rh-php56-php-5.6.5-8.AXS4

エラータID: AXSA:2016-144:01

Release date: 
Thursday, March 17, 2016 - 18:58
Subject: 
rh-php56-php-5.6.5-8.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Severity: 
Moderate
Description: 

PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated web pages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts.

This package contains the module (often referred to as mod_php)
which adds support for the PHP language to Apache HTTP 2.4 Server.

Security issues fixed with this release:

CVE-2015-5589
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-5590
Stack-based buffer overflow in the phar_fix_filepath function in
ext/phar/phar.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x
before 5.6.11 allows remote attackers to cause a denial of service or
possibly have unspecified other impact via a large length value, as
demonstrated by mishandling of an e-mail attachment by the imap PHP
extension.
CVE-2015-6831
Multiple use-after-free vulnerabilities in SPL in PHP before 5.4.44,
5.5.x before 5.5.28, and 5.6.x before 5.6.12 allow remote attackers to
execute arbitrary code via vectors involving (1) ArrayObject, (2)
SplObjectStorage, and (3) SplDoublyLinkedList, which are mishandled
during unserialization.
CVE-2015-6832
Use-after-free vulnerability in the SPL unserialize implementation in
ext/spl/spl_array.c in PHP before 5.4.44, 5.5.x before 5.5.28, and
5.6.x before 5.6.12 allows remote attackers to execute arbitrary code
via crafted serialized data that triggers misuse of an array field.
CVE-2015-6833
Directory traversal vulnerability in the PharData class in PHP before
5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote
attackers to write to arbitrary files via a .. (dot dot) in a ZIP
archive entry that is mishandled during an extractTo call.
CVE-2015-6834
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-6835
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-6836
The SoapClient __call method in ext/soap/soap.c in PHP before 5.4.45,
5.5.x before 5.5.29, and 5.6.x before 5.6.13 does not properly manage
headers, which allows remote attackers to execute arbitrary code via
crafted serialized data that triggers a "type confusion" in the
serialize_function_call function.
CVE-2015-6837
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-6838
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-7803
The phar_get_entry_data function in ext/phar/util.c in PHP before
5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a
denial of service (NULL pointer dereference and application crash) via
a .phar file with a crafted TAR archive entry in which the Link
indicator references a file that does not exist.
CVE-2015-7804
Off-by-one error in the phar_parse_zipfile function in ext/phar/zip.c
in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers
to cause a denial of service (uninitialized pointer dereference and
application crash) by including the / filename in a .zip PHAR archive.

Solution: 

Update packages.

CVEs: 
CVE-2015-5589
The phar_convert_to_other function in ext/phar/phar_object.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 does not validate a file pointer before a close operation, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted TAR archive that is mishandled in a Phar::convertToData call.
CVE-2015-5590
Stack-based buffer overflow in the phar_fix_filepath function in ext/phar/phar.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large length value, as demonstrated by mishandling of an e-mail attachment by the imap PHP extension.
CVE-2015-6831
Multiple use-after-free vulnerabilities in SPL in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allow remote attackers to execute arbitrary code via vectors involving (1) ArrayObject, (2) SplObjectStorage, and (3) SplDoublyLinkedList, which are mishandled during unserialization.
CVE-2015-6832
Use-after-free vulnerability in the SPL unserialize implementation in ext/spl/spl_array.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to execute arbitrary code via crafted serialized data that triggers misuse of an array field.
CVE-2015-6833
Directory traversal vulnerability in the PharData class in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to write to arbitrary files via a .. (dot dot) in a ZIP archive entry that is mishandled during an extractTo call.
CVE-2015-6834
Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to execute arbitrary code via vectors related to (1) the Serializable interface, (2) the SplObjectStorage class, and (3) the SplDoublyLinkedList class, which are mishandled during unserialization.
CVE-2015-6835
The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content.
CVE-2015-6836
The SoapClient __call method in ext/soap/soap.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 does not properly manage headers, which allows remote attackers to execute arbitrary code via crafted serialized data that triggers a "type confusion" in the serialize_function_call function.
CVE-2015-6837
The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation during initial error checking, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6838.
CVE-2015-6838
The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation after the principal argument loop, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837.
CVE-2015-7803
The phar_get_entry_data function in ext/phar/util.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a .phar file with a crafted TAR archive entry in which the Link indicator references a file that does not exist.
CVE-2015-7804
Off-by-one error in the phar_parse_zipfile function in ext/phar/zip.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (uninitialized pointer dereference and application crash) by including the / filename in a .zip PHAR archive.
Additional Info: 

N/A

Download: 

SRPMS
  1. rh-php56-php-5.6.5-8.AXS4.src.rpm
    MD5: 86fafbe38092c8313f84f1ceeed6b080
    SHA-256: c7812b16df1953c88b98d6c7badf89c839d9246dab10c2e78bd6926845636c7b
    Size: 10.99 MB

Asianux Server 4 for x86_64
  1. rh-php56-php-5.6.5-8.AXS4.x86_64.rpm
    MD5: 85a05c2ddff90f7a30af98a270f9b50c
    SHA-256: ddd9d6834fdce5f6d81721bce0daf51e48dade104715d1b3193a2d79f095c51b
    Size: 1.28 MB
  2. rh-php56-php-bcmath-5.6.5-8.AXS4.x86_64.rpm
    MD5: b2f10b55f084d3ed9bf38b737232138c
    SHA-256: d5f984892e7a31b77c9bd40e8b38af320a47eb1b92a36b065d04707882009e78
    Size: 56.47 kB
  3. rh-php56-php-cli-5.6.5-8.AXS4.x86_64.rpm
    MD5: 01f0f9fa7ebfe6a31f59a9a751e722d1
    SHA-256: 42736c303a8a50ef1b630fd785b8ada479142f5f000ed2d1f9825c30b6827045
    Size: 2.48 MB
  4. rh-php56-php-common-5.6.5-8.AXS4.x86_64.rpm
    MD5: 6f6ec133e01e166098c9337400ed1b44
    SHA-256: 1b31cdf74da5ed4d56dc08a3cb7af5d4cab97413ea97c4ffe8a0bd2347c4d6e4
    Size: 721.18 kB
  5. rh-php56-php-dba-5.6.5-8.AXS4.x86_64.rpm
    MD5: 536258a9bbe6195a327dbe83e0ea5c1e
    SHA-256: c95d12bcf544366ecc9bdef4108ec88ebd3fa185afa0234ef7889ac9f273dfa4
    Size: 54.26 kB
  6. rh-php56-php-dbg-5.6.5-8.AXS4.x86_64.rpm
    MD5: 2ed06625cfafa30b086d9b56c82846a9
    SHA-256: 019174ac79fecd07529609fef262e83f41dbb078336c1921a9bf5d8f85f4972a
    Size: 1.28 MB
  7. rh-php56-php-devel-5.6.5-8.AXS4.x86_64.rpm
    MD5: c772e1f00355c8ee3913935e71c33ff8
    SHA-256: 3f000290ef12b342af4dc908ad2b108676610b78478983cbb24065ddf60ea4cc
    Size: 672.08 kB
  8. rh-php56-php-embedded-5.6.5-8.AXS4.x86_64.rpm
    MD5: e28167660d3a846ba68c5da68e883dce
    SHA-256: ca45f0f141cebb0db2926027c29cd47165c43f035dddfc701141db533a30839c
    Size: 1.27 MB
  9. rh-php56-php-enchant-5.6.5-8.AXS4.x86_64.rpm
    MD5: ef4adf0756fc83fdb15b378537844ccd
    SHA-256: 27b55cbf0ea112c1077d1fcc0cb41033d54aed756bae08f983e808dec6502f7e
    Size: 41.31 kB
  10. rh-php56-php-fpm-5.6.5-8.AXS4.x86_64.rpm
    MD5: 71f718b3cfd0085100f8916d9328e3cf
    SHA-256: be192d6ba4578b20b108c183ccafc7a09014d57e0c081bec5686dd138621f011
    Size: 1.29 MB
  11. rh-php56-php-gd-5.6.5-8.AXS4.x86_64.rpm
    MD5: 7424240ec24cd0b5c5580dc999281514
    SHA-256: 04b2b6a51fdad9d2708a38eec1639f64c0e6073838f7b5fd077ddb5703e4d209
    Size: 145.07 kB
  12. rh-php56-php-gmp-5.6.5-8.AXS4.x86_64.rpm
    MD5: c95a9c51abfcfaf6233e60b7c6ac39dc
    SHA-256: 9c4959a7fb51ab5c09bea417e07770e6bcf45b4c2c1d56c0a5e80641c57192b4
    Size: 50.80 kB
  13. rh-php56-php-imap-5.6.5-8.AXS4.x86_64.rpm
    MD5: 686c6cad224a65d1ff406e2f554318ae
    SHA-256: 17c6c871779e11bfbc97f1000a3ddd1621bfe6b94efdcd79e9dd4c5eda4a9765
    Size: 62.62 kB
  14. rh-php56-php-intl-5.6.5-8.AXS4.x86_64.rpm
    MD5: 40253883d87e60d0285b81571042dd6b
    SHA-256: a9ddff7681405268db62dc333b165bda4c8b6d736a70078f72292a3c06914431
    Size: 137.86 kB
  15. rh-php56-php-ldap-5.6.5-8.AXS4.x86_64.rpm
    MD5: d32e967c4c6489b52c0d563052f52f83
    SHA-256: 25c5d6cfeb46af6a3467d55cd4939eef14e30888a121f23b2b7ff0ac472c2ccf
    Size: 53.92 kB
  16. rh-php56-php-mbstring-5.6.5-8.AXS4.x86_64.rpm
    MD5: 962e4e837f1c43c1ab7a2688de39f429
    SHA-256: 9edd3e21a4c0d30125ea747004c17c53bcd81a0ef24e0f5c3cd44d3d3b12e912
    Size: 507.66 kB
  17. rh-php56-php-mysqlnd-5.6.5-8.AXS4.x86_64.rpm
    MD5: f52499a0f3a2cb8cc117c05c550e6b2e
    SHA-256: 8b3778b133e91205ed619fcbff7932416461f3d1e41a1b0dbbb87ce4c9610b75
    Size: 1.85 MB
  18. rh-php56-php-odbc-5.6.5-8.AXS4.x86_64.rpm
    MD5: 1b8c23010136ab684fb601b21f26bea1
    SHA-256: 02a421a34c354228244b4989d9b64e1ffb9949daf71c329e46e466c3d5290ed8
    Size: 63.45 kB
  19. rh-php56-php-opcache-5.6.5-8.AXS4.x86_64.rpm
    MD5: 75896ab5ec6505e41004073f7c6c010f
    SHA-256: 91aadc7ea2cd9aadcd4b337770faa250a946c0a7e0beb923d7af61620b3966b7
    Size: 94.66 kB
  20. rh-php56-php-pdo-5.6.5-8.AXS4.x86_64.rpm
    MD5: c9a9749f5afe89141b63a9184b40aa73
    SHA-256: e07dc35d39efb4e534cccf01f9e0942fbd397df9969a02414848308301345bae
    Size: 89.36 kB
  21. rh-php56-php-pgsql-5.6.5-8.AXS4.x86_64.rpm
    MD5: f0137f212be527b6961164f62138935d
    SHA-256: 353cb69329a4649bd222b90a56087000fc05a88d58da52afb90c4b016d1d27af
    Size: 87.57 kB
  22. rh-php56-php-process-5.6.5-8.AXS4.x86_64.rpm
    MD5: ec7a325b9d441723d58b208579033e30
    SHA-256: 95cbab452ca52fe1e0e9b4f60cf2566d181c7369649ee9bfefcd80e8a1ee5e7c
    Size: 54.94 kB
  23. rh-php56-php-pspell-5.6.5-8.AXS4.x86_64.rpm
    MD5: 4a47d7918dcf080cf10400939ba87e02
    SHA-256: 929991c229b689d998d7bc481e615cb6774bf504c53599b31562e5ab123764ad
    Size: 40.73 kB
  24. rh-php56-php-recode-5.6.5-8.AXS4.x86_64.rpm
    MD5: 26d0da58931116d856c28cdcac0a2488
    SHA-256: b570d09e36a9d0e95c7a6343ea8523a047ea9d0693ccd2b556a5f7a675044ea1
    Size: 37.75 kB
  25. rh-php56-php-snmp-5.6.5-8.AXS4.x86_64.rpm
    MD5: b883838f448db4aa161b102c26e7c214
    SHA-256: 0adc58e55d995a5a2fa37710b452e6573f53b275395c1b1d867297136d0f70b2
    Size: 51.35 kB
  26. rh-php56-php-soap-5.6.5-8.AXS4.x86_64.rpm
    MD5: 5b94298e182a464984b8f5fb4174b296
    SHA-256: 12e846c0d4054d55c15b54dede565fb3c90de77723242d28b32748aff019747f
    Size: 154.27 kB
  27. rh-php56-php-tidy-5.6.5-8.AXS4.x86_64.rpm
    MD5: f9eae1776d98875f2a6b4ca109f24204
    SHA-256: 38f1a5dc8bd03b47eb95814a4b4f99033a642916d720fd0327529745b32fbe48
    Size: 48.80 kB
  28. rh-php56-php-xml-5.6.5-8.AXS4.x86_64.rpm
    MD5: b2eeef43e7732d1c9f9d3d237ff6ba0b
    SHA-256: 7007fb6d79a2801b6e9de7a8f15a7b668bb5278e4c6b2af92b391f3af9c53f94
    Size: 145.80 kB
  29. rh-php56-php-xmlrpc-5.6.5-8.AXS4.x86_64.rpm
    MD5: d452097836905b08a86802d6ed4d014f
    SHA-256: b99b5960bf49ad795953b967cd75aaed87a6f7f45504f3332291144b689a5abc
    Size: 65.01 kB