.(CVE-2011-4718) - Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call.(CVE-2015-8874) - Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TAR archive.(CVE-2016-2554) - The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a 'Transfer-Encoding: chunked' request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.(CVE-2018-17082) - The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (application crash) via crafted EXIF data that triggers an attempt to divide the minimum representable negative integer by -1.(CVE-2016-10158) - The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.(CVE-2016-4543) - The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image.(CVE-2016-6291) - The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles the case of a thumbnail offset that exceeds the file size, which allows remote attackers to obtain sensitive information from process memory via a crafted TIFF image.(CVE-2016-7128) - The exif_process_IFD_TAG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not properly construct spprintf arguments, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.(CVE-2016-4542) - The exif_process_user_comment function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted JPEG image.(CVE-2016-6292) - The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.(CVE-2017-12933) - The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument.(CVE-2014-9912) - The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7 does not ensure the presence of a '\0' character, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted locale_get_primary_language call.(CVE-2016-5093) - The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset.(CVE-2016-4540) - The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset.(CVE-2016-4541) - The locale_accept_from_http function in ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument.(CVE-2016-6294) - The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (type confusion and application crash) via crafted serialized _cookies data, related to the SoapClient::__call method in ext/soap/soap.c.(CVE-2016-3185) - The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not properly retrieve keys, which allows remote attackers to cause a denial of service (NULL pointer dereference, type confusion, and application crash) or possibly execute arbitrary code via crafted serialized data representing a numerically indexed _cookies array, related to the SoapClient::__call method in ext/soap/soap.c.(CVE-2015-8835) - The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.(CVE-2016-10161) - The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table.(CVE-2015-8879) - The phar_convert_to_other function in ext/phar/phar_object.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 does not validate a file pointer before a close operation, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted TAR archive that is mishandled in a Phar::convertToData call.(CVE-2015-5589) - The phar_get_entry_data function in ext/phar/util.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a .phar file with a crafted TAR archive entry in which the Link indicator references a file that does not exist.(CVE-2015-7803) - The phar_parse_zipfile function in zip.c in the PHAR extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid location.(CVE-2016-3142) - The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the smart_str data type.(CVE-2016-6288) - The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.(CVE-2016-7418) - The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document.(CVE-2016-9935) - The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer by leveraging (1) %0A%20 or (2) %0D%0A%20 mishandling in the header function.(CVE-2015-8935) - The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.(CVE-2016-7480) - The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (buffer under-read and segmentation fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a parser level of zero.(CVE-2016-4539) - The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c.(CVE-2016-7414) - Use-after-free vulnerability in the SPL unserialize implementation in ext/spl/spl_array.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to execute arbitrary code via crafted serialized data that triggers misuse of an array field.(CVE-2015-6832) - Use-after-free vulnerability in the spl_ptr_heap_insert function in ext/spl/spl_heap.c in PHP before 5.5.27 and 5.6.x before 5.6.11 allows remote attackers to execute arbitrary code by triggering a failed SplMinHeap::compare operation.(CVE-2015-4116) - Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element.(CVE-2016-3141) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2649 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cd44f4b5"); script_set_attribute(attribute:"solution", value: "Update the affected php packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'PHP-FPM Underflow RCE'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"patch_publication_date", value:"2019/12/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/18"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-process"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-recode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-xmlrpc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) \|\| release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D\|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) \|\| sp !~ "^(3)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["php-5.4.16-42.h51", "php-cli-5.4.16-42.h51", "php-common-5.4.16-42.h51", "php-gd-5.4.16-42.h51", "php-ldap-5.4.16-42.h51", "php-mysql-5.4.16-42.h51", "php-odbc-5.4.16-42.h51", "php-pdo-5.4.16-42.h51", "php-pgsql-5.4.16-42.h51", "php-process-5.4.16-42.h51", "php-recode-5.4.16-42.h51", "php-soap-5.4.16-42.h51", "php-xml-5.4.16-42.h51", "php-xmlrpc-5.4.16-42.h51"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"3", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php"); }

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-1166-1.NASL
description	This update for php5 fixes the following security issues : - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM (bnc#973792). - CVE-2015-8835: SoapClient s_call method suffered from a type confusion issue that could have lead to crashes [bsc#973351] - CVE-2016-2554: A NULL pointer dereference in phar_get_fp_offset could lead to crashes. [bsc#968284] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2016-3141: A use-after-free / double-free in the WDDX deserialization could lead to crashes or potential code execution. [bsc#969821] - CVE-2016-3142: An Out-of-bounds read in phar_parse_zipfile() could lead to crashes. [bsc#971912] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2014-9767: A directory traversal when extracting zip files was fixed that could lead to overwritten files. [bsc#971612] - CVE-2016-3185: A type confusion vulnerability in make_http_soap_request() could lead to crashes or potentially code execution. [bsc#971611] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-03-24
modified	2019-01-02
plugin id	119975
published	2019-01-02
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/119975
title	SUSE SLES12 Security Update : php5 (SUSE-SU-2016:1166-1)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2016:1166-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(119975); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/23"); script_cve_id("CVE-2014-9767", "CVE-2015-8835", "CVE-2015-8838", "CVE-2016-2554", "CVE-2016-3141", "CVE-2016-3142", "CVE-2016-3185"); script_name(english:"SUSE SLES12 Security Update : php5 (SUSE-SU-2016:1166-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for php5 fixes the following security issues : - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM (bnc#973792). - CVE-2015-8835: SoapClient s_call method suffered from a type confusion issue that could have lead to crashes [bsc#973351] - CVE-2016-2554: A NULL pointer dereference in phar_get_fp_offset could lead to crashes. [bsc#968284] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2016-3141: A use-after-free / double-free in the WDDX deserialization could lead to crashes or potential code execution. [bsc#969821] - CVE-2016-3142: An Out-of-bounds read in phar_parse_zipfile() could lead to crashes. [bsc#971912] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2014-9767: A directory traversal when extracting zip files was fixed that could lead to overwritten files. [bsc#971612] - CVE-2016-3185: A type confusion vulnerability in make_http_soap_request() could lead to crashes or potentially code execution. [bsc#971611] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=968284" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=969821" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=971611" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=971612" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=971912" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=973351" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=973792" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-9767/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8835/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8838/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-2554/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-3141/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-3142/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-3185/" ); # https://www.suse.com/support/update/announcement/2016/suse-su-20161166-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?0f6bf5ef" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 12-SP1 : zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-688=1 SUSE Linux Enterprise Software Development Kit 12 : zypper in -t patch SUSE-SLE-SDK-12-2016-688=1 SUSE Linux Enterprise Module for Web Scripting 12 : zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2016-688=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:apache2-mod_php5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:apache2-mod_php5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-bcmath-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-bz2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-bz2-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-calendar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-calendar-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ctype"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ctype-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-curl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-dba-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-dom"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-dom-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-enchant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-enchant-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-exif"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-exif-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fastcgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fastcgi-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fileinfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fileinfo-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fpm-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ftp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ftp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gd-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gettext"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gettext-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gmp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-iconv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-iconv-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-intl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-json-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ldap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mbstring-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mcrypt-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mysql-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-odbc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-opcache"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-opcache-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-openssl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-openssl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pcntl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pcntl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pdo-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pgsql-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-posix"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-posix-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pspell-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-shmop"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-shmop-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-snmp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-soap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sockets"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sockets-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sqlite-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-suhosin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-suhosin-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvmsg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvmsg-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvsem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvsem-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvshm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvshm-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-tokenizer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-tokenizer-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-wddx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-wddx-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlreader"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlreader-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlrpc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlwriter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlwriter-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xsl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xsl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-zip"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-zip-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-zlib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-zlib-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/31"); script_set_attribute(attribute:"patch_publication_date", value:"2016/04/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/02"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release !~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S\|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"0", reference:"apache2-mod_php5-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"apache2-mod_php5-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-bcmath-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-bcmath-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-bz2-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-bz2-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-calendar-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-calendar-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ctype-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ctype-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-curl-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-curl-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-dba-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-dba-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-debugsource-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-dom-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-dom-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-enchant-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-enchant-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-exif-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-exif-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fastcgi-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fastcgi-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fileinfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fileinfo-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fpm-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fpm-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ftp-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ftp-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gd-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gd-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gettext-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gettext-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gmp-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gmp-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-iconv-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-iconv-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-intl-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-intl-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-json-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-json-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ldap-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ldap-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mbstring-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mbstring-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mcrypt-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mcrypt-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mysql-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mysql-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-odbc-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-odbc-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-opcache-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-opcache-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-openssl-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-openssl-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pcntl-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pcntl-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pdo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pdo-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pgsql-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pgsql-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-posix-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-posix-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pspell-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pspell-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-shmop-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-shmop-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-snmp-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-snmp-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-soap-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-soap-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sockets-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sockets-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sqlite-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sqlite-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-suhosin-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-suhosin-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvmsg-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvmsg-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvsem-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvsem-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvshm-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvshm-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-tokenizer-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-tokenizer-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-wddx-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-wddx-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlreader-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlreader-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlrpc-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlrpc-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlwriter-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlwriter-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xsl-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xsl-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-zip-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-zip-debuginfo-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-zlib-5.5.14-53.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-zlib-debuginfo-5.5.14-53.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php5"); }

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2016-516.NASL
description	This update for php5 fixes the following security issues : - bsc#974305: buffer overflow in libmagic - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM (bnc#973792). - CVE-2015-8835: SoapClient s__call method suffered from type confusion issue (bnc#973351). - CVE-2016-3141: A use-after-free / double-free in the WDDX deserialization could lead to crashes or potential code execution. [bsc#969821] - CVE-2016-3142: An Out-of-bounds read in phar_parse_zipfile() could lead to crashes. [bsc#971912] - CVE-2014-9767: A directory traversal when extracting zip files was fixed that could lead to overwritten files. [bsc#971612] - CVE-2016-3185: A type confusion vulnerability in make_http_soap_request() could lead to crashes or potentially code execution. [bsc#971611]
last seen	2020-06-05
modified	2016-04-28
plugin id	90772
published	2016-04-28
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/90772
title	openSUSE Security Update : php5 (openSUSE-2016-516)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2016-516. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(90772); script_version("2.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2014-9767", "CVE-2015-8835", "CVE-2015-8838", "CVE-2016-3141", "CVE-2016-3142", "CVE-2016-3185"); script_name(english:"openSUSE Security Update : php5 (openSUSE-2016-516)"); script_summary(english:"Check for the openSUSE-2016-516 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for php5 fixes the following security issues : - bsc#974305: buffer overflow in libmagic - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM (bnc#973792). - CVE-2015-8835: SoapClient s__call method suffered from type confusion issue (bnc#973351). - CVE-2016-3141: A use-after-free / double-free in the WDDX deserialization could lead to crashes or potential code execution. [bsc#969821] - CVE-2016-3142: An Out-of-bounds read in phar_parse_zipfile() could lead to crashes. [bsc#971912] - CVE-2014-9767: A directory traversal when extracting zip files was fixed that could lead to overwritten files. [bsc#971612] - CVE-2016-3185: A type confusion vulnerability in make_http_soap_request() could lead to crashes or potentially code execution. [bsc#971611]" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=969821" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=971611" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=971612" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=971912" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=973351" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=973792" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=974305" ); script_set_attribute(attribute:"solution", value:"Update the affected php5 packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_php5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_php5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-bcmath-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-bz2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-bz2-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-calendar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-calendar-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ctype"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ctype-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-curl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dba-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dom"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-dom-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-enchant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-enchant-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-exif"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-exif-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fastcgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fastcgi-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fileinfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fileinfo-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-firebird"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-firebird-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-fpm-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ftp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ftp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gd-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gettext"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gettext-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-gmp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-iconv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-iconv-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-imap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-intl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-json-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-ldap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mbstring-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mcrypt-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mssql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mssql-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-mysql-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-odbc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-opcache"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-opcache-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-openssl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-openssl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pcntl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pcntl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pdo-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pear"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pgsql-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-phar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-phar-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-posix"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-posix-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-pspell-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-readline"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-readline-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-shmop"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-shmop-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-snmp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-soap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sockets"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sockets-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sqlite-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-suhosin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-suhosin-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvmsg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvmsg-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvsem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvsem-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvshm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-sysvshm-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-tidy-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-tokenizer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-tokenizer-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-wddx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-wddx-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlreader"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlreader-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlrpc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlwriter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xmlwriter-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xsl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-xsl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-zip"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-zip-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-zlib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php5-zlib-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2"); script_set_attribute(attribute:"patch_publication_date", value:"2016/04/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/28"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release =~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586\|i686\|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE13.2", reference:"apache2-mod_php5-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"apache2-mod_php5-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-bcmath-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-bcmath-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-bz2-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-bz2-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-calendar-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-calendar-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-ctype-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-ctype-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-curl-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-curl-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-dba-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-dba-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-debugsource-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-devel-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-dom-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-dom-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-enchant-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-enchant-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-exif-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-exif-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-fastcgi-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-fastcgi-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-fileinfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-fileinfo-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-firebird-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-firebird-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-fpm-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-fpm-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-ftp-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-ftp-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-gd-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-gd-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-gettext-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-gettext-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-gmp-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-gmp-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-iconv-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-iconv-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-imap-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-imap-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-intl-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-intl-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-json-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-json-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-ldap-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-ldap-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-mbstring-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-mbstring-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-mcrypt-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-mcrypt-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-mssql-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-mssql-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-mysql-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-mysql-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-odbc-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-odbc-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-opcache-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-opcache-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-openssl-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-openssl-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-pcntl-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-pcntl-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-pdo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-pdo-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-pear-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-pgsql-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-pgsql-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-phar-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-phar-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-posix-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-posix-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-pspell-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-pspell-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-readline-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-readline-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-shmop-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-shmop-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-snmp-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-snmp-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-soap-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-soap-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-sockets-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-sockets-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-sqlite-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-sqlite-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-suhosin-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-suhosin-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-sysvmsg-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-sysvmsg-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-sysvsem-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-sysvsem-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-sysvshm-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-sysvshm-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-tidy-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-tidy-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-tokenizer-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-tokenizer-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-wddx-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-wddx-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-xmlreader-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-xmlreader-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-xmlrpc-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-xmlrpc-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-xmlwriter-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-xmlwriter-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-xsl-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-xsl-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-zip-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-zip-debuginfo-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-zlib-5.6.1-53.3") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"php5-zlib-debuginfo-5.6.1-53.3") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache2-mod_php5 / apache2-mod_php5-debuginfo / php5 / php5-bcmath / etc"); }

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-2221.NASL
description	According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.(CVE-2016-7124) - Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TAR archive.(CVE-2016-2554) - A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.(CVE-2015-6831) - The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer by leveraging (1) %0A%20 or (2) %0D%0A%20 mishandling in the header function.(CVE-2015-8935) - The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 incorrectly relies on the deprecated RAND_pseudo_bytes function, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors.(CVE-2015-8867) - Use-after-free vulnerability in the SPL unserialize implementation in ext/spl/spl_array.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to execute arbitrary code via crafted serialized data that triggers misuse of an array field.(CVE-2015-6832) - Directory traversal vulnerability in the PharData class in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to write to arbitrary files via a .. (dot dot) in a ZIP archive entry that is mishandled during an extractTo call.(CVE-2015-6833) - Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before 3.12.1 allows remote attackers to create arbitrary empty directories via a crafted ZIP archive.(CVE-2014-9767) - The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c.(CVE-2016-7414) - ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.(CVE-2016-9934) - The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document.(CVE-2016-9935) - In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c.(CVE-2017-11143) - Integer overflow in the php_html_entities function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from the htmlspecialchars function.(CVE-2016-5094) - The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7 does not ensure the presence of a
last seen	2020-05-08
modified	2019-11-08
plugin id	130683
published	2019-11-08
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130683
title	EulerOS 2.0 SP5 : php (EulerOS-SA-2019-2221)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(130683); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07"); script_cve_id( "CVE-2014-9767", "CVE-2015-6831", "CVE-2015-6832", "CVE-2015-6833", "CVE-2015-8867", "CVE-2015-8879", "CVE-2015-8935", "CVE-2016-10161", "CVE-2016-2554", "CVE-2016-3141", "CVE-2016-3142", "CVE-2016-3185", "CVE-2016-4070", "CVE-2016-4539", "CVE-2016-4540", "CVE-2016-4541", "CVE-2016-4542", "CVE-2016-4543", "CVE-2016-5093", "CVE-2016-5094", "CVE-2016-7124", "CVE-2016-7414", "CVE-2016-9934", "CVE-2016-9935", "CVE-2017-11143", "CVE-2017-11144", "CVE-2017-11147", "CVE-2017-12933", "CVE-2017-9226" ); script_name(english:"EulerOS 2.0 SP5 : php (EulerOS-SA-2019-2221)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.(CVE-2016-7124) - Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TAR archive.(CVE-2016-2554) - A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.(CVE-2015-6831) - The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer by leveraging (1) %0A%20 or (2) %0D%0A%20 mishandling in the header function.(CVE-2015-8935) - The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 incorrectly relies on the deprecated RAND_pseudo_bytes function, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors.(CVE-2015-8867) - Use-after-free vulnerability in the SPL unserialize implementation in ext/spl/spl_array.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to execute arbitrary code via crafted serialized data that triggers misuse of an array field.(CVE-2015-6832) - Directory traversal vulnerability in the PharData class in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to write to arbitrary files via a .. (dot dot) in a ZIP archive entry that is mishandled during an extractTo call.(CVE-2015-6833) - Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before 3.12.1 allows remote attackers to create arbitrary empty directories via a crafted ZIP archive.(CVE-2014-9767) - The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c.(CVE-2016-7414) - ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.(CVE-2016-9934) - The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document.(CVE-2016-9935) - In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c.(CVE-2017-11143) - Integer overflow in the php_html_entities function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from the htmlspecialchars function.(CVE-2016-5094) - The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7 does not ensure the presence of a '\0' character, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted locale_get_primary_language call.(CVE-2016-5093) - The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset.(CVE-2016-4541) - The exif_process_IFD_TAG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not properly construct spprintf arguments, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.(CVE-2016-4542) - The phar_parse_zipfile function in zip.c in the PHAR extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid location.(CVE-2016-3142) - DISPUTED Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says 'Not sure if this qualifies as security issue (probably not).'(CVE-2016-4070) - The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (buffer under-read and segmentation fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a parser level of zero.(CVE-2016-4539) - The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset.(CVE-2016-4540) - Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element.(CVE-2016-3141) - In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.(CVE-2017-11147) - The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.(CVE-2016-4543) - The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table.(CVE-2015-8879) - An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of '\700' would produce an invalid code point value larger than 0xff in next_state_val(), resulting in an out-of-bounds write memory corruption.(CVE-2017-9226) - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission.(CVE-2017-11144) - The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (type confusion and application crash) via crafted serialized _cookies data, related to the SoapClient::__call method in ext/soap/soap.c.(CVE-2016-3185) - The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.(CVE-2016-10161) - The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.(CVE-2017-12933) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2221 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ce72047f"); script_set_attribute(attribute:"solution", value: "Update the affected php packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/08"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-process"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-recode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-xmlrpc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) \|\| release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D\|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) \|\| sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["php-5.4.16-45.h19.eulerosv2r7", "php-cli-5.4.16-45.h19.eulerosv2r7", "php-common-5.4.16-45.h19.eulerosv2r7", "php-gd-5.4.16-45.h19.eulerosv2r7", "php-ldap-5.4.16-45.h19.eulerosv2r7", "php-mysql-5.4.16-45.h19.eulerosv2r7", "php-odbc-5.4.16-45.h19.eulerosv2r7", "php-pdo-5.4.16-45.h19.eulerosv2r7", "php-pgsql-5.4.16-45.h19.eulerosv2r7", "php-process-5.4.16-45.h19.eulerosv2r7", "php-recode-5.4.16-45.h19.eulerosv2r7", "php-soap-5.4.16-45.h19.eulerosv2r7", "php-xml-5.4.16-45.h19.eulerosv2r7", "php-xmlrpc-5.4.16-45.h19.eulerosv2r7"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php"); }

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-2952-1.NASL
description	It was discovered that the PHP Zip extension incorrectly handled directories when processing certain zip files. A remote attacker could possibly use this issue to create arbitrary directories. (CVE-2014-9767) It was discovered that the PHP Soap client incorrectly validated data types. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-8835, CVE-2016-3185) It was discovered that the PHP MySQL native driver incorrectly handled TLS connections to MySQL databases. A man in the middle attacker could possibly use this issue to downgrade and snoop on TLS connections. This vulnerability is known as BACKRONYM. (CVE-2015-8838) It was discovered that PHP incorrectly handled the imagerotate function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-1903) Hans Jerry Illikainen discovered that the PHP phar extension incorrectly handled certain tar archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-2554) It was discovered that the PHP WDDX extension incorrectly handled certain malformed XML data. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-3141) It was discovered that the PHP phar extension incorrectly handled certain zip files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2016-3142) It was discovered that the PHP libxml_disable_entity_loader() setting was shared between threads. When running under PHP-FPM, this could result in XML external entity injection and entity expansion issues. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (No CVE number) It was discovered that the PHP openssl_random_pseudo_bytes() function did not return cryptographically strong pseudo-random bytes. (No CVE number) It was discovered that the PHP Fileinfo component incorrectly handled certain magic files. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending) It was discovered that the PHP php_snmp_error() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE number pending) It was discovered that the PHP rawurlencode() function incorrectly handled large strings. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE number pending) It was discovered that the PHP phar extension incorrectly handled certain filenames in archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending) It was discovered that the PHP mb_strcut() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	90677
published	2016-04-22
reporter	Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/90677
title	Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : php5 vulnerabilities (USN-2952-1)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-2952-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(90677); script_version("2.11"); script_cvs_date("Date: 2019/09/18 12:31:45"); script_cve_id("CVE-2014-9767", "CVE-2015-8835", "CVE-2015-8838", "CVE-2016-1903", "CVE-2016-2554", "CVE-2016-3141", "CVE-2016-3142", "CVE-2016-3185"); script_xref(name:"USN", value:"2952-1"); script_name(english:"Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : php5 vulnerabilities (USN-2952-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "It was discovered that the PHP Zip extension incorrectly handled directories when processing certain zip files. A remote attacker could possibly use this issue to create arbitrary directories. (CVE-2014-9767) It was discovered that the PHP Soap client incorrectly validated data types. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-8835, CVE-2016-3185) It was discovered that the PHP MySQL native driver incorrectly handled TLS connections to MySQL databases. A man in the middle attacker could possibly use this issue to downgrade and snoop on TLS connections. This vulnerability is known as BACKRONYM. (CVE-2015-8838) It was discovered that PHP incorrectly handled the imagerotate function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-1903) Hans Jerry Illikainen discovered that the PHP phar extension incorrectly handled certain tar archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-2554) It was discovered that the PHP WDDX extension incorrectly handled certain malformed XML data. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-3141) It was discovered that the PHP phar extension incorrectly handled certain zip files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2016-3142) It was discovered that the PHP libxml_disable_entity_loader() setting was shared between threads. When running under PHP-FPM, this could result in XML external entity injection and entity expansion issues. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (No CVE number) It was discovered that the PHP openssl_random_pseudo_bytes() function did not return cryptographically strong pseudo-random bytes. (No CVE number) It was discovered that the PHP Fileinfo component incorrectly handled certain magic files. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending) It was discovered that the PHP php_snmp_error() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE number pending) It was discovered that the PHP rawurlencode() function incorrectly handled large strings. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE number pending) It was discovered that the PHP phar extension incorrectly handled certain filenames in archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending) It was discovered that the PHP mb_strcut() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/2952-1/" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libapache2-mod-php5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-cgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-mysqlnd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-snmp"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:15.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/01/19"); script_set_attribute(attribute:"patch_publication_date", value:"2016/04/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(12\.04\|14\.04\|15\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 14.04 / 15.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"12.04", pkgname:"libapache2-mod-php5", pkgver:"5.3.10-1ubuntu3.22")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"php5-cgi", pkgver:"5.3.10-1ubuntu3.22")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"php5-cli", pkgver:"5.3.10-1ubuntu3.22")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"php5-fpm", pkgver:"5.3.10-1ubuntu3.22")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"php5-gd", pkgver:"5.3.10-1ubuntu3.22")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"php5-mysqlnd", pkgver:"5.3.10-1ubuntu3.22")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"php5-snmp", pkgver:"5.3.10-1ubuntu3.22")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"libapache2-mod-php5", pkgver:"5.5.9+dfsg-1ubuntu4.16")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"php5-cgi", pkgver:"5.5.9+dfsg-1ubuntu4.16")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"php5-cli", pkgver:"5.5.9+dfsg-1ubuntu4.16")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"php5-fpm", pkgver:"5.5.9+dfsg-1ubuntu4.16")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"php5-gd", pkgver:"5.5.9+dfsg-1ubuntu4.16")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"php5-mysqlnd", pkgver:"5.5.9+dfsg-1ubuntu4.16")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"php5-snmp", pkgver:"5.5.9+dfsg-1ubuntu4.16")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"libapache2-mod-php5", pkgver:"5.6.11+dfsg-1ubuntu3.2")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"php5-cgi", pkgver:"5.6.11+dfsg-1ubuntu3.2")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"php5-cli", pkgver:"5.6.11+dfsg-1ubuntu3.2")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"php5-fpm", pkgver:"5.6.11+dfsg-1ubuntu3.2")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"php5-gd", pkgver:"5.6.11+dfsg-1ubuntu3.2")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"php5-mysqlnd", pkgver:"5.6.11+dfsg-1ubuntu3.2")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"php5-snmp", pkgver:"5.6.11+dfsg-1ubuntu3.2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libapache2-mod-php5 / php5-cgi / php5-cli / php5-fpm / php5-gd / etc"); }

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-2952-2.NASL
description	USN-2952-1 fixed vulnerabilities in PHP. One of the backported patches caused a regression in the PHP Soap client. This update fixes the problem. We apologize for the inconvenience. It was discovered that the PHP Zip extension incorrectly handled directories when processing certain zip files. A remote attacker could possibly use this issue to create arbitrary directories. (CVE-2014-9767) It was discovered that the PHP Soap client incorrectly validated data types. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-8835, CVE-2016-3185) It was discovered that the PHP MySQL native driver incorrectly handled TLS connections to MySQL databases. A man in the middle attacker could possibly use this issue to downgrade and snoop on TLS connections. This vulnerability is known as BACKRONYM. (CVE-2015-8838) It was discovered that PHP incorrectly handled the imagerotate function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-1903) Hans Jerry Illikainen discovered that the PHP phar extension incorrectly handled certain tar archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-2554) It was discovered that the PHP WDDX extension incorrectly handled certain malformed XML data. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-3141) It was discovered that the PHP phar extension incorrectly handled certain zip files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2016-3142) It was discovered that the PHP libxml_disable_entity_loader() setting was shared between threads. When running under PHP-FPM, this could result in XML external entity injection and entity expansion issues. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (No CVE number) It was discovered that the PHP openssl_random_pseudo_bytes() function did not return cryptographically strong pseudo-random bytes. (No CVE number) It was discovered that the PHP Fileinfo component incorrectly handled certain magic files. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending) It was discovered that the PHP php_snmp_error() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE number pending) It was discovered that the PHP rawurlencode() function incorrectly handled large strings. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE number pending) It was discovered that the PHP phar extension incorrectly handled certain filenames in archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending) It was discovered that the PHP mb_strcut() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	90825
published	2016-05-02
reporter	Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/90825
title	Ubuntu 15.10 : php5 regression (USN-2952-2)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-2952-2. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(90825); script_version("2.10"); script_cvs_date("Date: 2019/09/18 12:31:45"); script_cve_id("CVE-2014-9767", "CVE-2015-8835", "CVE-2015-8838", "CVE-2016-1903", "CVE-2016-2554", "CVE-2016-3141", "CVE-2016-3142", "CVE-2016-3185"); script_xref(name:"USN", value:"2952-2"); script_name(english:"Ubuntu 15.10 : php5 regression (USN-2952-2)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "USN-2952-1 fixed vulnerabilities in PHP. One of the backported patches caused a regression in the PHP Soap client. This update fixes the problem. We apologize for the inconvenience. It was discovered that the PHP Zip extension incorrectly handled directories when processing certain zip files. A remote attacker could possibly use this issue to create arbitrary directories. (CVE-2014-9767) It was discovered that the PHP Soap client incorrectly validated data types. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-8835, CVE-2016-3185) It was discovered that the PHP MySQL native driver incorrectly handled TLS connections to MySQL databases. A man in the middle attacker could possibly use this issue to downgrade and snoop on TLS connections. This vulnerability is known as BACKRONYM. (CVE-2015-8838) It was discovered that PHP incorrectly handled the imagerotate function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-1903) Hans Jerry Illikainen discovered that the PHP phar extension incorrectly handled certain tar archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-2554) It was discovered that the PHP WDDX extension incorrectly handled certain malformed XML data. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-3141) It was discovered that the PHP phar extension incorrectly handled certain zip files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2016-3142) It was discovered that the PHP libxml_disable_entity_loader() setting was shared between threads. When running under PHP-FPM, this could result in XML external entity injection and entity expansion issues. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (No CVE number) It was discovered that the PHP openssl_random_pseudo_bytes() function did not return cryptographically strong pseudo-random bytes. (No CVE number) It was discovered that the PHP Fileinfo component incorrectly handled certain magic files. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending) It was discovered that the PHP php_snmp_error() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE number pending) It was discovered that the PHP rawurlencode() function incorrectly handled large strings. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE number pending) It was discovered that the PHP phar extension incorrectly handled certain filenames in archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending) It was discovered that the PHP mb_strcut() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE number pending). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/2952-2/" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libapache2-mod-php5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-cgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-mysqlnd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-snmp"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:15.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/01/19"); script_set_attribute(attribute:"patch_publication_date", value:"2016/04/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/02"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(15\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 15.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"15.10", pkgname:"libapache2-mod-php5", pkgver:"5.6.11+dfsg-1ubuntu3.3")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"php5-cgi", pkgver:"5.6.11+dfsg-1ubuntu3.3")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"php5-cli", pkgver:"5.6.11+dfsg-1ubuntu3.3")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"php5-fpm", pkgver:"5.6.11+dfsg-1ubuntu3.3")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"php5-gd", pkgver:"5.6.11+dfsg-1ubuntu3.3")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"php5-mysqlnd", pkgver:"5.6.11+dfsg-1ubuntu3.3")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"php5-snmp", pkgver:"5.6.11+dfsg-1ubuntu3.3")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libapache2-mod-php5 / php5-cgi / php5-cli / php5-fpm / php5-gd / etc"); }

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-1581-1.NASL
description	This update for php53 fixes the following issues : - CVE-2016-5093: A get_icu_value_internal out-of-bounds read could crash the php interpreter (bsc#982010) - CVE-2016-5094,CVE-2016-5095: Don
last seen	2020-06-01
modified	2020-06-02
plugin id	91665
published	2016-06-17
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/91665
title	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1581-1)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2016:1581-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(91665); script_version("2.9"); script_cvs_date("Date: 2019/09/11 11:22:13"); script_cve_id("CVE-2014-9767", "CVE-2015-4116", "CVE-2015-7803", "CVE-2015-8835", "CVE-2015-8838", "CVE-2015-8866", "CVE-2015-8867", "CVE-2015-8873", "CVE-2015-8874", "CVE-2015-8879", "CVE-2016-2554", "CVE-2016-3141", "CVE-2016-3142", "CVE-2016-3185", "CVE-2016-4070", "CVE-2016-4073", "CVE-2016-4342", "CVE-2016-4346", "CVE-2016-4537", "CVE-2016-4538", "CVE-2016-4539", "CVE-2016-4540", "CVE-2016-4541", "CVE-2016-4542", "CVE-2016-4543", "CVE-2016-4544", "CVE-2016-5093", "CVE-2016-5094", "CVE-2016-5095", "CVE-2016-5096", "CVE-2016-5114"); script_name(english:"SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1581-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for php53 fixes the following issues : - CVE-2016-5093: A get_icu_value_internal out-of-bounds read could crash the php interpreter (bsc#982010) - CVE-2016-5094,CVE-2016-5095: Don't allow creating strings with lengths outside int range, avoids overflows (bsc#982011,bsc#982012) - CVE-2016-5096: A int/size_t confusion in fread could corrupt memory (bsc#982013) - CVE-2016-5114: A fpm_log.c memory leak and buffer overflow could leak information out of the php process or overwrite a buffer by 1 byte (bsc#982162) - CVE-2016-4346: A heap overflow was fixed in ext/standard/string.c (bsc#977994) - CVE-2016-4342: A heap corruption was fixed in tar/zip/phar parser (bsc#977991) - CVE-2016-4537, CVE-2016-4538: bcpowmod accepted negative scale causing heap buffer overflow corrupting _one_ definition (bsc#978827) - CVE-2016-4539: Malformed input causes segmentation fault in xml_parse_into_struct() function (bsc#978828) - CVE-2016-4540, CVE-2016-4541: Out-of-bounds memory read in zif_grapheme_stripos when given negative offset (bsc#978829) - CVE-2016-4542, CVE-2016-4543, CVE-2016-4544: Out-of-bounds heap memory read in exif_read_data() caused by malformed input (bsc#978830) - CVE-2015-4116: Use-after-free vulnerability in the spl_ptr_heap_insert function (bsc#980366) - CVE-2015-8873: Stack consumption vulnerability in Zend/zend_exceptions.c (bsc#980373) - CVE-2015-8874: Stack consumption vulnerability in GD (bsc#980375) - CVE-2015-8879: odbc_bindcols function in ext/odbc/php_odbc.c mishandles driver behavior for SQL_WVARCHAR (bsc#981050) Also fixed previously on SUSE Linux Enterprise 11 SP4, but not yet shipped to SUSE Linux Enterprise Server 11 SP3 LTSS : - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM (bnc#973792). - CVE-2015-8835: SoapClient s_call method suffered from a type confusion issue that could have lead to crashes [bsc#973351] - CVE-2016-2554: A NULL pointer dereference in phar_get_fp_offset could lead to crashes. [bsc#968284] - CVE-2015-7803: A Stack overflow vulnerability when decompressing tar phar archives could potentially lead to code execution. [bsc#949961] - CVE-2016-3141: A use-after-free / double-free in the WDDX deserialization could lead to crashes or potential code execution. [bsc#969821] - CVE-2016-3142: An Out-of-bounds read in phar_parse_zipfile() could lead to crashes. [bsc#971912] - CVE-2014-9767: A directory traversal when extracting zip files was fixed that could lead to overwritten files. [bsc#971612] - CVE-2016-3185: A type confusion vulnerability in make_http_soap_request() could lead to crashes or potentially code execution. [bsc#971611] - CVE-2016-4073: A remote attacker could have caused denial of service, or possibly execute arbitrary code, due to incorrect handling of string length calculations in mb_strcut() (bsc#977003) - CVE-2015-8867: The PHP function openssl_random_pseudo_bytes() did not return cryptographically secure random bytes (bsc#977005) - CVE-2016-4070: The libxml_disable_entity_loader() setting was shared between threads, which could have resulted in XML external entity injection and entity expansion issues (bsc#976997) - CVE-2015-8866: A remote attacker could have caused denial of service due to incorrect handling of large strings in php_raw_url_encode() (bsc#976996) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=949961" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=968284" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=969821" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=971611" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=971612" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=971912" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=973351" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=973792" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=976996" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=976997" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=977003" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=977005" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=977991" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=977994" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=978827" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=978828" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=978829" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=978830" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=980366" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=980373" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=980375" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=981050" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=982010" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=982011" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=982012" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=982013" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=982162" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-9767/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4116/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-7803/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8835/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8838/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8866/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8867/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8873/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8874/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8879/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-2554/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-3141/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-3142/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-3185/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4070/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4073/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4342/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4346/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4537/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4538/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4539/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4540/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4541/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4542/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4543/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-4544/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5093/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5094/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5095/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5096/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5114/" ); # https://www.suse.com/support/update/announcement/2016/suse-su-20161581-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?bc359603" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE OpenStack Cloud 5 : zypper in -t patch sleclo50sp3-php53-12611=1 SUSE Manager Proxy 2.1 : zypper in -t patch slemap21-php53-12611=1 SUSE Manager 2.1 : zypper in -t patch sleman21-php53-12611=1 SUSE Linux Enterprise Software Development Kit 11-SP4 : zypper in -t patch sdksp4-php53-12611=1 SUSE Linux Enterprise Server 11-SP4 : zypper in -t patch slessp4-php53-12611=1 SUSE Linux Enterprise Server 11-SP3-LTSS : zypper in -t patch slessp3-php53-12611=1 SUSE Linux Enterprise Debuginfo 11-SP4 : zypper in -t patch dbgsp4-php53-12611=1 SUSE Linux Enterprise Debuginfo 11-SP3 : zypper in -t patch dbgsp3-php53-12611=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:apache2-mod_php53"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-bz2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-calendar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-ctype"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-dom"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-exif"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-fastcgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-fileinfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-ftp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-gettext"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-iconv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-openssl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pcntl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pear"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-shmop"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-suhosin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-sysvmsg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-sysvsem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-sysvshm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-tokenizer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-wddx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-xmlreader"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-xmlwriter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-xsl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-zip"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-zlib"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/11"); script_set_attribute(attribute:"patch_publication_date", value:"2016/06/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/17"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release !~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S\|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES11" && (! preg(pattern:"^(3\|4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP3/4", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES11", sp:"4", reference:"apache2-mod_php53-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-bcmath-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-bz2-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-calendar-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-ctype-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-curl-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-dba-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-dom-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-exif-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-fastcgi-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-fileinfo-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-ftp-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-gd-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-gettext-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-gmp-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-iconv-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-intl-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-json-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-ldap-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-mbstring-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-mcrypt-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-mysql-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-odbc-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-openssl-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-pcntl-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-pdo-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-pear-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-pgsql-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-pspell-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-shmop-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-snmp-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-soap-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-suhosin-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-sysvmsg-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-sysvsem-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-sysvshm-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-tokenizer-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-wddx-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-xmlreader-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-xmlrpc-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-xmlwriter-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-xsl-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-zip-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-zlib-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"apache2-mod_php53-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-bcmath-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-bz2-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-calendar-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-ctype-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-curl-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-dba-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-dom-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-exif-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-fastcgi-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-fileinfo-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-ftp-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-gd-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-gettext-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-gmp-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-iconv-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-intl-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-json-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-ldap-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-mbstring-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-mcrypt-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-mysql-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-odbc-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-openssl-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-pcntl-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-pdo-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-pear-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-pgsql-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-pspell-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-shmop-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-snmp-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-soap-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-suhosin-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-sysvmsg-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-sysvsem-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-sysvshm-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-tokenizer-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-wddx-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-xmlreader-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-xmlrpc-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-xmlwriter-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-xsl-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-zip-5.3.17-71.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"php53-zlib-5.3.17-71.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php53"); }

NASL family	CGI abuses
NASL id	PHP_5_5_29.NASL
description	According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.29. It is, therefore, affected by the following vulnerabilities : - A directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c could allow a remote attacker to create arbitrary empty directories via a crafted ZIP archive. (CVE-2014-9767) - Multiple use-after-free memory errors exist related to the unserialize() function. A remote attacker can exploit these errors to execute arbitrary code. (CVE-2015-6834) - A use-after-free memory error exists related to the php_var_unserialize() function. A remote attacker, using a crafted serialize string, can exploit this to execute arbitrary code. (CVE-2015-6835) - A type confusion error exists related to the serialize_function_call() function due to improper validation of the headers field. A remote attacker can exploit this to have unspecified impact. (CVE-2015-6836) - Multiple flaws exist in the XSLTProcessor class due to improper validation of input from the libxslt library. A remote attacker can exploit thse flaws to have an unspecified impact. (CVE-2015-6837, CVE-2015-6838) - A flaw exists in the php_zip_extract_file() function in file php_zip.c due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this to create arbitrary directories outside of the restricted path. Note that Nessus has not tested for these issues but has instead relied only on the application
last seen	2020-06-01
modified	2020-06-02
plugin id	85886
published	2015-09-10
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/85886
title	PHP 5.5.x < 5.5.29 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(85886); script_version("1.18"); script_cvs_date("Date: 2019/11/22"); script_cve_id( "CVE-2014-9767", "CVE-2015-6834", "CVE-2015-6835", "CVE-2015-6836", "CVE-2015-6837", "CVE-2015-6838" ); script_bugtraq_id( 76644, 76649, 76652, 76733, 76734, 76738 ); script_name(english:"PHP 5.5.x < 5.5.29 Multiple Vulnerabilities"); script_summary(english:"Checks the version of PHP."); script_set_attribute(attribute:"synopsis", value: "The remote web server uses a version of PHP that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.29. It is, therefore, affected by the following vulnerabilities : - A directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c could allow a remote attacker to create arbitrary empty directories via a crafted ZIP archive. (CVE-2014-9767) - Multiple use-after-free memory errors exist related to the unserialize() function. A remote attacker can exploit these errors to execute arbitrary code. (CVE-2015-6834) - A use-after-free memory error exists related to the php_var_unserialize() function. A remote attacker, using a crafted serialize string, can exploit this to execute arbitrary code. (CVE-2015-6835) - A type confusion error exists related to the serialize_function_call() function due to improper validation of the headers field. A remote attacker can exploit this to have unspecified impact. (CVE-2015-6836) - Multiple flaws exist in the XSLTProcessor class due to improper validation of input from the libxslt library. A remote attacker can exploit thse flaws to have an unspecified impact. (CVE-2015-6837, CVE-2015-6838) - A flaw exists in the php_zip_extract_file() function in file php_zip.c due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this to create arbitrary directories outside of the restricted path. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-5.php#5.5.29"); script_set_attribute(attribute:"solution", value: "Upgrade to PHP version 5.5.29 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-6836"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/10"); script_set_attribute(attribute:"patch_publication_date", value:"2015/09/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/09/10"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("php_version.nasl"); script_require_keys("www/PHP"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("webapp_func.inc"); port = get_http_port(default:80, php:TRUE); php = get_php_from_kb( port : port, exit_on_fail : TRUE ); version = php["ver"]; source = php["src"]; backported = get_kb_item('www/php/'+port+'/'+version+'/backported'); if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install"); # Check that it is the correct version of PHP if (version =~ "^5(\.5)?$") audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version); if (version !~ "^5\.5\.") audit(AUDIT_NOT_DETECT, "PHP version 5.5.x", port); if (version =~ "^5\.5\.([0-9]\|1[0-9]\|2[0-8])($\|[^0-9])") { if (report_verbosity > 0) { report = '\n Version source : ' + source + '\n Installed version : ' + version + '\n Fixed version : 5.5.29' + '\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-2438.NASL
description	According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.(CVE-2019-11043) - The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.(CVE-2017-12933) - ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.(CVE-2016-7124) - The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))\|(((?:(?:(?:(?:abc\|(?:abcdef))))b)abcdefghi )abc)\|((ACCEPT)))/ pattern and related patterns involving (ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.(CVE-2015-8382) - An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.(CVE-2018-5712) - exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.(CVE-2018-14851) - The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.(CVE-2016-7480) - ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.(CVE-2016-7411) - The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table.(CVE-2015-8879) - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension
last seen	2020-05-08
modified	2019-12-04
plugin id	131592
published	2019-12-04
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131592
title	EulerOS 2.0 SP2 : php (EulerOS-SA-2019-2438)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(131592); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07"); script_cve_id( "CVE-2011-4718", "CVE-2014-9767", "CVE-2014-9912", "CVE-2015-5589", "CVE-2015-6831", "CVE-2015-6832", "CVE-2015-6833", "CVE-2015-7803", "CVE-2015-7804", "CVE-2015-8382", "CVE-2015-8835", "CVE-2015-8867", "CVE-2015-8874", "CVE-2015-8879", "CVE-2015-8935", "CVE-2016-10397", "CVE-2016-2554", "CVE-2016-3141", "CVE-2016-3142", "CVE-2016-3185", "CVE-2016-4070", "CVE-2016-4539", "CVE-2016-4540", "CVE-2016-4541", "CVE-2016-4542", "CVE-2016-4543", "CVE-2016-5093", "CVE-2016-5094", "CVE-2016-6288", "CVE-2016-6291", "CVE-2016-6292", "CVE-2016-6293", "CVE-2016-6294", "CVE-2016-7124", "CVE-2016-7125", "CVE-2016-7128", "CVE-2016-7411", "CVE-2016-7412", "CVE-2016-7414", "CVE-2016-7418", "CVE-2016-7480", "CVE-2016-9934", "CVE-2016-9935", "CVE-2017-11143", "CVE-2017-11144", "CVE-2017-11147", "CVE-2017-11628", "CVE-2017-12933", "CVE-2017-16642", "CVE-2017-7272", "CVE-2017-9224", "CVE-2017-9226", "CVE-2017-9227", "CVE-2017-9228", "CVE-2017-9229", "CVE-2018-10545", "CVE-2018-10547", "CVE-2018-14851", "CVE-2018-17082", "CVE-2018-5712", "CVE-2019-11040", "CVE-2019-11041", "CVE-2019-11042", "CVE-2019-11043" ); script_bugtraq_id( 61929, 75974 ); script_name(english:"EulerOS 2.0 SP2 : php (EulerOS-SA-2019-2438)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.(CVE-2019-11043) - The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.(CVE-2017-12933) - ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.(CVE-2016-7124) - The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))\|(((?:(?:(?:(?:abc\|(?:abcdef))))b)abcdefghi )abc)\|((ACCEPT)))/ pattern and related patterns involving (ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.(CVE-2015-8382) - An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.(CVE-2018-5712) - exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.(CVE-2018-14851) - The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.(CVE-2016-7480) - ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.(CVE-2016-7411) - The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table.(CVE-2015-8879) - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.(CVE-2017-16642) - The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.(CVE-2016-4543) - The exif_process_IFD_TAG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not properly construct spprintf arguments, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.(CVE-2016-4542) - The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset.(CVE-2016-4541) - The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset.(CVE-2016-4540) - The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (buffer under-read and segmentation fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a parser level of zero.(CVE-2016-4539) - DISPUTED Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says 'Not sure if this qualifies as security issue (probably not).'(CVE-2016-4070) - Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element.(CVE-2016-3141) - In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:[email protected]/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c).(CVE-2016-10397) - Multiple use-after-free vulnerabilities in SPL in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allow remote attackers to execute arbitrary code via vectors involving (1) ArrayObject, (2) SplObjectStorage, and (3) SplDoublyLinkedList, which are mishandled during unserialization.(CVE-2015-6831) - An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parse_char_class() could create an execution path that leaves a critical local variable uninitialized until it's used as an index, resulting in an out-of-bounds write memory corruption.(CVE-2017-9228) - An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg->dmin in forward_search_range() could result in an invalid pointer dereference, as an out-of-bounds read from a stack buffer.(CVE-2017-9227) - An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of '\700' would produce an invalid code point value larger than 0xff in next_state_val(), resulting in an out-of-bounds write memory corruption.(CVE-2017-9226) - An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.(CVE-2017-9224) - The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image.(CVE-2016-6291) - The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the smart_str data type.(CVE-2016-6288) - Integer overflow in the php_html_entities function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from the htmlspecialchars function.(CVE-2016-5094) - The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7 does not ensure the presence of a '\0' character, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted locale_get_primary_language call.(CVE-2016-5093) - In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c.(CVE-2017-11143) - The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document.(CVE-2016-9935) - ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.(CVE-2016-9934) - The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c.(CVE-2016-7414) - ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata.(CVE-2016-7412) - An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition.(CVE-2017-9229) - The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 incorrectly relies on the deprecated RAND_pseudo_bytes function, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors.(CVE-2015-8867) - The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer by leveraging (1) %0A%20 or (2) %0D%0A%20 mishandling in the header function.(CVE-2015-8935) - An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM worker process.(CVE-2018-10545) - An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.(CVE-2018-10547) - The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a 'Transfer-Encoding: chunked' request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.(CVE-2018-17082) - PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function.(CVE-2017-7272 ) - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a stack-based buffer overflow in the zend_ini_do_op() function in Zend/zend_ini_parser.c could cause a denial of service or potentially allow executing code. NOTE: this is only relevant for PHP applications that accept untrusted input (instead of the system's php.ini file) for the parse_ini_string or parse_ini_file function, e.g., a web application for syntax validation of php.ini directives.(CVE-2017-11628) - In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.(CVE-2017-11147) - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission.(CVE-2017-11144) - The locale_accept_from_http function in ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument.(CVE-2016-6294) - Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID.(CVE-2011-4718) - Off-by-one error in the phar_parse_zipfile function in ext/phar/zip.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (uninitialized pointer dereference and application crash) by including the / filename in a .zip PHAR archive.(CVE-2015-7804) - The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.(CVE-2016-7418) - The exif_process_user_comment function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted JPEG image.(CVE-2016-6292) - The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (type confusion and application crash) via crafted serialized _cookies data, related to the SoapClient::__call method in ext/soap/soap.c.(CVE-2016-3185) - Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before 3.12.1 allows remote attackers to create arbitrary empty directories via a crafted ZIP archive.(CVE-2014-9767) - The phar_convert_to_other function in ext/phar/phar_object.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 does not validate a file pointer before a close operation, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted TAR archive that is mishandled in a Phar::convertToData call.(CVE-2015-5589) - Directory traversal vulnerability in the PharData class in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to write to arbitrary files via a .. (dot dot) in a ZIP archive entry that is mishandled during an extractTo call.(CVE-2015-6833) - The phar_get_entry_data function in ext/phar/util.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a .phar file with a crafted TAR archive entry in which the Link indicator references a file that does not exist.(CVE-2015-7803) - Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call.(CVE-2015-8874) - Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TAR archive.(CVE-2016-2554) - The phar_parse_zipfile function in zip.c in the PHAR extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid location.(CVE-2016-3142) - ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by leveraging control of a session name, as demonstrated by object injection.(CVE-2016-7125) - The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles the case of a thumbnail offset that exceeds the file size, which allows remote attackers to obtain sensitive information from process memory via a crafted TIFF image.(CVE-2016-7128) - The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument.(CVE-2014-9912) - Use-after-free vulnerability in the SPL unserialize implementation in ext/spl/spl_array.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to execute arbitrary code via crafted serialized data that triggers misuse of an array field.(CVE-2015-6832) - The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not properly retrieve keys, which allows remote attackers to cause a denial of service (NULL pointer dereference, type confusion, and application crash) or possibly execute arbitrary code via crafted serialized data representing a numerically indexed _cookies array, related to the SoapClient::__call method in ext/soap/soap.c.(CVE-2015-8835) - The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument.(CVE-2016-6293) - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11040) - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11041) - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11042) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2438 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?72902c09"); script_set_attribute(attribute:"solution", value: "Update the affected php packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'PHP-FPM Underflow RCE'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"patch_publication_date", value:"2019/12/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/04"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-process"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-recode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-xmlrpc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) \|\| release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D\|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) \|\| sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["php-5.4.16-42.h63", "php-cli-5.4.16-42.h63", "php-common-5.4.16-42.h63", "php-gd-5.4.16-42.h63", "php-ldap-5.4.16-42.h63", "php-mysql-5.4.16-42.h63", "php-odbc-5.4.16-42.h63", "php-pdo-5.4.16-42.h63", "php-pgsql-5.4.16-42.h63", "php-process-5.4.16-42.h63", "php-recode-5.4.16-42.h63", "php-soap-5.4.16-42.h63", "php-xml-5.4.16-42.h63", "php-xmlrpc-5.4.16-42.h63"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php"); }

NASL family	CGI abuses
NASL id	PHP_5_4_45.NASL
description	According to its banner, the version of PHP running on the remote web server is 5.4.x prior to 5.4.45. It is, therefore, affected by the following vulnerabilities : - A directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c could allow a remote attacker to create arbitrary empty directories via a crafted ZIP archive. (CVE-2014-9767) - Multiple use-after-free memory errors exist related to the unserialize() function. A remote attacker can exploit these errors to execute arbitrary code. (CVE-2015-6834) - A use-after-free memory error exists related to the php_var_unserialize() function. A remote attacker, using a crafted serialize string, can exploit this to execute arbitrary code. (CVE-2015-6835) - A type confusion error exists related to the serialize_function_call() function due to improper validation of the headers field. A remote attacker can exploit this to have unspecified impact. (CVE-2015-6836) - Multiple flaws exist in the XSLTProcessor class due to improper validation of input from the libxslt library. A remote attacker can exploit thse flaws to have an unspecified impact. (CVE-2015-6837, CVE-2015-6838) - A flaw exists in the php_zip_extract_file() function in file php_zip.c due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this to create arbitrary directories outside of the restricted path. Note that Nessus has not tested for these issues but has instead relied only on the application
last seen	2020-06-01
modified	2020-06-02
plugin id	85885
published	2015-09-10
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/85885
title	PHP 5.4.x < 5.4.45 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(85885); script_version("1.12"); script_cvs_date("Date: 2019/11/22"); script_cve_id( "CVE-2014-9767", "CVE-2015-6834", "CVE-2015-6835", "CVE-2015-6836", "CVE-2015-6837", "CVE-2015-6838" ); script_bugtraq_id( 76644, 76649, 76652, 76733, 76734, 76738 ); script_name(english:"PHP 5.4.x < 5.4.45 Multiple Vulnerabilities"); script_summary(english:"Checks the version of PHP."); script_set_attribute(attribute:"synopsis", value: "The remote web server uses a version of PHP that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the version of PHP running on the remote web server is 5.4.x prior to 5.4.45. It is, therefore, affected by the following vulnerabilities : - A directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c could allow a remote attacker to create arbitrary empty directories via a crafted ZIP archive. (CVE-2014-9767) - Multiple use-after-free memory errors exist related to the unserialize() function. A remote attacker can exploit these errors to execute arbitrary code. (CVE-2015-6834) - A use-after-free memory error exists related to the php_var_unserialize() function. A remote attacker, using a crafted serialize string, can exploit this to execute arbitrary code. (CVE-2015-6835) - A type confusion error exists related to the serialize_function_call() function due to improper validation of the headers field. A remote attacker can exploit this to have unspecified impact. (CVE-2015-6836) - Multiple flaws exist in the XSLTProcessor class due to improper validation of input from the libxslt library. A remote attacker can exploit thse flaws to have an unspecified impact. (CVE-2015-6837, CVE-2015-6838) - A flaw exists in the php_zip_extract_file() function in file php_zip.c due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this to create arbitrary directories outside of the restricted path. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-5.php#5.4.45"); script_set_attribute(attribute:"solution", value: "Upgrade to PHP version 5.4.45 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-6836"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/10"); script_set_attribute(attribute:"patch_publication_date", value:"2015/09/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/09/10"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("php_version.nasl"); script_require_keys("www/PHP"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("webapp_func.inc"); port = get_http_port(default:80, php:TRUE); php = get_php_from_kb( port : port, exit_on_fail : TRUE ); version = php["ver"]; source = php["src"]; backported = get_kb_item('www/php/'+port+'/'+version+'/backported'); if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install"); # Check that it is the correct version of PHP if (version =~ "^5(\.4)?$") audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version); if (version !~ "^5\.4\.") audit(AUDIT_NOT_DETECT, "PHP version 5.4.x", port); if (version =~ "^5\.4\.([0-9]\|[1-3][0-9]\|4[0-4])($\|[^0-9])") { if (report_verbosity > 0) { report = '\n Version source : ' + source + '\n Installed version : ' + version + '\n Fixed version : 5.4.45' + '\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-1145-1.NASL
description	This update for php53 fixes the following issues : - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM (bnc#973792). - CVE-2015-8835: SoapClient s_call method suffered from a type confusion issue that could have lead to crashes [bsc#973351] - CVE-2016-2554: A NULL pointer dereference in phar_get_fp_offset could lead to crashes. [bsc#968284] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2015-7803: A Stack overflow vulnerability when decompressing tar phar archives could potentially lead to code execution. [bsc#949961] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2016-3141: A use-after-free / double-free in the WDDX deserialization could lead to crashes or potential code execution. [bsc#969821] - CVE-2016-3142: An Out-of-bounds read in phar_parse_zipfile() could lead to crashes. [bsc#971912] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2014-9767: A directory traversal when extracting zip files was fixed that could lead to overwritten files. [bsc#971612] - CVE-2016-3185: A type confusion vulnerability in make_http_soap_request() could lead to crashes or potentially code execution. [bsc#971611] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	90757
published	2016-04-27
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/90757
title	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1145-1)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2016:1145-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(90757); script_version("2.11"); script_cvs_date("Date: 2019/09/11 11:22:13"); script_cve_id("CVE-2014-9767", "CVE-2015-7803", "CVE-2015-8835", "CVE-2015-8838", "CVE-2016-2554", "CVE-2016-3141", "CVE-2016-3142", "CVE-2016-3185"); script_name(english:"SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1145-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for php53 fixes the following issues : - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM (bnc#973792). - CVE-2015-8835: SoapClient s_call method suffered from a type confusion issue that could have lead to crashes [bsc#973351] - CVE-2016-2554: A NULL pointer dereference in phar_get_fp_offset could lead to crashes. [bsc#968284] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2015-7803: A Stack overflow vulnerability when decompressing tar phar archives could potentially lead to code execution. [bsc#949961] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2016-3141: A use-after-free / double-free in the WDDX deserialization could lead to crashes or potential code execution. [bsc#969821] - CVE-2016-3142: An Out-of-bounds read in phar_parse_zipfile() could lead to crashes. [bsc#971912] Note: we do not ship the phar extension currently, so we are not affected. - CVE-2014-9767: A directory traversal when extracting zip files was fixed that could lead to overwritten files. [bsc#971612] - CVE-2016-3185: A type confusion vulnerability in make_http_soap_request() could lead to crashes or potentially code execution. [bsc#971611] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=949961" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=968284" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=969821" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=971611" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=971612" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=971912" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=973351" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=973792" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-9767/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-7803/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8835/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8838/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-2554/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-3141/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-3142/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-3185/" ); # https://www.suse.com/support/update/announcement/2016/suse-su-20161145-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?0f5669a4" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 11-SP4 : zypper in -t patch sdksp4-php53-12527=1 SUSE Linux Enterprise Server 11-SP4 : zypper in -t patch slessp4-php53-12527=1 SUSE Linux Enterprise Debuginfo 11-SP4 : zypper in -t patch dbgsp4-php53-12527=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:apache2-mod_php53"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-bz2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-calendar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-ctype"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-dom"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-exif"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-fastcgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-fileinfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-ftp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-gettext"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-iconv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-openssl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pcntl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pear"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-shmop"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-suhosin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-sysvmsg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-sysvsem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-sysvshm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-tokenizer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-wddx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-xmlreader"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-xmlwriter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-xsl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-zip"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-zlib"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/11"); script_set_attribute(attribute:"patch_publication_date", value:"2016/04/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/27"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release !~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S\|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES11", sp:"4", reference:"apache2-mod_php53-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-bcmath-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-bz2-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-calendar-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-ctype-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-curl-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-dba-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-dom-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-exif-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-fastcgi-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-fileinfo-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-ftp-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-gd-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-gettext-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-gmp-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-iconv-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-intl-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-json-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-ldap-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-mbstring-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-mcrypt-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-mysql-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-odbc-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-openssl-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-pcntl-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-pdo-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-pear-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-pgsql-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-pspell-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-shmop-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-snmp-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-soap-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-suhosin-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-sysvmsg-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-sysvsem-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-sysvshm-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-tokenizer-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-wddx-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-xmlreader-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-xmlrpc-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-xmlwriter-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-xsl-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-zip-5.3.17-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"php53-zlib-5.3.17-59.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php53"); }

Redhat

advisories

rhsa

id	RHSA-2016:2750

rpms

rh-php56-0:2.3-1.el6
rh-php56-0:2.3-1.el7
rh-php56-php-0:5.6.25-1.el6
rh-php56-php-0:5.6.25-1.el7
rh-php56-php-bcmath-0:5.6.25-1.el6
rh-php56-php-bcmath-0:5.6.25-1.el7
rh-php56-php-cli-0:5.6.25-1.el6
rh-php56-php-cli-0:5.6.25-1.el7
rh-php56-php-common-0:5.6.25-1.el6
rh-php56-php-common-0:5.6.25-1.el7
rh-php56-php-dba-0:5.6.25-1.el6
rh-php56-php-dba-0:5.6.25-1.el7
rh-php56-php-dbg-0:5.6.25-1.el6
rh-php56-php-dbg-0:5.6.25-1.el7
rh-php56-php-debuginfo-0:5.6.25-1.el6
rh-php56-php-debuginfo-0:5.6.25-1.el7
rh-php56-php-devel-0:5.6.25-1.el6
rh-php56-php-devel-0:5.6.25-1.el7
rh-php56-php-embedded-0:5.6.25-1.el6
rh-php56-php-embedded-0:5.6.25-1.el7
rh-php56-php-enchant-0:5.6.25-1.el6
rh-php56-php-enchant-0:5.6.25-1.el7
rh-php56-php-fpm-0:5.6.25-1.el6
rh-php56-php-fpm-0:5.6.25-1.el7
rh-php56-php-gd-0:5.6.25-1.el6
rh-php56-php-gd-0:5.6.25-1.el7
rh-php56-php-gmp-0:5.6.25-1.el6
rh-php56-php-gmp-0:5.6.25-1.el7
rh-php56-php-imap-0:5.6.25-1.el6
rh-php56-php-intl-0:5.6.25-1.el6
rh-php56-php-intl-0:5.6.25-1.el7
rh-php56-php-ldap-0:5.6.25-1.el6
rh-php56-php-ldap-0:5.6.25-1.el7
rh-php56-php-mbstring-0:5.6.25-1.el6
rh-php56-php-mbstring-0:5.6.25-1.el7
rh-php56-php-mysqlnd-0:5.6.25-1.el6
rh-php56-php-mysqlnd-0:5.6.25-1.el7
rh-php56-php-odbc-0:5.6.25-1.el6
rh-php56-php-odbc-0:5.6.25-1.el7
rh-php56-php-opcache-0:5.6.25-1.el6
rh-php56-php-opcache-0:5.6.25-1.el7
rh-php56-php-pdo-0:5.6.25-1.el6
rh-php56-php-pdo-0:5.6.25-1.el7
rh-php56-php-pear-1:1.9.5-4.el6
rh-php56-php-pear-1:1.9.5-4.el7
rh-php56-php-pgsql-0:5.6.25-1.el6
rh-php56-php-pgsql-0:5.6.25-1.el7
rh-php56-php-process-0:5.6.25-1.el6
rh-php56-php-process-0:5.6.25-1.el7
rh-php56-php-pspell-0:5.6.25-1.el6
rh-php56-php-pspell-0:5.6.25-1.el7
rh-php56-php-recode-0:5.6.25-1.el6
rh-php56-php-recode-0:5.6.25-1.el7
rh-php56-php-snmp-0:5.6.25-1.el6
rh-php56-php-snmp-0:5.6.25-1.el7
rh-php56-php-soap-0:5.6.25-1.el6
rh-php56-php-soap-0:5.6.25-1.el7
rh-php56-php-tidy-0:5.6.25-1.el6
rh-php56-php-xml-0:5.6.25-1.el6
rh-php56-php-xml-0:5.6.25-1.el7
rh-php56-php-xmlrpc-0:5.6.25-1.el6
rh-php56-php-xmlrpc-0:5.6.25-1.el7
rh-php56-runtime-0:2.3-1.el6
rh-php56-runtime-0:2.3-1.el7
rh-php56-scldevel-0:2.3-1.el6
rh-php56-scldevel-0:2.3-1.el7

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Redhat

References