Security update for php5

Announcement ID:	SUSE-SU-2016:1842-1
Rating:	moderate
References:	bsc#986004 bsc#986244 bsc#986246 bsc#986386 bsc#986388 bsc#986391 bsc#986392 bsc#986393 bsc#988486
Cross-References:	CVE-2015-8935 CVE-2016-5385 CVE-2016-5766 CVE-2016-5767 CVE-2016-5768 CVE-2016-5769 CVE-2016-5770 CVE-2016-5771 CVE-2016-5772
CVSS scores:	CVE-2016-5385 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-5385 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-5766 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-5767 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-5768 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2016-5768 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-5769 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-5770 ( SUSE ): 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2016-5770 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-5770 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-5771 ( SUSE ): 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2016-5771 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-5771 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-5772 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-5772 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP1 Web and Scripting Module 12

An update that solves nine vulnerabilities can now be installed.

Description:

This update for php5 fixes the following issues:

• It is possible to launch a web server with "php -S localhost:8080" It used to be possible to set an arbitrary $HTTP_PROXY environment variable for request handlers -- like CGI scripts -- by including a specially crafted HTTP header in the request (CVE-2016-5385). As a result, these server components would potentially direct all their outgoing HTTP traffic through a malicious proxy server. This patch fixes the issue: the updated php server ignores such HTTP headers and never sets $HTTP_PROXY for sub-processes. (bnc#988486)
• There was multiple cases where a remote attacker could trigger a double free and, given specific PHP code using callbacks, trigger code execution vectors. (bnc#986246,bnc#986244,CVE-2016-5768,CVE-2016-5772)
• It was possible to inject header or content information (XSS) when a user was using internet explorer as the browser. (bnc#986004, CVE-2015-8935)
• In several cases it was possible for a integer overflow to trigger an excessive memory allocation (bnc#986392, bnc#986388, bnc#986386, bnc#986393, CVE-2016-5770, CVE-2016-5769, CVE-2016-5766, CVE-2016-5767)
• It was possible for an attacker to abuse the garbage collector to free a target array. At this point an attacker could craft a fake zval object and exploit the PHP process by taking over the EIP/RIP. (bnc#986391, CVE-2016-5771)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Web and Scripting Module 12
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2016-1082=1
• SUSE Linux Enterprise Software Development Kit 12 SP1
  zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1082=1

Package List:

• Web and Scripting Module 12 (ppc64le s390x x86_64)
  • php5-bcmath-debuginfo-5.5.14-68.1
  • php5-xmlwriter-debuginfo-5.5.14-68.1
  • php5-ctype-debuginfo-5.5.14-68.1
  • php5-5.5.14-68.1
  • php5-sysvsem-debuginfo-5.5.14-68.1
  • php5-sysvshm-5.5.14-68.1
  • php5-iconv-5.5.14-68.1
  • php5-mcrypt-debuginfo-5.5.14-68.1
  • php5-mbstring-5.5.14-68.1
  • php5-posix-debuginfo-5.5.14-68.1
  • php5-gd-5.5.14-68.1
  • php5-sqlite-debuginfo-5.5.14-68.1
  • apache2-mod_php5-5.5.14-68.1
  • php5-phar-debuginfo-5.5.14-68.1
  • php5-ftp-5.5.14-68.1
  • php5-posix-5.5.14-68.1
  • php5-sockets-5.5.14-68.1
  • php5-sysvsem-5.5.14-68.1
  • php5-xmlreader-5.5.14-68.1
  • php5-calendar-debuginfo-5.5.14-68.1
  • php5-iconv-debuginfo-5.5.14-68.1
  • php5-tokenizer-5.5.14-68.1
  • php5-pspell-debuginfo-5.5.14-68.1
  • php5-suhosin-debuginfo-5.5.14-68.1
  • php5-mbstring-debuginfo-5.5.14-68.1
  • php5-gd-debuginfo-5.5.14-68.1
  • php5-bz2-5.5.14-68.1
  • php5-sysvshm-debuginfo-5.5.14-68.1
  • php5-sysvmsg-5.5.14-68.1
  • php5-mcrypt-5.5.14-68.1
  • php5-ctype-5.5.14-68.1
  • php5-curl-debuginfo-5.5.14-68.1
  • php5-sysvmsg-debuginfo-5.5.14-68.1
  • php5-snmp-5.5.14-68.1
  • php5-snmp-debuginfo-5.5.14-68.1
  • php5-pgsql-debuginfo-5.5.14-68.1
  • php5-dba-5.5.14-68.1
  • php5-enchant-debuginfo-5.5.14-68.1
  • php5-ldap-5.5.14-68.1
  • php5-fpm-5.5.14-68.1
  • php5-shmop-5.5.14-68.1
  • php5-pdo-5.5.14-68.1
  • php5-mysql-5.5.14-68.1
  • php5-fpm-debuginfo-5.5.14-68.1
  • php5-odbc-5.5.14-68.1
  • php5-intl-5.5.14-68.1
  • php5-tokenizer-debuginfo-5.5.14-68.1
  • php5-openssl-debuginfo-5.5.14-68.1
  • php5-pcntl-debuginfo-5.5.14-68.1
  • php5-suhosin-5.5.14-68.1
  • php5-soap-5.5.14-68.1
  • apache2-mod_php5-debuginfo-5.5.14-68.1
  • php5-fastcgi-5.5.14-68.1
  • php5-gmp-5.5.14-68.1
  • php5-xmlreader-debuginfo-5.5.14-68.1
  • php5-wddx-debuginfo-5.5.14-68.1
  • php5-imap-5.5.14-68.1
  • php5-xsl-debuginfo-5.5.14-68.1
  • php5-fastcgi-debuginfo-5.5.14-68.1
  • php5-fileinfo-debuginfo-5.5.14-68.1
  • php5-xmlwriter-5.5.14-68.1
  • php5-gettext-debuginfo-5.5.14-68.1
  • php5-enchant-5.5.14-68.1
  • php5-pcntl-5.5.14-68.1
  • php5-imap-debuginfo-5.5.14-68.1
  • php5-intl-debuginfo-5.5.14-68.1
  • php5-exif-debuginfo-5.5.14-68.1
  • php5-json-5.5.14-68.1
  • php5-zlib-debuginfo-5.5.14-68.1
  • php5-dba-debuginfo-5.5.14-68.1
  • php5-curl-5.5.14-68.1
  • php5-exif-5.5.14-68.1
  • php5-gmp-debuginfo-5.5.14-68.1
  • php5-dom-debuginfo-5.5.14-68.1
  • php5-sockets-debuginfo-5.5.14-68.1
  • php5-calendar-5.5.14-68.1
  • php5-zlib-5.5.14-68.1
  • php5-ftp-debuginfo-5.5.14-68.1
  • php5-bcmath-5.5.14-68.1
  • php5-phar-5.5.14-68.1
  • php5-zip-5.5.14-68.1
  • php5-json-debuginfo-5.5.14-68.1
  • php5-xmlrpc-debuginfo-5.5.14-68.1
  • php5-ldap-debuginfo-5.5.14-68.1
  • php5-pdo-debuginfo-5.5.14-68.1
  • php5-debuginfo-5.5.14-68.1
  • php5-pspell-5.5.14-68.1
  • php5-xmlrpc-5.5.14-68.1
  • php5-opcache-debuginfo-5.5.14-68.1
  • php5-debugsource-5.5.14-68.1
  • php5-opcache-5.5.14-68.1
  • php5-mysql-debuginfo-5.5.14-68.1
  • php5-gettext-5.5.14-68.1
  • php5-fileinfo-5.5.14-68.1
  • php5-zip-debuginfo-5.5.14-68.1
  • php5-openssl-5.5.14-68.1
  • php5-sqlite-5.5.14-68.1
  • php5-wddx-5.5.14-68.1
  • php5-bz2-debuginfo-5.5.14-68.1
  • php5-xsl-5.5.14-68.1
  • php5-shmop-debuginfo-5.5.14-68.1
  • php5-odbc-debuginfo-5.5.14-68.1
  • php5-soap-debuginfo-5.5.14-68.1
  • php5-pgsql-5.5.14-68.1
  • php5-dom-5.5.14-68.1
• Web and Scripting Module 12 (noarch)
  • php5-pear-5.5.14-68.1
• SUSE Linux Enterprise Software Development Kit 12 SP1 (ppc64le s390x x86_64)
  • php5-debugsource-5.5.14-68.1
  • php5-devel-5.5.14-68.1
  • php5-debuginfo-5.5.14-68.1

References:

• https://www.suse.com/security/cve/CVE-2015-8935.html
• https://www.suse.com/security/cve/CVE-2016-5385.html
• https://www.suse.com/security/cve/CVE-2016-5766.html
• https://www.suse.com/security/cve/CVE-2016-5767.html
• https://www.suse.com/security/cve/CVE-2016-5768.html
• https://www.suse.com/security/cve/CVE-2016-5769.html
• https://www.suse.com/security/cve/CVE-2016-5770.html
• https://www.suse.com/security/cve/CVE-2016-5771.html
• https://www.suse.com/security/cve/CVE-2016-5772.html
• https://bugzilla.suse.com/show_bug.cgi?id=986004
• https://bugzilla.suse.com/show_bug.cgi?id=986244
• https://bugzilla.suse.com/show_bug.cgi?id=986246
• https://bugzilla.suse.com/show_bug.cgi?id=986386
• https://bugzilla.suse.com/show_bug.cgi?id=986388
• https://bugzilla.suse.com/show_bug.cgi?id=986391
• https://bugzilla.suse.com/show_bug.cgi?id=986392
• https://bugzilla.suse.com/show_bug.cgi?id=986393
• https://bugzilla.suse.com/show_bug.cgi?id=988486