Security update for php7 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:2941-1 Final 1 1 2016-11-29T12:42:58Z current 2016-11-29T12:42:58Z 2016-11-29T12:42:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for php7 This update for php7 fixes the following security issues: - CVE-2016-5385: Setting HTTP_PROXY environment variable via Proxy header (httpoxy) (bsc#988486). - CVE-2016-9137: Fixing a Use After Free in unserialize() (bsc#1008029). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Module-Web-Scripting-12-2016-1722,SUSE-SLE-SDK-12-SP1-2016-1722,SUSE-SLE-SDK-12-SP2-2016-1722 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20162941-1/ Link for SUSE-SU-2016:2941-1 https://lists.suse.com/pipermail/sle-security-updates/2016-November/002428.html E-Mail link for SUSE-SU-2016:2941-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1008029 SUSE Bug 1008029 https://bugzilla.suse.com/988486 SUSE Bug 988486 https://www.suse.com/security/cve/CVE-2016-5385/ SUSE CVE CVE-2016-5385 page https://www.suse.com/security/cve/CVE-2016-9137/ SUSE CVE CVE-2016-9137 page SUSE Linux Enterprise Module for Web and Scripting 12 SUSE Linux Enterprise Software Development Kit 12 SP1 SUSE Linux Enterprise Software Development Kit 12 SP2 apache2-mod_php7-7.0.7-25.1 php7-7.0.7-25.1 php7-bcmath-7.0.7-25.1 php7-bz2-7.0.7-25.1 php7-calendar-7.0.7-25.1 php7-ctype-7.0.7-25.1 php7-curl-7.0.7-25.1 php7-dba-7.0.7-25.1 php7-dom-7.0.7-25.1 php7-enchant-7.0.7-25.1 php7-exif-7.0.7-25.1 php7-fastcgi-7.0.7-25.1 php7-fileinfo-7.0.7-25.1 php7-fpm-7.0.7-25.1 php7-ftp-7.0.7-25.1 php7-gd-7.0.7-25.1 php7-gettext-7.0.7-25.1 php7-gmp-7.0.7-25.1 php7-iconv-7.0.7-25.1 php7-imap-7.0.7-25.1 php7-intl-7.0.7-25.1 php7-json-7.0.7-25.1 php7-ldap-7.0.7-25.1 php7-mbstring-7.0.7-25.1 php7-mcrypt-7.0.7-25.1 php7-mysql-7.0.7-25.1 php7-odbc-7.0.7-25.1 php7-opcache-7.0.7-25.1 php7-openssl-7.0.7-25.1 php7-pcntl-7.0.7-25.1 php7-pdo-7.0.7-25.1 php7-pear-7.0.7-25.1 php7-pear-Archive_Tar-7.0.7-25.1 php7-pgsql-7.0.7-25.1 php7-phar-7.0.7-25.1 php7-posix-7.0.7-25.1 php7-pspell-7.0.7-25.1 php7-shmop-7.0.7-25.1 php7-snmp-7.0.7-25.1 php7-soap-7.0.7-25.1 php7-sockets-7.0.7-25.1 php7-sqlite-7.0.7-25.1 php7-sysvmsg-7.0.7-25.1 php7-sysvsem-7.0.7-25.1 php7-sysvshm-7.0.7-25.1 php7-tokenizer-7.0.7-25.1 php7-wddx-7.0.7-25.1 php7-xmlreader-7.0.7-25.1 php7-xmlrpc-7.0.7-25.1 php7-xmlwriter-7.0.7-25.1 php7-xsl-7.0.7-25.1 php7-zip-7.0.7-25.1 php7-zlib-7.0.7-25.1 php7-devel-7.0.7-25.1 apache2-mod_php7-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-bcmath-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-bz2-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-calendar-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-ctype-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-curl-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-dba-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-dom-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-enchant-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-exif-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-fastcgi-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-fileinfo-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-fpm-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-ftp-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-gd-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-gettext-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-gmp-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-iconv-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-imap-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-intl-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-json-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-ldap-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-mbstring-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-mcrypt-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-mysql-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-odbc-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-opcache-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-openssl-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-pcntl-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-pdo-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-pear-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-pear-Archive_Tar-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-pgsql-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-phar-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-posix-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-pspell-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-shmop-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-snmp-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-soap-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-sockets-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-sqlite-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-sysvmsg-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-sysvsem-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-sysvshm-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-tokenizer-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-wddx-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-xmlreader-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-xmlrpc-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-xmlwriter-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-xsl-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-zip-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-zlib-7.0.7-25.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 php7-devel-7.0.7-25.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP1 php7-devel-7.0.7-25.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue. CVE-2016-5385 SUSE Linux Enterprise Module for Web and Scripting 12:apache2-mod_php7-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-bcmath-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-bz2-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-calendar-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-ctype-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-curl-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-dba-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-dom-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-enchant-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-exif-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-fastcgi-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-fileinfo-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-fpm-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-ftp-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-gd-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-gettext-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-gmp-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-iconv-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-imap-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-intl-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-json-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-ldap-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-mbstring-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-mcrypt-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-mysql-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-odbc-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-opcache-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-openssl-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-pcntl-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-pdo-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-pear-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-pear-Archive_Tar-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-pgsql-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-phar-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-posix-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-pspell-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-shmop-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-snmp-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-soap-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-sockets-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-sqlite-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-sysvmsg-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-sysvsem-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-sysvshm-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-tokenizer-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-wddx-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-xmlreader-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-xmlrpc-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-xmlwriter-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-xsl-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-zip-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-zlib-7.0.7-25.1 SUSE Linux Enterprise Software Development Kit 12 SP1:php7-devel-7.0.7-25.1 SUSE Linux Enterprise Software Development Kit 12 SP2:php7-devel-7.0.7-25.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162941-1/ https://www.suse.com/security/cve/CVE-2016-5385.html CVE-2016-5385 https://bugzilla.suse.com/988484 SUSE Bug 988484 https://bugzilla.suse.com/988486 SUSE Bug 988486 https://bugzilla.suse.com/988487 SUSE Bug 988487 https://bugzilla.suse.com/988488 SUSE Bug 988488 https://bugzilla.suse.com/988489 SUSE Bug 988489 https://bugzilla.suse.com/988491 SUSE Bug 988491 https://bugzilla.suse.com/988492 SUSE Bug 988492 https://bugzilla.suse.com/989125 SUSE Bug 989125 https://bugzilla.suse.com/989174 SUSE Bug 989174 Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wakeup processing. CVE-2016-9137 SUSE Linux Enterprise Module for Web and Scripting 12:apache2-mod_php7-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-bcmath-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-bz2-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-calendar-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-ctype-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-curl-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-dba-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-dom-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-enchant-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-exif-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-fastcgi-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-fileinfo-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-fpm-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-ftp-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-gd-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-gettext-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-gmp-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-iconv-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-imap-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-intl-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-json-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-ldap-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-mbstring-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-mcrypt-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-mysql-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-odbc-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-opcache-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-openssl-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-pcntl-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-pdo-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-pear-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-pear-Archive_Tar-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-pgsql-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-phar-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-posix-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-pspell-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-shmop-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-snmp-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-soap-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-sockets-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-sqlite-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-sysvmsg-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-sysvsem-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-sysvshm-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-tokenizer-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-wddx-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-xmlreader-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-xmlrpc-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-xmlwriter-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-xsl-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-zip-7.0.7-25.1 SUSE Linux Enterprise Module for Web and Scripting 12:php7-zlib-7.0.7-25.1 SUSE Linux Enterprise Software Development Kit 12 SP1:php7-devel-7.0.7-25.1 SUSE Linux Enterprise Software Development Kit 12 SP2:php7-devel-7.0.7-25.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162941-1/ https://www.suse.com/security/cve/CVE-2016-9137.html CVE-2016-9137 https://bugzilla.suse.com/1008026 SUSE Bug 1008026 https://bugzilla.suse.com/1008029 SUSE Bug 1008029