Security update for php5

Announcement ID:	SUSE-SU-2015:1253-1
Rating:	important
References:	bsc#919080 bsc#927147 bsc#931421 bsc#931769 bsc#931772 bsc#931776 bsc#933227 bsc#935224 bsc#935226 bsc#935227 bsc#935232 bsc#935234 bsc#935274 bsc#935275
Cross-References:	CVE-2015-3411 CVE-2015-3412 CVE-2015-4021 CVE-2015-4022 CVE-2015-4024 CVE-2015-4026 CVE-2015-4148 CVE-2015-4598 CVE-2015-4599 CVE-2015-4600 CVE-2015-4601 CVE-2015-4602 CVE-2015-4603 CVE-2015-4643 CVE-2015-4644
CVSS scores:	CVE-2015-3411 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2015-3412 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2015-4598 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2015-4602 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2015-4603 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2015-4643 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2015-4644 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 Web and Scripting Module 12

An update that solves 15 vulnerabilities can now be installed.

Description:

This security update of PHP fixes the following issues:

Security issues fixed:

• CVE-2015-4024 [bnc#931421]: Fixed multipart/form-data remote DOS Vulnerability.
• CVE-2015-4026 [bnc#931776]: pcntl_exec() did not check path validity.
• CVE-2015-4022 [bnc#931772]: Fixed and overflow in ftp_genlist() that resulted in a heap overflow.
• CVE-2015-4021 [bnc#931769]: Fixed memory corruption in phar_parse_tarfile when entry filename starts with NULL.
• CVE-2015-4148 [bnc#933227]: Fixed SoapClient's do_soap_call() type confusion after unserialize() information disclosure.
• CVE-2015-4602 [bnc#935224]: Fixed an incomplete Class unserialization type confusion.
• CVE-2015-4599, CVE-2015-4600, CVE-2015-4601 [bnc#935226]: Fixed type confusion issues in unserialize() with various SOAP methods.
• CVE-2015-4603 [bnc#935234]: Fixed exception::getTraceAsString type confusion issue after unserialize.
• CVE-2015-4644 [bnc#935274]: Fixed a crash in php_pgsql_meta_data.
• CVE-2015-4643 [bnc#935275]: Fixed an integer overflow in ftp_genlist() that could result in a heap overflow.
• CVE-2015-3411, CVE-2015-3412, CVE-2015-4598 [bnc#935227], [bnc#935232]: Added missing null byte checks for paths in various PHP extensions.

Bugs fixed:

• configure php-fpm with --localstatedir=/var [bnc#927147]
• fix timezone map [bnc#919080]

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Web and Scripting Module 12
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2015-322=1
• SUSE Linux Enterprise Software Development Kit 12
  zypper in -t patch SUSE-SLE-SDK-12-2015-322=1

Package List:

• Web and Scripting Module 12 (ppc64le s390x x86_64)
  • php5-bz2-5.5.14-30.1
  • php5-fastcgi-debuginfo-5.5.14-30.1
  • php5-intl-debuginfo-5.5.14-30.1
  • php5-pgsql-5.5.14-30.1
  • php5-suhosin-5.5.14-30.1
  • php5-suhosin-debuginfo-5.5.14-30.1
  • php5-iconv-5.5.14-30.1
  • php5-ldap-5.5.14-30.1
  • php5-sysvshm-5.5.14-30.1
  • php5-openssl-5.5.14-30.1
  • php5-zlib-5.5.14-30.1
  • php5-debuginfo-5.5.14-30.1
  • php5-ctype-5.5.14-30.1
  • php5-soap-5.5.14-30.1
  • php5-odbc-5.5.14-30.1
  • php5-xmlrpc-debuginfo-5.5.14-30.1
  • php5-dba-debuginfo-5.5.14-30.1
  • php5-mbstring-debuginfo-5.5.14-30.1
  • php5-enchant-debuginfo-5.5.14-30.1
  • php5-ftp-5.5.14-30.1
  • php5-sysvmsg-5.5.14-30.1
  • php5-gmp-debuginfo-5.5.14-30.1
  • php5-mysql-debuginfo-5.5.14-30.1
  • php5-dom-5.5.14-30.1
  • php5-xsl-debuginfo-5.5.14-30.1
  • php5-xmlrpc-5.5.14-30.1
  • php5-odbc-debuginfo-5.5.14-30.1
  • php5-pspell-5.5.14-30.1
  • php5-gd-5.5.14-30.1
  • php5-gettext-5.5.14-30.1
  • php5-wddx-debuginfo-5.5.14-30.1
  • php5-soap-debuginfo-5.5.14-30.1
  • php5-xmlreader-5.5.14-30.1
  • php5-zip-5.5.14-30.1
  • php5-ldap-debuginfo-5.5.14-30.1
  • php5-shmop-5.5.14-30.1
  • php5-tokenizer-debuginfo-5.5.14-30.1
  • php5-fastcgi-5.5.14-30.1
  • php5-zip-debuginfo-5.5.14-30.1
  • php5-calendar-5.5.14-30.1
  • php5-sysvmsg-debuginfo-5.5.14-30.1
  • php5-pcntl-debuginfo-5.5.14-30.1
  • php5-snmp-debuginfo-5.5.14-30.1
  • php5-bcmath-debuginfo-5.5.14-30.1
  • php5-curl-5.5.14-30.1
  • php5-pdo-5.5.14-30.1
  • php5-sysvshm-debuginfo-5.5.14-30.1
  • php5-sqlite-5.5.14-30.1
  • php5-fpm-5.5.14-30.1
  • php5-xmlwriter-5.5.14-30.1
  • php5-intl-5.5.14-30.1
  • php5-pgsql-debuginfo-5.5.14-30.1
  • php5-sysvsem-5.5.14-30.1
  • php5-fileinfo-debuginfo-5.5.14-30.1
  • php5-sockets-5.5.14-30.1
  • php5-mysql-5.5.14-30.1
  • php5-ctype-debuginfo-5.5.14-30.1
  • php5-zlib-debuginfo-5.5.14-30.1
  • php5-dba-5.5.14-30.1
  • php5-iconv-debuginfo-5.5.14-30.1
  • php5-xmlwriter-debuginfo-5.5.14-30.1
  • php5-mbstring-5.5.14-30.1
  • php5-sqlite-debuginfo-5.5.14-30.1
  • php5-gettext-debuginfo-5.5.14-30.1
  • php5-json-5.5.14-30.1
  • php5-ftp-debuginfo-5.5.14-30.1
  • php5-fpm-debuginfo-5.5.14-30.1
  • php5-shmop-debuginfo-5.5.14-30.1
  • php5-pspell-debuginfo-5.5.14-30.1
  • php5-openssl-debuginfo-5.5.14-30.1
  • php5-gd-debuginfo-5.5.14-30.1
  • php5-wddx-5.5.14-30.1
  • php5-5.5.14-30.1
  • php5-debugsource-5.5.14-30.1
  • php5-dom-debuginfo-5.5.14-30.1
  • php5-snmp-5.5.14-30.1
  • php5-calendar-debuginfo-5.5.14-30.1
  • php5-sockets-debuginfo-5.5.14-30.1
  • php5-mcrypt-5.5.14-30.1
  • apache2-mod_php5-debuginfo-5.5.14-30.1
  • php5-exif-5.5.14-30.1
  • apache2-mod_php5-5.5.14-30.1
  • php5-bz2-debuginfo-5.5.14-30.1
  • php5-mcrypt-debuginfo-5.5.14-30.1
  • php5-pcntl-5.5.14-30.1
  • php5-pdo-debuginfo-5.5.14-30.1
  • php5-tokenizer-5.5.14-30.1
  • php5-exif-debuginfo-5.5.14-30.1
  • php5-sysvsem-debuginfo-5.5.14-30.1
  • php5-fileinfo-5.5.14-30.1
  • php5-bcmath-5.5.14-30.1
  • php5-xsl-5.5.14-30.1
  • php5-json-debuginfo-5.5.14-30.1
  • php5-enchant-5.5.14-30.1
  • php5-gmp-5.5.14-30.1
  • php5-xmlreader-debuginfo-5.5.14-30.1
  • php5-curl-debuginfo-5.5.14-30.1
• Web and Scripting Module 12 (noarch)
  • php5-pear-5.5.14-30.1
• SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64)
  • php5-debugsource-5.5.14-30.1
  • php5-debuginfo-5.5.14-30.1
  • php5-devel-5.5.14-30.1

References:

• https://www.suse.com/security/cve/CVE-2015-3411.html
• https://www.suse.com/security/cve/CVE-2015-3412.html
• https://www.suse.com/security/cve/CVE-2015-4021.html
• https://www.suse.com/security/cve/CVE-2015-4022.html
• https://www.suse.com/security/cve/CVE-2015-4024.html
• https://www.suse.com/security/cve/CVE-2015-4026.html
• https://www.suse.com/security/cve/CVE-2015-4148.html
• https://www.suse.com/security/cve/CVE-2015-4598.html
• https://www.suse.com/security/cve/CVE-2015-4599.html
• https://www.suse.com/security/cve/CVE-2015-4600.html
• https://www.suse.com/security/cve/CVE-2015-4601.html
• https://www.suse.com/security/cve/CVE-2015-4602.html
• https://www.suse.com/security/cve/CVE-2015-4603.html
• https://www.suse.com/security/cve/CVE-2015-4643.html
• https://www.suse.com/security/cve/CVE-2015-4644.html
• https://bugzilla.suse.com/show_bug.cgi?id=919080
• https://bugzilla.suse.com/show_bug.cgi?id=927147
• https://bugzilla.suse.com/show_bug.cgi?id=931421
• https://bugzilla.suse.com/show_bug.cgi?id=931769
• https://bugzilla.suse.com/show_bug.cgi?id=931772
• https://bugzilla.suse.com/show_bug.cgi?id=931776
• https://bugzilla.suse.com/show_bug.cgi?id=933227
• https://bugzilla.suse.com/show_bug.cgi?id=935224
• https://bugzilla.suse.com/show_bug.cgi?id=935226
• https://bugzilla.suse.com/show_bug.cgi?id=935227
• https://bugzilla.suse.com/show_bug.cgi?id=935232
• https://bugzilla.suse.com/show_bug.cgi?id=935234
• https://bugzilla.suse.com/show_bug.cgi?id=935274
• https://bugzilla.suse.com/show_bug.cgi?id=935275