Vulnerabilities > CVE-2018-10546 - Infinite Loop vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Misc. NASL id SECURITYCENTER_5_7_1_TNS_2018_12.NASL description According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is prior to 5.7.1. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 117672 published 2018-09-24 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117672 title Tenable SecurityCenter < 5.7.1 Multiple Vulnerabilities (TNS-2018-12) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1249.NASL description According to the version of the php packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - An infinite loop vulnerability was found in ext/iconv/iconv.c in PHP due to the iconv stream not rejecting invalid multibyte sequences. A remote attacker could use this vulnerability to hang the php process and consume resources.i1/4^CVE-2018-10546i1/4%0 Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-19 modified 2019-04-04 plugin id 123717 published 2019-04-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123717 title EulerOS Virtualization 2.5.4 : php (EulerOS-SA-2019-1249) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2018-136-02.NASL description New php packages are available for Slackware 14.0, 14.1, and 14.2 to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 109871 published 2018-05-17 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109871 title Slackware 14.0 / 14.1 / 14.2 : php (SSA:2018-136-02) NASL family CGI abuses NASL id PHP_5_6_36.NASL description According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.36. It is, therefore, affected by multiple vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 109576 published 2018-05-04 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109576 title PHP 5.6.x < 5.6.36 Multiple Vulnerabilities NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1309.NASL description According to the version of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - An infinite loop vulnerability was found in ext/iconv/iconv.c in PHP due to the iconv stream not rejecting invalid multibyte sequences. A remote attacker could use this vulnerability to hang the php process and consume resources.(CVE-2018-10546) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2018-09-27 plugin id 117752 published 2018-09-27 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117752 title EulerOS 2.0 SP2 : php (EulerOS-SA-2018-1309) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1544.NASL description According to the versions of the php packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An integer underflow flaw leading to out-of-bounds memory access was found in the way PHP last seen 2020-06-01 modified 2020-06-02 plugin id 124997 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124997 title EulerOS Virtualization 3.0.1.0 : php (EulerOS-SA-2019-1544) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1069.NASL description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An infinite loop vulnerability was found in ext/iconv/iconv.c in PHP due to the iconv stream not rejecting invalid multibyte sequences. A remote attacker could use this vulnerability to hang the php process and consume resources.(CVE-2018-10546) - gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data.(CVE-2019-6977) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2019-03-08 plugin id 122692 published 2019-03-08 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122692 title EulerOS 2.0 SP5 : php (EulerOS-SA-2019-1069) NASL family CGI abuses NASL id PHP_7_0_30.NASL description According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.30. It is, therefore, affected by multiple vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 109577 published 2018-05-04 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109577 title PHP 7.0.x < 7.0.30 Multiple Vulnerabilities NASL family CGI abuses NASL id PHP_7_2_5.NASL description According to its banner, the version of PHP running on the remote web server is 7.2.x prior to 7.2.5. It is, therefore, affected by multiple vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 109579 published 2018-05-04 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109579 title PHP 7.2.x < 7.2.5 Stack Buffer Overflow NASL family Fedora Local Security Checks NASL id FEDORA_2018-EE6707D519.NASL description **PHP version 7.2.5** (26 Apr 2018) **Core:** - Fixed bug php#75722 (Convert valgrind detection to configure option). (Michael Heimpold) **Date:** - Fixed bug php#76131 (mismatch arginfo for date_create). (carusogabriel) **Exif:** - Fixed bug php#76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value). (Stas) **FPM:** - Fixed bug php#68440 (ERROR: failed to reload: execvp() failed: Argument list too long). (Jacob Hipps) - Fixed incorrect write to getenv result in FPM reload. (Jakub Zelenka) **GD:** - Fixed bug php#52070 (imagedashedline() - dashed line sometimes is not visible). (cmb) **intl:** - Fixed bug php#76153 (Intl compilation fails with icu4c 61.1). (Anatol) **iconv:** - Fixed bug php#76249 (stream filter convert.iconv leads to infinite loop on invalid sequence). (Stas) **ldap:** - Fixed bug php#76248 (Malicious LDAP-Server Response causes Crash). (Stas) **mbstring:** - Fixed bug php#75944 (Wrong cp1251 detection). (dmk001) - Fixed bug php#76113 (mbstring does not build with Oniguruma 6.8.1). (chrullrich, cmb) **ODBC:** - Fixed bug php#76088 (ODBC functions are not available by default on Windows). (cmb) **Opcache:** - Fixed bug php#76094 (Access violation when using opcache). (Laruence) **Phar:** - Fixed bug php#76129 (fix for CVE-2018-5712 may not be complete). (Stas) **phpdbg:** - Fixed bug php#76143 (Memory corruption: arbitrary NUL overwrite). (Laruence) **SPL:** - Fixed bug php#76131 (mismatch arginfo for splarray constructor). (carusogabriel) **standard:** - Fixed bug php#74139 (mail.add_x_header default inconsistent with docs). (cmb) - Fixed bug php#75996 (incorrect url in header for mt_rand). (tatarbj) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120886 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120886 title Fedora 28 : php (2018-ee6707d519) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1397.NASL description Several vulnerabilities were found in PHP, a widely-used open source general purpose scripting language : CVE-2018-7584 A stack-buffer-overflow while parsing HTTP response results in copying a large string and possible memory corruption and/or denial of service CVE-2018-10545 Dumpable FPM child processes allow bypassing opcache access controls resulting in potential information disclosure where one user can obtain information about another user last seen 2020-06-01 modified 2020-06-02 plugin id 110697 published 2018-06-27 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110697 title Debian DLA-1397-1 : php5 security update NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1291-1.NASL description This update for php5 fixes the following issues: Security issues fixed : - CVE-2018-10545: Fix access controls in FPM child processes (bsc#1091367). - CVE-2018-10547: Fix Reflected XSS on the PHAR 403 and 404 error pages (bsc#1091362). - CVE-2018-10546: Fix an infinite loop exists in ext/iconv/iconv.c (bsc#1091363). - CVE-2018-10548: Fix remote denial of service in ext/ldap/ldap.c (bsc#1091355). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-21 modified 2019-01-02 plugin id 120023 published 2019-01-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120023 title SUSE SLES12 Security Update : php5 (SUSE-SU-2018:1291-1) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2018-1019.NASL description NULL pointer dereference due to mishandling of ldap_get_dn return value allows denial-of-service by malicious LDAP server or man-in-the-middle attacker An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value.(CVE-2018-10548) Infinite loop in ext/iconv/iconv.c when using stream filter with convert.incov on invalid sequence leads to denial-of-service An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences.(CVE-2018-10546) Reflected XSS vulnerability on PHAR 403 and 404 error pages An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712 .(CVE-2018-10547) Out-of-bounds read in ext/exif/exif.c:exif_read_data() when reading crafted JPEG data An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. exif_read_data in ext/exif/exif.c has an out-of-bounds read for crafted JPEG data because exif_iif_add_value mishandles the case of a MakerNote that lacks a final last seen 2020-06-01 modified 2020-06-02 plugin id 109701 published 2018-05-11 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109701 title Amazon Linux AMI : php56 / php70,php71 (ALAS-2018-1019) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1310.NASL description According to the version of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - An infinite loop vulnerability was found in ext/iconv/iconv.c in PHP due to the iconv stream not rejecting invalid multibyte sequences. A remote attacker could use this vulnerability to hang the php process and consume resources.(CVE-2018-10546) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2018-09-27 plugin id 117753 published 2018-09-27 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117753 title EulerOS 2.0 SP3 : php (EulerOS-SA-2018-1310) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201812-01.NASL description The remote host is affected by the vulnerability described in GLSA-201812-01 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the referenced CVE identifiers for details. Impact : An attacker could cause a Denial of Service condition or obtain sensitive information. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 119320 published 2018-12-03 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119320 title GLSA-201812-01 : PHP: Multiple vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4240.NASL description Several vulnerabilities were found in PHP, a widely-used open source general purpose scripting language : - CVE-2018-7584 Buffer underread in parsing HTTP responses - CVE-2018-10545 Dumpable FPM child processes allowed the bypass of opcache access controls - CVE-2018-10546 Denial of service via infinite loop in convert.iconv stream filter - CVE-2018-10547 The fix for CVE-2018-5712 (shipped in DSA 4080) was incomplete - CVE-2018-10548 Denial of service via malformed LDAP server responses - CVE-2018-10549 Out-of-bounds read when parsing malformed JPEG files last seen 2020-06-01 modified 2020-06-02 plugin id 110928 published 2018-07-06 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110928 title Debian DSA-4240-1 : php7.0 - security update NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1176-1.NASL description This update for php7 fixes the following issues: Security issues fixed : - CVE-2018-10545: Fix access controls in FPM child processes (bsc#1091367). - CVE-2018-10547: Fix Reflected XSS on the PHAR 403 and 404 error pages (bsc#1091362). - CVE-2018-10546: Fix an infinite loop exists in ext/iconv/iconv.c (bsc#1091363). - CVE-2018-10548: Fix remote denial of service in ext/ldap/ldap.c (bsc#1091355). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-21 modified 2019-01-02 plugin id 120021 published 2019-01-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120021 title SUSE SLES12 Security Update : php7 (SUSE-SU-2018:1176-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1294-1.NASL description This update for php53 fixes the following issues: Security issues fixed : - CVE-2018-10545: Fix access controls in FPM child processes (bsc#1091367). - CVE-2018-10547: Fix Reflected XSS on the PHAR 403 and 404 error pages (bsc#1091362). - CVE-2018-10546: Fix an infinite loop exists in ext/iconv/iconv.c (bsc#1091363). - CVE-2018-10548: Fix remote denial of service in ext/ldap/ldap.c (bsc#1091355). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 109860 published 2018-05-16 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109860 title SUSE SLES11 Security Update : php53 (SUSE-SU-2018:1294-1) NASL family Fedora Local Security Checks NASL id FEDORA_2018-6071A600E8.NASL description **PHP version 7.1.17** (26 Apr 2018) **Date:** - Fixed bug php#76131 (mismatch arginfo for date_create). (carusogabriel) **Exif:** - Fixed bug php#76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value). (Stas) **FPM:** - Fixed bug php#68440 (ERROR: failed to reload: execvp() failed: Argument list too long). (Jacob Hipps) - Fixed incorrect write to getenv result in FPM reload. (Jakub Zelenka) **GD:** - Fixed bug php#52070 (imagedashedline() - dashed line sometimes is not visible). (cmb) **iconv:** - Fixed bug php#76249 (stream filter convert.iconv leads to infinite loop on invalid sequence). (Stas) **intl:** - Fixed bug php#76153 (Intl compilation fails with icu4c 61.1). (Anatol) **ldap:** - Fixed bug php#76248 (Malicious LDAP-Server Response causes Crash). (Stas) **mbstring:** - Fixed bug php#75944 (Wrong cp1251 detection). (dmk001) - Fixed bug php#76113 (mbstring does not build with Oniguruma 6.8.1). (chrullrich, cmb) **Phar:** - Fixed bug php#76129 (fix for CVE-2018-5712 may not be complete). (Stas) **phpdbg:** - Fixed bug php#76143 (Memory corruption: arbitrary NUL overwrite). (Laruence) **SPL:** - Fixed bug php#76131 (mismatch arginfo for splarray constructor). (carusogabriel) **standard:** - Fixed bug php#75996 (incorrect url in header for mt_rand). (tatarbj) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-05-04 plugin id 109560 published 2018-05-04 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109560 title Fedora 26 : php (2018-6071a600e8) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3646-1.NASL description It was discovered that PHP incorrectly handled opcache access controls when configured to use PHP-FPM. A local user could possibly use this issue to obtain sensitive information from another user last seen 2020-06-01 modified 2020-06-02 plugin id 109812 published 2018-05-15 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109812 title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : php5, php7.0, php7.1, php7.2 vulnerabilities (USN-3646-1) NASL family Fedora Local Security Checks NASL id FEDORA_2018-04F6056C42.NASL description **PHP version 7.1.17** (26 Apr 2018) **Date:** - Fixed bug php#76131 (mismatch arginfo for date_create). (carusogabriel) **Exif:** - Fixed bug php#76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value). (Stas) **FPM:** - Fixed bug php#68440 (ERROR: failed to reload: execvp() failed: Argument list too long). (Jacob Hipps) - Fixed incorrect write to getenv result in FPM reload. (Jakub Zelenka) **GD:** - Fixed bug php#52070 (imagedashedline() - dashed line sometimes is not visible). (cmb) **iconv:** - Fixed bug php#76249 (stream filter convert.iconv leads to infinite loop on invalid sequence). (Stas) **intl:** - Fixed bug php#76153 (Intl compilation fails with icu4c 61.1). (Anatol) **ldap:** - Fixed bug php#76248 (Malicious LDAP-Server Response causes Crash). (Stas) **mbstring:** - Fixed bug php#75944 (Wrong cp1251 detection). (dmk001) - Fixed bug php#76113 (mbstring does not build with Oniguruma 6.8.1). (chrullrich, cmb) **Phar:** - Fixed bug php#76129 (fix for CVE-2018-5712 may not be complete). (Stas) **phpdbg:** - Fixed bug php#76143 (Memory corruption: arbitrary NUL overwrite). (Laruence) **SPL:** - Fixed bug php#76131 (mismatch arginfo for splarray constructor). (carusogabriel) **standard:** - Fixed bug php#75996 (incorrect url in header for mt_rand). (tatarbj) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-05-04 plugin id 109559 published 2018-05-04 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109559 title Fedora 27 : php (2018-04f6056c42) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-465.NASL description This update for php5 fixes the following issues : Security issues fixed : - CVE-2018-10545: Fix access controls in FPM child processes (bsc#1091367). - CVE-2018-10547: Fix Reflected XSS on the PHAR 403 and 404 error pages (bsc#1091362). - CVE-2018-10546: Fix an infinite loop exists in ext/iconv/iconv.c (bsc#1091363). - CVE-2018-10548: Fix remote denial of service in ext/ldap/ldap.c (bsc#1091355). This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2018-05-17 plugin id 109878 published 2018-05-17 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109878 title openSUSE Security Update : php5 (openSUSE-2018-465) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-441.NASL description This update for php7 fixes the following issues : Security issues fixed : - CVE-2018-10545: Fix access controls in FPM child processes (bsc#1091367). - CVE-2018-10547: Fix Reflected XSS on the PHAR 403 and 404 error pages (bsc#1091362). - CVE-2018-10546: Fix an infinite loop exists in ext/iconv/iconv.c (bsc#1091363). - CVE-2018-10548: Fix remote denial of service in ext/ldap/ldap.c (bsc#1091355). This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2018-05-11 plugin id 109714 published 2018-05-11 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109714 title openSUSE Security Update : php7 (openSUSE-2018-441) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1247.NASL description According to the version of the php packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - An infinite loop vulnerability was found in ext/iconv/iconv.c in PHP due to the iconv stream not rejecting invalid multibyte sequences. A remote attacker could use this vulnerability to hang the php process and consume resources.(CVE-2018-10546) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 123715 published 2019-04-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123715 title EulerOS Virtualization 2.5.3 : php (EulerOS-SA-2019-1247) NASL family CGI abuses NASL id PHP_7_1_17.NASL description According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.17. It is, therefore, affected by multiple vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 109578 published 2018-05-04 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109578 title PHP 7.1.x < 7.1.17 Multiple Vulnerabilities
Redhat
advisories |
| ||||
rpms |
|
References
- http://php.net/ChangeLog-5.php
- http://php.net/ChangeLog-5.php
- http://php.net/ChangeLog-7.php
- http://php.net/ChangeLog-7.php
- http://www.securityfocus.com/bid/104019
- http://www.securityfocus.com/bid/104019
- http://www.securitytracker.com/id/1040807
- http://www.securitytracker.com/id/1040807
- https://access.redhat.com/errata/RHSA-2019:2519
- https://access.redhat.com/errata/RHSA-2019:2519
- https://bugs.php.net/bug.php?id=76249
- https://bugs.php.net/bug.php?id=76249
- https://lists.debian.org/debian-lts-announce/2018/06/msg00005.html
- https://lists.debian.org/debian-lts-announce/2018/06/msg00005.html
- https://security.gentoo.org/glsa/201812-01
- https://security.gentoo.org/glsa/201812-01
- https://security.netapp.com/advisory/ntap-20180607-0003/
- https://security.netapp.com/advisory/ntap-20180607-0003/
- https://usn.ubuntu.com/3646-1/
- https://usn.ubuntu.com/3646-1/
- https://www.debian.org/security/2018/dsa-4240
- https://www.debian.org/security/2018/dsa-4240
- https://www.tenable.com/security/tns-2018-12
- https://www.tenable.com/security/tns-2018-12