SUSE SLED12 Security Update : php5 (SUSE-SU-2016:1633-1)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

This update for php5 fixes the following issues :

- CVE-2013-7456: imagescale out-of-bounds read
(bnc#982009).

- CVE-2016-5093: get_icu_value_internal out-of-bounds read
(bnc#982010).

- CVE-2016-5094: Don't create strings with lengths outside
of valid range (bnc#982011).

- CVE-2016-5095: Don't create strings with lengths outside
of valid range (bnc#982012).

- CVE-2016-5096: int/size_t confusion in fread
(bsc#982013).

- CVE-2015-8877: The gdImageScaleTwoPass function in
gd_interpolation.c in the GD Graphics Library (aka
libgd) as used in PHP used inconsistent allocate and
free approaches, which allowed remote attackers to cause
a denial of service (memory consumption) via a crafted
call, as demonstrated by a call to the PHP imagescale
function (bsc#981061).

- CVE-2015-8876: Zend/zend_exceptions.c in PHP did not
validate certain Exception objects, which allowed remote
attackers to cause a denial of service (NULL pointer
dereference and application crash) or trigger unintended
method execution via crafted serialized data
(bsc#981049).

- CVE-2015-8879: The odbc_bindcols function in
ext/odbc/php_odbc.c in PHP mishandles driver behavior
for SQL_WVARCHAR columns, which allowed remote attackers
to cause a denial of service (application crash) in
opportunistic circumstances by leveraging use of the
odbc_fetch_array function to access a certain type of
Microsoft SQL Server table (bsc#981050).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/981049
https://bugzilla.suse.com/981050
https://bugzilla.suse.com/981061
https://bugzilla.suse.com/982009
https://bugzilla.suse.com/982010
https://bugzilla.suse.com/982011
https://bugzilla.suse.com/982012
https://bugzilla.suse.com/982013
https://www.suse.com/security/cve/CVE-2013-7456.html
https://www.suse.com/security/cve/CVE-2015-8876.html
https://www.suse.com/security/cve/CVE-2015-8877.html
https://www.suse.com/security/cve/CVE-2015-8879.html
https://www.suse.com/security/cve/CVE-2016-5093.html
https://www.suse.com/security/cve/CVE-2016-5094.html
https://www.suse.com/security/cve/CVE-2016-5095.html
https://www.suse.com/security/cve/CVE-2016-5096.html
http://www.nessus.org/u?eed6abc1

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Workstation Extension 12-SP1 :

zypper in -t patch SUSE-SLE-WE-12-SP1-2016-968=1

SUSE Linux Enterprise Workstation Extension 12 :

zypper in -t patch SUSE-SLE-WE-12-2016-968=1

SUSE Linux Enterprise Software Development Kit 12-SP1 :

zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-968=1

SUSE Linux Enterprise Software Development Kit 12 :

zypper in -t patch SUSE-SLE-SDK-12-2016-968=1

SUSE Linux Enterprise Module for Web Scripting 12 :

zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2016-968=1

SUSE Linux Enterprise Desktop 12-SP1 :

zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-968=1

SUSE Linux Enterprise Desktop 12 :

zypper in -t patch SUSE-SLE-DESKTOP-12-2016-968=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:POC/RL:OF/RC:ND)
Public Exploit Available : true

Family: SuSE Local Security Checks

Nessus Plugin ID: 93160 ()

Bugtraq ID:

CVE ID: CVE-2013-7456
CVE-2015-8876
CVE-2015-8877
CVE-2015-8879
CVE-2016-5093
CVE-2016-5094
CVE-2016-5095
CVE-2016-5096

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now