1. Ubuntu Security Notices
  2. USN-3382-2

USN-3382-2: PHP vulnerabilities

Publication date

18 December 2017

Overview

Several security issues were fixed in PHP.

Releases

Packages

  • php5 - HTML-embedded scripting language interpreter

Details

USN-3382-1 fixed several vulnerabilities in PHP. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that the PHP URL parser incorrectly handled certain URI
components. A remote attacker could possibly use this issue to bypass
hostname-specific URL checks. (CVE-2016-10397)

It was discovered that PHP incorrectly handled certain boolean parameters
when unserializing data. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. (CVE-2017-11143)

Sebastian Li, Wei Lei, Xie Xiaofei, and Liu Yang discovered that PHP
incorrectly handled the OpenSSL sealing function. A remote attacker could
possibly use this issue to cause PHP to crash, resulting in a denial of
service. (CVE-2017-11144)

Wei...

USN-3382-1 fixed several vulnerabilities in PHP. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that the PHP URL parser incorrectly handled certain URI
components. A remote attacker could possibly use this issue to bypass
hostname-specific URL checks. (CVE-2016-10397)

It was discovered that PHP incorrectly handled certain boolean parameters
when unserializing data. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. (CVE-2017-11143)

Sebastian Li, Wei Lei, Xie Xiaofei, and Liu Yang discovered that PHP
incorrectly handled the OpenSSL sealing function. A remote attacker could
possibly use this issue to cause PHP to crash, resulting in a denial of
service. (CVE-2017-11144)

Wei Lei and Liu Yang discovered that the PHP date extension incorrectly
handled memory. A remote attacker could possibly use this issue to disclose
sensitive information from the server. (CVE-2017-11145)

It was discovered that PHP incorrectly handled certain PHAR archives. A
remote attacker could use this issue to cause PHP to crash or disclose
sensitive information. This issue only affected Ubuntu 14.04 LTS.
(CVE-2017-11147)

Wei Lei and Liu Yang discovered that PHP incorrectly handled parsing ini
files. An attacker could possibly use this issue to cause PHP to crash,
resulting in a denial of service. (CVE-2017-11628)

It was discovered that PHP mbstring incorrectly handled certain regular
expressions. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
12.04 precise php5-cli –  5.3.10-1ubuntu3.28
php5 –  5.3.10-1ubuntu3.28
libapache2-mod-php5 –  5.3.10-1ubuntu3.28
php5-fpm –  5.3.10-1ubuntu3.28
php5-cgi –  5.3.10-1ubuntu3.28

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›