rh-php56-php-5.6.5-7.el7

Errata ID: AXSA:2016-130:01

Release date: 
2016/03/10 Thursday - 13:10
Title: 
rh-php56-php-5.6.5-7.el7
Affected channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated web pages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts.

This package contains the module (often referred to as mod_php)
which adds support for the PHP language to the Apache HTTP Server 2.4.

Security issues fixed with this release:

CVE-2015-2783
ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x
before 5.6.8 allows remote attackers to obtain sensitive information
from process memory or cause a denial of service (buffer over-read and
application crash) via a crafted length value in conjunction with
crafted serialized data in a phar archive, related to the
phar_parse_metadata and phar_parse_pharfile functions.
CVE-2015-3307
The phar_parse_metadata function in ext/phar/phar.c in PHP before
5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote
attackers to cause a denial of service (heap metadata corruption) or
possibly have unspecified other impact via a crafted tar archive.
CVE-2015-3329
Multiple stack-based buffer overflows in the phar_set_inode function
in phar_internal.h in PHP before 5.4.40, 5.5.x before 5.5.24, and
5.6.x before 5.6.8 allow remote attackers to execute arbitrary code
via a crafted length value in a (1) tar, (2) phar, or (3) ZIP archive.
CVE-2015-3330
The php_handler function in sapi/apache2handler/sapi_apache2.c in PHP
before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, when the
Apache HTTP Server 2.4.x is used, allows remote attackers to cause a
denial of service (application crash) or possibly execute arbitrary
code via pipelined HTTP requests that result in a "deconfigured
interpreter."
CVE-2015-3411
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-3412
** RESERVED **
CVE-2015-4021
The phar_parse_tarfile function in ext/phar/tar.c in PHP before
5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 does not verify
that the first character of a filename is different from the \0
character, which allows remote attackers to cause a denial of service
(integer underflow and memory corruption) via a crafted entry in a tar
archive.
CVE-2015-4022
Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP
before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows
remote FTP servers to execute arbitrary code via a long reply to a
LIST command, leading to a heap-based buffer overflow.
CVE-2015-4024
Algorithmic complexity vulnerability in the multipart_buffer_headers
function in main/rfc1867.c in PHP before 5.4.41, 5.5.x before 5.5.25,
and 5.6.x before 5.6.9 allows remote attackers to cause a denial of
service (CPU consumption) via crafted form data that triggers an
improper order-of-growth outcome.
CVE-2015-4025
PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9
truncates a pathname upon encountering a \x00 character in certain
situations, which allows remote attackers to bypass intended extension
restrictions and access files or directories with unexpected names via
a crafted argument to (1) set_include_path, (2) tempnam, (3) rmdir, or
(4) readlink. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2006-7243.
CVE-2015-4026
The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before
5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering
a \x00 character, which might allow remote attackers to bypass
intended extension restrictions and execute files with unexpected
names via a crafted first argument. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2006-7243.
CVE-2015-4598
** RESERVED **
CVE-2015-4602
** RESERVED **
CVE-2015-4603
** RESERVED **
CVE-2015-4604
** RESERVED **
CVE-2015-4605
** RESERVED **
CVE-2015-4643
** RESERVED **
CVE-2015-4644
** RESERVED **

Solution: 

Update packages.

Additional information: 

N/A

Download: 

SRPMS
  1. rh-php56-php-5.6.5-7.el7.src.rpm
    MD5: 3f01fe4e0c888160f3fa24bee99913e2
    SHA-256: a12ba4fcda0e3e50d9052a61338cb6d1496b54e1fcdcacc18d919d1e0aca6826
    Size: 10.98 MB

Asianux Server 7 for x86_64
  1. rh-php56-php-5.6.5-7.el7.x86_64.rpm
    MD5: 94687c55a320c66d09c9900ea2bdc294
    SHA-256: 5f9e216a0ced6edaeb1591643744646073892aa707232cbe9f748c059c5e4899
    Size: 1.29 MB
  2. rh-php56-php-bcmath-5.6.5-7.el7.x86_64.rpm
    MD5: 66ee4bc2636a390e799f13d861236272
    SHA-256: 0d90b92be9b72b20afdde7ba3c79c6a725bfa233428ed3dd22633d8070062ea1
    Size: 57.13 kB
  3. rh-php56-php-cli-5.6.5-7.el7.x86_64.rpm
    MD5: 3ae87c2e60334ed8ceb8c1b565c8ba78
    SHA-256: bdcdb22ec560290b3dc3b4abf3debef633fc4c2f633a99d098f077c12cde8449
    Size: 2.62 MB
  4. rh-php56-php-common-5.6.5-7.el7.x86_64.rpm
    MD5: eaedae33e9d65c16bc15f2eb09c36cde
    SHA-256: b13c61ebd80963c9a20523641644e8d1687079cad1b5412a98c1db164a5deb24
    Size: 727.78 kB
  5. rh-php56-php-dba-5.6.5-7.el7.x86_64.rpm
    MD5: a1fbdd84e1e8709665fb4460f626e643
    SHA-256: 23f95ea3d8816bb0ece797bcd35bf252a7bf5b9478ee2652c43c2e3bed51857b
    Size: 55.75 kB
  6. rh-php56-php-dbg-5.6.5-7.el7.x86_64.rpm
    MD5: dd8ebdffbdd2c6c3c800e7a7fd78cd94
    SHA-256: 873aa0c2fab003f07b6fdeb5821dc0b0466550e974f7a4f72e18ddc801b59a6d
    Size: 1.35 MB
  7. rh-php56-php-devel-5.6.5-7.el7.x86_64.rpm
    MD5: b71d661728c84a554597befe440be60a
    SHA-256: 08e9477a96920e7946f47066b0d080ee5b45eaa96077c78fae01a2be060650e4
    Size: 625.10 kB
  8. rh-php56-php-embedded-5.6.5-7.el7.x86_64.rpm
    MD5: 418ba21843f78fcae549c376118abde8
    SHA-256: d73644634fc7566b9690049c9063abc1e5898c5095deab03b86152a61cb5f84c
    Size: 1.28 MB
  9. rh-php56-php-enchant-5.6.5-7.el7.x86_64.rpm
    MD5: 3d73d6ccd1cd7eee8e97af3c678ac2d3
    SHA-256: 9acf202ad00dc95c74c06af600dbc9d7802069f01ec57d643a5614c11cd2e14a
    Size: 41.86 kB
  10. rh-php56-php-fpm-5.6.5-7.el7.x86_64.rpm
    MD5: 0a81159fdc98499e336d8955923a954d
    SHA-256: a4fd1e14923423642216e7536226daabb12a8005dc9ac1c8ed990ed53affa628
    Size: 1.36 MB
  11. rh-php56-php-gd-5.6.5-7.el7.x86_64.rpm
    MD5: d4f7ed0f2f59341280aff68bcd3a8c00
    SHA-256: 4695ab6e3c1a5ede4d97d423e2dedf0e349e9fb3613c6983751f9167ca2fc07e
    Size: 154.83 kB
  12. rh-php56-php-gmp-5.6.5-7.el7.x86_64.rpm
    MD5: 6cfdb141963db8ffdbe0e37eb12c61fd
    SHA-256: 9f8a07d6b117238e8414db6817afc40730f113773b8537e211fd00cceda2da9b
    Size: 53.84 kB
  13. rh-php56-php-intl-5.6.5-7.el7.x86_64.rpm
    MD5: 157620c4c184cae5afb015508337393f
    SHA-256: b54042fcc187d4de2aa519115d679e4d19eb408fecc41ab32bcb855523e44c31
    Size: 147.24 kB
  14. rh-php56-php-ldap-5.6.5-7.el7.x86_64.rpm
    MD5: 7e8420edea0152c68831358a89b507dd
    SHA-256: 538365925507cb3fa73be8f073f9cf6e2b9ed781642dc341ba2c9994af8a210e
    Size: 54.48 kB
  15. rh-php56-php-mbstring-5.6.5-7.el7.x86_64.rpm
    MD5: aab5d40f2967da3a4eb3c8bd782a9d2b
    SHA-256: 734aac42b65370f7faaaedd758da3a8db5551f2cd5222103092ceaad3455e300
    Size: 516.42 kB
  16. rh-php56-php-mysqlnd-5.6.5-7.el7.x86_64.rpm
    MD5: e58814dc841f25ce2917cf932944b16d
    SHA-256: 5cbcc7da24c100cd38270e19c058aa1a0167402285fc31fe2ee0c7c0c4521ba3
    Size: 1.20 MB
  17. rh-php56-php-odbc-5.6.5-7.el7.x86_64.rpm
    MD5: 8339a2c33f9c4c7df3e790c6aa548607
    SHA-256: 906cdbbdfde985666bbd04579a8845fe5b7e1c92493a3c153f2b7cbbe6d19117
    Size: 65.30 kB
  18. rh-php56-php-opcache-5.6.5-7.el7.x86_64.rpm
    MD5: 655a29404c549a8a5a3d4369e8d7986f
    SHA-256: 52f895ada3e6449c8be9e7be4d9629dd274bdd8b038d00229e96c5731b219e87
    Size: 98.44 kB
  19. rh-php56-php-pdo-5.6.5-7.el7.x86_64.rpm
    MD5: eb4f9b6472895eee0e61ff595f03f12b
    SHA-256: a2a7f860ecafc45842d5259afef80b254c4d1625d3fdc71b157e02ce69e28e78
    Size: 98.32 kB
  20. rh-php56-php-pgsql-5.6.5-7.el7.x86_64.rpm
    MD5: 9ff28ee563e2b8515a78f187b47ca25a
    SHA-256: faeb942e13f18be1662104e91ae6537d349add9d0d124819e29a71d61d25ce86
    Size: 91.98 kB
  21. rh-php56-php-process-5.6.5-7.el7.x86_64.rpm
    MD5: c29de12025238b2b87a2541ce233a25c
    SHA-256: e3eb35c030a52fce08060b97505d462542346f002fad2343b3fd9cafab7e4b93
    Size: 59.29 kB
  22. rh-php56-php-pspell-5.6.5-7.el7.x86_64.rpm
    MD5: c684a3e323194f830f5450503c4d5cac
    SHA-256: f5b85a595f39a7d97088a27ec1f2825d8aa50466204b840673d74a623d846df8
    Size: 41.07 kB
  23. rh-php56-php-recode-5.6.5-7.el7.x86_64.rpm
    MD5: abd6178f46b0bc8ed005b89da1df7ef3
    SHA-256: 5981a7f6b69d96a2ab2bc589468b2b08296a0e85a6a1765f2cee8f754c52714a
    Size: 37.99 kB
  24. rh-php56-php-snmp-5.6.5-7.el7.x86_64.rpm
    MD5: 1b07130eb386df192b3cb2ad5b6a32f5
    SHA-256: 73e7f8d8426777e307f74dd4041a25534ef9e2c04f6a998feb1c64d3ccb9bd1a
    Size: 52.48 kB
  25. rh-php56-php-soap-5.6.5-7.el7.x86_64.rpm
    MD5: a70a94de35f0480b8016b8cde14f5a30
    SHA-256: 8872db7655091efdb7232c7e7059fd0026dca5ec564d7fd430841c650bf26935
    Size: 159.03 kB
  26. rh-php56-php-xml-5.6.5-7.el7.x86_64.rpm
    MD5: 23a810506e9c794741795cb670292cce
    SHA-256: 15d25d3c838a717f7151dd1f6bf7bd7bad44821a1e453908731c48c354a3d468
    Size: 159.19 kB
  27. rh-php56-php-xmlrpc-5.6.5-7.el7.x86_64.rpm
    MD5: e6405a643260c8a0cc74776f9203d0fc
    SHA-256: 8964cbf9a65a3784cfe46ae9b15476dad5bd567c55c69fcd2427cf515504c91e
    Size: 67.47 kB