ID

VAR-201605-0133


CVE

CVE-2015-8865


TITLE

Denial-of-service (DoS) vulnerability in the file_check_mem function in funcs.c of file, as used by the PHP Fileinfo component

Trust: 0.8

sources: JVNDB: JVNDB-2015-007175

DESCRIPTION

The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service (buffer overflow and application crash) or possibly execute arbitrary code via a crafted magic file.

PHP is prone to a denial-of-service vulnerability. Successful exploits may allow the attacker to crash the affected application, resulting in a denial-of-service condition.

PHP (PHP: Hypertext Preprocessor) is an open source general-purpose scripting language jointly maintained by the PHP Group and the open source community; Fileinfo is one of its components, used to display file attributes and to support batch modification of those attributes. The vulnerability stems from the fact that the program does not correctly handle continuation-level jumps. The following versions are affected: PHP prior to 5.5.34, 5.6.x prior to 5.6.20, 7.x prior to 7.0.5, and file prior to 5.23.

============================================================================
Ubuntu Security Notice USN-2984-1
May 24, 2016

php5, php7.0 vulnerabilities
============================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:

- php7.0: HTML-embedded scripting language interpreter
- php5: HTML-embedded scripting language interpreter

Details:

It was discovered that the PHP Fileinfo component incorrectly handled certain magic files. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-8865)

Hans Jerry Illikainen discovered that the PHP Zip extension incorrectly handled certain malformed Zip archives. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-3078)

It was discovered that PHP incorrectly handled invalid indexes in the SplDoublyLinkedList class. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-3132)

It was discovered that the PHP rawurlencode() function incorrectly handled large strings. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-4070)

It was discovered that the PHP php_snmp_error() function incorrectly handled string formatting. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-4071)

It was discovered that the PHP phar extension incorrectly handled certain filenames in archives. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-4072)

It was discovered that the PHP mb_strcut() function incorrectly handled string formatting. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-4073)

It was discovered that the PHP phar extension incorrectly handled certain archive files. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-4342, CVE-2016-4343)

It was discovered that the PHP bcpowmod() function incorrectly handled memory. (CVE-2016-4537, CVE-2016-4538)

It was discovered that the PHP XML parser incorrectly handled certain malformed XML data. (CVE-2016-4539)

It was discovered that certain PHP grapheme functions incorrectly handled negative offsets. (CVE-2016-4540, CVE-2016-4541)

It was discovered that PHP incorrectly handled certain malformed EXIF tags. (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS:
  libapache2-mod-php7.0    7.0.4-7ubuntu2.1
  php7.0-cgi               7.0.4-7ubuntu2.1
  php7.0-cli               7.0.4-7ubuntu2.1
  php7.0-fpm               7.0.4-7ubuntu2.1

Ubuntu 15.10:
  libapache2-mod-php5      5.6.11+dfsg-1ubuntu3.4
  php5-cgi                 5.6.11+dfsg-1ubuntu3.4
  php5-cli                 5.6.11+dfsg-1ubuntu3.4
  php5-fpm                 5.6.11+dfsg-1ubuntu3.4

Ubuntu 14.04 LTS:
  libapache2-mod-php5      5.5.9+dfsg-1ubuntu4.17
  php5-cgi                 5.5.9+dfsg-1ubuntu4.17
  php5-cli                 5.5.9+dfsg-1ubuntu4.17
  php5-fpm                 5.5.9+dfsg-1ubuntu4.17

Ubuntu 12.04 LTS:
  libapache2-mod-php5      5.3.10-1ubuntu3.23
  php5-cgi                 5.3.10-1ubuntu3.23
  php5-cli                 5.3.10-1ubuntu3.23
  php5-fpm                 5.3.10-1ubuntu3.23

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2984-1
  CVE-2015-8865, CVE-2016-3078, CVE-2016-3132, CVE-2016-4070, CVE-2016-4071, CVE-2016-4072, CVE-2016-4073, CVE-2016-4342, CVE-2016-4343, CVE-2016-4537, CVE-2016-4538, CVE-2016-4539, CVE-2016-4540, CVE-2016-4541, CVE-2016-4542, CVE-2016-4543, CVE-2016-4544

Package Information:
  https://launchpad.net/ubuntu/+source/php7.0/7.0.4-7ubuntu2.1
  https://launchpad.net/ubuntu/+source/php5/5.6.11+dfsg-1ubuntu3.4
  https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.17
  https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.23

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05240731

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05240731
Version: 1

HPSBNS03635 rev.1 - HPE NonStop Servers OSS Script Languages running Perl and PHP, Multiple Local and Remote Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2016-08-19
Last Updated: 2016-08-19

Potential Security Impact: Local Denial of Service (DoS), Elevation of Privilege, Remote Denial of Service (DoS), Execution of Arbitrary Code, Unauthorized Disclosure of Information, Unauthorized Modification

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY

Multiple potential remote and local vulnerabilities impacting Perl and PHP have been addressed by HPE NonStop Servers OSS Script Languages. The vulnerabilities include Perl's opportunistic loading of optional modules which might allow local users to gain elevation of privilege via a Trojan horse library under the current working directory.

References:

- CVE-2016-1238 - Perl Local Elevation of Privilege
- CVE-2016-2381 - Perl Remote Unauthorized Modification
- CVE-2014-4330 - Perl Local Denial of Service (DoS)

**Note:** applies only for the H/J-series SPR. Fix was already provided in a previous L-series SPR.

OSS Script Languages (T1203) T1203H01 through T1203H01^AAD, T1203L01 and T1203L01^AAC

*Impacted releases:*

- L15.02
- L15.08.00, L15.08.01
- L16.05.00
- J06.14 through J06.16.02
- J06.17.00, J06.17.01
- J06.18.00, J06.18.01
- J06.19.00, J06.19.01, J06.19.02
- J06.20.00
- H06.25 through H06.26.01
- H06.27.00, H06.27.01
- H06.28.00, H06.28.01
- H06.29.00, H06.29.01

BACKGROUND

CVSS Base Metrics
=================
Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector

CVE-2013-7456   7.6  CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H   6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2014-4330   4.0  CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L   2.1  (AV:L/AC:L/Au:N/C:N/I:N/A:P)
CVE-2015-8383   7.3  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8386   7.3  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8387   7.3  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8389   7.3  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8390   7.3  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8391   8.6  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H   9.0  (AV:N/AC:L/Au:N/C:P/I:P/A:C)
CVE-2015-8393   5.3  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N   5.0  (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-2015-8394   7.3  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8607   7.3  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8853   7.5  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H   5.0  (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2015-8865   7.3  CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2015-8874   7.5  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H   5.0  (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2016-1238   6.7  CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H   6.2  (AV:L/AC:H/Au:N/C:C/I:C/A:C)
CVE-2016-1903   9.1  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H   6.4  (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CVE-2016-2381   6.5  CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N   5.0  (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE-2016-2554   9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  10.0  (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-2016-3074   9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4070   7.5  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H   5.0  (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2016-4071   9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4072   9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4073   9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4342   8.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   8.3  (AV:N/AC:M/Au:N/C:P/I:P/A:C)
CVE-2016-4343   8.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2016-4537   9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4538   9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4539   9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4540   9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4541   9.1  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4542   9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4543   9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-4544   9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-5093   8.6  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-5094   8.6  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-5096   8.6  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-5114   9.1  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H   6.4  (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CVE-2016-5766   8.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2016-5767   8.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   6.8  (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2016-5768   9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-5769   9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-5770   9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-5771   9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-5772   9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2016-5773   9.8  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499

RESOLUTION

HPE has released the following
software updates to resolve the vulnerabilities in NonStop Servers OSS Script Languages running Perl and PHP.

Install one of the SPRs below as appropriate for the system's release version:

+ L-Series:
  * T1203L01^AAE (OSS Scripting Languages) - already available
    This SPR already is present in these RVUs: None
    This SPR is usable with the following RVUs:
    - L15.02 through L16.05.00

+ H and J-Series:
  * T1203H01^AAF (OSS Scripting Languages) - already available
    This SPR already is present in these RVUs: None
    This SPR is usable with the following RVUs:
    - J06.14 through J06.20.00
    - H06.25 through H06.29.01

**Note:** Please refer to *NonStop Hotstuff HS03333* for more information.

HISTORY

Version:1 (rev.1) - 19 August 2016 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability for any HPE supported product:
  Web form: https://www.hpe.com/info/report-security-vulnerability
  Email: security-alert@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-------------------------------------------------------------------------
Debian Security Advisory DSA-3560-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 27, 2016                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : php5
CVE ID         : CVE-2015-8865 CVE-2016-4070 CVE-2016-4071 CVE-2016-4072 CVE-2016-4073

Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.

The vulnerabilities are addressed by upgrading PHP to the new upstream version 5.6.20, which includes additional bug fixes. Please refer to the upstream changelog for more information:

https://php.net/ChangeLog-5.php#5.6.20

For the stable distribution (jessie), these problems have been fixed in version 5.6.20+dfsg-0+deb8u1.

We recommend that you upgrade your php5 packages.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201611-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: PHP: Multiple vulnerabilities
     Date: November 30, 2016
     Bugs: #578734, #581834, #584204, #587246, #591710, #594498, #597586, #599326
       ID: 201611-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in PHP, the worst of which could lead to arbitrary code execution or cause a Denial of Service condition.

Background
==========

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.
Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-lang/php                 < 5.6.28                   >= 5.6.28

Description
===========

Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PHP users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/php-5.6.28"

References
==========

[ 1 ] CVE-2015-8865 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8865
[ 2 ] CVE-2016-3074 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3074
[ 3 ] CVE-2016-4071 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4071
[ 4 ] CVE-2016-4072 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4072
[ 5 ] CVE-2016-4073 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4073
[ 6 ] CVE-2016-4537 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4537
[ 7 ] CVE-2016-4538 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4538
[ 8 ] CVE-2016-4539 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4539
[ 9 ] CVE-2016-4540 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4540
[ 10 ] CVE-2016-4541 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4541
[ 11 ] CVE-2016-4542 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4542
[ 12 ] CVE-2016-4543 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4543
[ 13 ] CVE-2016-4544 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4544
[ 14 ] CVE-2016-5385 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5385
[ 15 ] CVE-2016-6289 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6289
[ 16 ] CVE-2016-6290 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6290
[ 17 ] CVE-2016-6291 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6291
[ 18 ] CVE-2016-6292 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6292
[ 19 ] CVE-2016-6294 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6294
[ 20 ] CVE-2016-6295 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6295
[ 21 ] CVE-2016-6296 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6296
[ 22 ] CVE-2016-6297 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6297
[ 23 ] CVE-2016-7124 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7124
[ 24 ] CVE-2016-7125 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7125
[ 25 ] CVE-2016-7126 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7126
[ 26 ] CVE-2016-7127 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7127
[ 27 ] CVE-2016-7128 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7128
[ 28 ] CVE-2016-7129 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7129
[ 29 ] CVE-2016-7130 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7130
[ 30 ] CVE-2016-7131 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7131
[ 31 ] CVE-2016-7132 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7132
[ 32 ] CVE-2016-7133 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7133
[ 33 ] CVE-2016-7134 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7134
[ 34 ] CVE-2016-7411 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7411
[ 35 ] CVE-2016-7412 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7412
[ 36 ] CVE-2016-7413 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7413
[ 37 ] CVE-2016-7414 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7414
[ 38 ] CVE-2016-7416 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7416
[ 39 ] CVE-2016-7417 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7417
[ 40 ] CVE-2016-7418 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7418

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

https://security.gentoo.org/glsa/201611-22

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
=======

Copyright 2016 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Trust: 2.61

sources: NVD: CVE-2015-8865 // JVNDB: JVNDB-2015-007175 // BID: 85802 // VULHUB: VHN-86826 // VULMON: CVE-2015-8865 // PACKETSTORM: 137174 // PACKETSTORM: 148367 // PACKETSTORM: 138463 // PACKETSTORM: 136841 // PACKETSTORM: 139968 // PACKETSTORM: 148192

AFFECTED PRODUCTS

vendor: php | model: php | scope: eq | version: 7.0.3

Trust: 1.3

vendor: php | model: php | scope: eq | version: 5.6.19

Trust: 1.3

vendor: php | model: php | scope: eq | version: 5.6.18

Trust: 1.3

vendor: php | model: php | scope: eq | version: 5.6.17

Trust: 1.3

vendor: php | model: php | scope: eq | version: 5.6.13

Trust: 1.3

vendor: php | model: php | scope: eq | version: 5.6.12

Trust: 1.3

vendor: php | model: php | scope: eq | version: 5.6.11

Trust: 1.3

vendor: php | model: php | scope: eq | version: 5.6.5

Trust: 1.3

vendor: php | model: php | scope: eq | version: 5.6.4

Trust: 1.3

vendor: php | model: php | scope: eq | version: 5.6.1

Trust: 1.3

vendor: php | model: php | scope: eq | version: 7.0.4

Trust: 1.3

vendor: php | model: php | scope: eq | version: 7.0.2

Trust: 1.3

vendor: php | model: php | scope: eq | version: 7.0.1

Trust: 1.3

vendor: php | model: php | scope: eq | version: 5.6.9

Trust: 1.3

vendor: php | model: php | scope: eq | version: 5.6.8

Trust: 1.3

vendor: php | model: php | scope: eq | version: 5.6.7

Trust: 1.3

vendor: php | model: php | scope: eq | version: 5.6.6

Trust: 1.3

vendor: php | model: php | scope: eq | version: 5.6.3

Trust: 1.3

vendor: php | model: php | scope: eq | version: 5.6.2

Trust: 1.3

vendor: php | model: php | scope: eq | version: 5.6.14

Trust: 1.3

vendor: php | model: php | scope: eq | version: 5.6.10

Trust: 1.3

vendor: php | model: php | scope: eq | version: 5.6.16

Trust: 1.0

vendor: apple | model: mac os x | scope: lte | version: 10.11.4

Trust: 1.0

vendor: php | model: php | scope: lte | version: 5.5.33

Trust: 1.0

vendor: php | model: php | scope: eq | version: 5.6.15

Trust: 1.0

vendor: php | model: php | scope: eq | version: 5.6.0

Trust: 1.0

vendor: php | model: php | scope: eq | version: 7.0.0

Trust: 1.0

vendor: apple | model: mac os x | scope: eq | version: 10.11 and later

Trust: 0.8

vendor: the php group | model: php | scope: eq | version: 7.0.5

Trust: 0.8

vendor: the php group | model: php | scope: lt | version: 5.6.x

Trust: 0.8

vendor: the php group | model: php | scope: lt | version: 7.x

Trust: 0.8

vendor: the php group | model: php | scope: eq | version: 5.6.20

Trust: 0.8

vendor: apple | model: mac os x | scope: eq | version: 10.11.4

Trust: 0.6

vendor: ubuntu | model: linux lts | scope: eq | version: 16.04

Trust: 0.3

vendor: ubuntu | model: linux | scope: eq | version: 15.10

Trust: 0.3

vendor: ubuntu | model: linux lts | scope: eq | version: 14.04

Trust: 0.3

vendor: ubuntu | model: linux lts | scope: eq | version: 12.04

Trust: 0.3

vendor: php | model: php | scope: eq | version: 7.0

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.33

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.32

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.29

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.28

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.27

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.26

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.21

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.14

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.13

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.12

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.11

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.10

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.6

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.5

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.4

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.3

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.1

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.45

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.44

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.43

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.37

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.30

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.29

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.26

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.25

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.17

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.14

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.8

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.7

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.6

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.4

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.3

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.2

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.1

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.29

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.28

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.24

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.23

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.22

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.21

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.20

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.17

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.16

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.14

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.13

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.12

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.9

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.8

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.7

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.6

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.5

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.2

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.1

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2.17

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2.16

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2.15

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2.13

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2.12

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2.11

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2.10

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2.9

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2.8

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2.7

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2.6

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2.5

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2.4

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2.3

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2.2

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2.1

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.1.6

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.1.5

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.1.4

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.1.3

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.1.2

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.1.1

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.1

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.0.5

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.0.4

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.0.3

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.0.2

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.0.1

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.6

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.9

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.8

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.7

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.31

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.30

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.25

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.24

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.23

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.22

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.2

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.19

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.18

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.17

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.16

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.5.15

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.9

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.5

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.42

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.41

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.39

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.38

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.36

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.35

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.34

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.33

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.32

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.31

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.28

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.27

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.24

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.23

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.22

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.21

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.20

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.19

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.18

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.16

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.15

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.13

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.12

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.11

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.4.10

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.4

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.3

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.27

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.26

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.25

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.19

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.18

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.15

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.11

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.3.10

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2.17.03

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2.14

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.2

Trust: 0.3

vendor: php | model: php | scope: eq | version: 5.1.43

Trust: 0.3

vendor: gentoo | model: linux | scope: - | version: -

Trust: 0.3

vendor: debian | model: linux sparc | scope: eq | version: 6.0

Trust: 0.3

vendor: debian | model: linux s/390 | scope: eq | version: 6.0

Trust: 0.3

vendor: debian | model: linux powerpc | scope: eq | version: 6.0

Trust: 0.3

vendor: debian | model: linux mips | scope: eq | version: 6.0

Trust: 0.3

vendor: debian | model: linux ia-64 | scope: eq | version: 6.0

Trust: 0.3

vendor: debian | model: linux ia-32 | scope: eq | version: 6.0

Trust: 0.3

vendor: debian | model: linux arm | scope: eq | version: 6.0

Trust: 0.3

vendor: debian | model: linux amd64 | scope: eq | version: 6.0

Trust: 0.3

vendor: apple | model: mac os security update | scope: eq | version: x2016-0020

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.11.3

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.11.2

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.11.1

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.11.4

Trust: 0.3

vendor: apple | model: mac os | scope: eq | version: x10.11

Trust: 0.3

vendor: php | model: php | scope: ne | version: 7.0.5

Trust: 0.3

vendor: php | model: php | scope: ne | version: 5.6.20

Trust: 0.3

vendor: php | model: php | scope: ne | version: 5.5.34

Trust: 0.3

vendor: apple | model: mac os security update | scope: ne | version: x2016-0030

Trust: 0.3

vendor: apple | model: mac os | scope: ne | version: x10.11.5

Trust: 0.3

sources: BID: 85802 // JVNDB: JVNDB-2015-007175 // CNNVD: CNNVD-201604-556 // NVD: CVE-2015-8865

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-8865
value: HIGH

Trust: 1.0

NVD: CVE-2015-8865
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201604-556
value: HIGH

Trust: 0.6

VULHUB: VHN-86826
value: HIGH

Trust: 0.1

VULMON: CVE-2015-8865
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-8865
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-86826
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-8865
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.3
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-86826 // VULMON: CVE-2015-8865 // JVNDB: JVNDB-2015-007175 // CNNVD: CNNVD-201604-556 // NVD: CVE-2015-8865

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-86826 // JVNDB: JVNDB-2015-007175 // NVD: CVE-2015-8865

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 137174 // CNNVD: CNNVD-201604-556

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201604-556

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-007175

PATCH

title: APPLE-SA-2016-05-16-4 OS X El Capitan 10.11.5 and Security Update 2016-003
url: http://lists.apple.com/archives/security-announce/2016/May/msg00004.html

Trust: 0.8

title: HT206567
url: https://support.apple.com/en-us/HT206567

Trust: 0.8

title: HT206567
url: https://support.apple.com/ja-jp/HT206567

Trust: 0.8

title: PR/454: Fix memory corruption when the continuation level jumps by more than
url: https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36

Trust: 0.8

title: 0000522: Buffer over-write in PHP function finfo_open with malformed magic file. (uses libmagic)
url: http://bugs.gw.com/view.php?id=522

Trust: 0.8

title: Sec Bug #71527
url: https://bugs.php.net/bug.php?id=71527

Trust: 0.8

title: PHP 5 ChangeLog
url: http://php.net/ChangeLog-5.php

Trust: 0.8

title: PHP 7 ChangeLog
url: http://php.net/ChangeLog-7.php

Trust: 0.8

title: Fixed bug #71527 Buffer over-write in finfo_open with malformed magic file
url: http://git.php.net/?p=php-src.git;a=commit;h=fe13566c93f118a15a96320a546c7878fd0cfc5e

Trust: 0.8

title: PHP Fileinfo Fixes for component buffer overflow vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=61239

Trust: 0.6

title: Debian CVElist Bug Report Logs: file: CVE-2015-8865: file_check_mem() misbehaves on some input
url: https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=357578556d837956c999174963fd2eea

Trust: 0.1

title: Ubuntu Security Notice: file vulnerabilities
url: https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3686-2

Trust: 0.1

title: Red Hat: CVE-2015-8865
url: https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2015-8865

Trust: 0.1

title: Ubuntu Security Notice: file vulnerabilities
url: https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3686-1

Trust: 0.1

title: Debian Security Advisories: DSA-3560-1 php5 -- security update
url: https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=9f33dfec360e1186a6d0f52314de3ce6

Trust: 0.1

title: Amazon Linux AMI: ALAS-2016-698
url: https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2016-698

Trust: 0.1

title: Ubuntu Security Notice: php5, php7.0 vulnerabilities
url: https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-2984-1

Trust: 0.1

title: Debian CVElist Bug Report Logs: hhvm: Various CVEs (CVE-2014-9709 CVE-2015-8865 CVE-2016-1903 CVE-2016-4070 CVE-2016-4539 CVE-2016-6870 CVE-2016-6871 CVE-2016-6872 CVE-2016-6873 CVE-2016-6874 CVE-2016-6875)
url: https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=98d16dc1a3e1824eeb9ad5c28e1a0a02

Trust: 0.1

title: Red Hat: Moderate: rh-php56 security, bug fix, and enhancement update
url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20162750 - Security Advisory

Trust: 0.1

title: Apple: OS X El Capitan v10.11.5 and Security Update 2016-003
url: https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=3c550201b398ce302f3a9adf27215fda

Trust: 0.1

sources: VULMON: CVE-2015-8865 // JVNDB: JVNDB-2015-007175 // CNNVD: CNNVD-201604-556

EXTERNAL IDS

db: NVD, id: CVE-2015-8865

Trust: 3.5

db: OPENWALL, id: OSS-SECURITY/2016/04/24/1

Trust: 1.8

db: BID, id: 85802

Trust: 1.5

db: JVNDB, id: JVNDB-2015-007175

Trust: 0.8

db: CNNVD, id: CNNVD-201604-556

Trust: 0.7

db: PACKETSTORM, id: 148367

Trust: 0.2

db: PACKETSTORM, id: 139968

Trust: 0.2

db: PACKETSTORM, id: 136841

Trust: 0.2

db: PACKETSTORM, id: 137174

Trust: 0.2

db: PACKETSTORM, id: 137086

Trust: 0.1

db: VULHUB, id: VHN-86826

Trust: 0.1

db: VULMON, id: CVE-2015-8865

Trust: 0.1

db: PACKETSTORM, id: 138463

Trust: 0.1

db: PACKETSTORM, id: 148192

Trust: 0.1

sources: VULHUB: VHN-86826 // VULMON: CVE-2015-8865 // BID: 85802 // PACKETSTORM: 137174 // PACKETSTORM: 148367 // PACKETSTORM: 138463 // PACKETSTORM: 136841 // PACKETSTORM: 139968 // PACKETSTORM: 148192 // JVNDB: JVNDB-2015-007175 // CNNVD: CNNVD-201604-556 // NVD: CVE-2015-8865

REFERENCES

url:https://bugs.php.net/bug.php?id=71527

Trust: 2.1

url:http://lists.apple.com/archives/security-announce/2016/may/msg00004.html

Trust: 1.8

url:http://bugs.gw.com/view.php?id=522

Trust: 1.8

url:http://www.php.net/changelog-5.php

Trust: 1.8

url:http://www.php.net/changelog-7.php

Trust: 1.8

url:https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36

Trust: 1.8

url:https://support.apple.com/ht206567

Trust: 1.8

url:http://www.openwall.com/lists/oss-security/2016/04/24/1

Trust: 1.8

url:https://security.gentoo.org/glsa/201611-22

Trust: 1.3

url:https://usn.ubuntu.com/3686-2/

Trust: 1.3

url:http://www.securityfocus.com/bid/85802

Trust: 1.2

url:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05240731

Trust: 1.2

url:http://www.debian.org/security/2016/dsa-3560

Trust: 1.2

url:https://security.gentoo.org/glsa/201701-42

Trust: 1.2

url:http://rhn.redhat.com/errata/rhsa-2016-2750.html

Trust: 1.2

url:http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00057.html

Trust: 1.2

url:http://www.ubuntu.com/usn/usn-2952-1

Trust: 1.2

url:http://www.ubuntu.com/usn/usn-2952-2

Trust: 1.2

url:https://usn.ubuntu.com/3686-1/

Trust: 1.2

url:http://git.php.net/?p=php-src.git;a=commit;h=fe13566c93f118a15a96320a546c7878fd0cfc5e

Trust: 1.1

url:http://git.php.net/?p=php-src.git%3ba=commit%3bh=fe13566c93f118a15a96320a546c7878fd0cfc5e

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-8865

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-8865

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2015-8865

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2016-4072

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2016-4071

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2016-4073

Trust: 0.4

url:http://php.net/changelog-5.php

Trust: 0.3

url:http://php.net/changelog-7.php

Trust: 0.3

url:http://www.php.net/

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-4537

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-4538

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-4070

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-4539

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-4542

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-4544

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-4343

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-4543

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-4541

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-4540

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-4342

Trust: 0.2

url:https://usn.ubuntu.com/usn/usn-3686-1

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2018-10360

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-3074

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/119.html

Trust: 0.1

url:https://www.rapid7.com/db/vulnerabilities/apple-osx-apachemodphp-cve-2015-8865

Trust: 0.1

url:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827377

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-3132

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/php7.0/7.0.4-7ubuntu2.1

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-3078

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.23

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.17

Trust: 0.1

url:http://www.ubuntu.com/usn/usn-2984-1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/php5/5.6.11+dfsg-1ubuntu3.4

Trust: 0.1

url:https://usn.ubuntu.com/usn/usn-3686-2

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-7456

Trust: 0.1

url:http://www.hpe.com/support/security_bulletin_archive

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8853

Trust: 0.1

url:https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c05240731

Trust: 0.1

url:http://www.hpe.com/support/subscriber_choice

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8383

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8386

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8391

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8393

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-1238

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-2381

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8387

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-2554

Trust: 0.1

url:https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c01345499

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-4330

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8389

Trust: 0.1

url:https://www.hpe.com/info/report-security-vulnerability

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8394

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-1903

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8607

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8874

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-8390

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://php.net/changelog-5.php#5.6.20

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-6297

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7131

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7417

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-4542

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-6297

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-7124

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7124

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7125

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7129

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-4538

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7132

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-6292

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7416

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-5385

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-7126

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-6289

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-8865

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-6289

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7128

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-4073

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-6295

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-6296

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-5385

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-4539

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-4072

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-7128

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-6290

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7134

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7411

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-4537

Trust: 0.1

url:http://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7413

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-4541

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7130

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-6292

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-6290

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7414

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-6291

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-4544

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-7127

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-6294

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7126

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-4071

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7133

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-6295

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-6291

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-6294

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-7125

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-4543

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-4540

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-7129

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7412

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-6296

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7418

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-7127

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-3074

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/file/1:5.25-2ubuntu1.1

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-9621

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/file/1:5.14-2ubuntu3.4

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-9653

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/file/1:5.32-2ubuntu0.1

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-9620

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/file/1:5.32-1ubuntu0.1

Trust: 0.1

sources: VULHUB: VHN-86826 // VULMON: CVE-2015-8865 // BID: 85802 // PACKETSTORM: 137174 // PACKETSTORM: 148367 // PACKETSTORM: 138463 // PACKETSTORM: 136841 // PACKETSTORM: 139968 // PACKETSTORM: 148192 // JVNDB: JVNDB-2015-007175 // CNNVD: CNNVD-201604-556 // NVD: CVE-2015-8865

CREDITS

Hugh Davenport

Trust: 0.3

sources: BID: 85802

SOURCES

db: VULHUB, id: VHN-86826
db: VULMON, id: CVE-2015-8865
db: BID, id: 85802
db: PACKETSTORM, id: 137174
db: PACKETSTORM, id: 148367
db: PACKETSTORM, id: 138463
db: PACKETSTORM, id: 136841
db: PACKETSTORM, id: 139968
db: PACKETSTORM, id: 148192
db: JVNDB, id: JVNDB-2015-007175
db: CNNVD, id: CNNVD-201604-556
db: NVD, id: CVE-2015-8865

LAST UPDATE DATE

2025-08-12T20:05:53.208000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-86826, date: 2018-06-30T00:00:00
db: VULMON, id: CVE-2015-8865, date: 2018-06-30T00:00:00
db: BID, id: 85802, date: 2017-01-23T09:11:00
db: JVNDB, id: JVNDB-2015-007175, date: 2016-05-25T00:00:00
db: CNNVD, id: CNNVD-201604-556, date: 2016-05-23T00:00:00
db: NVD, id: CVE-2015-8865, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB, id: VHN-86826, date: 2016-05-20T00:00:00
db: VULMON, id: CVE-2015-8865, date: 2016-05-20T00:00:00
db: BID, id: 85802, date: 2016-04-02T00:00:00
db: PACKETSTORM, id: 137174, date: 2016-05-24T23:31:17
db: PACKETSTORM, id: 148367, date: 2018-06-29T00:19:16
db: PACKETSTORM, id: 138463, date: 2016-08-22T18:18:17
db: PACKETSTORM, id: 136841, date: 2016-04-28T15:45:53
db: PACKETSTORM, id: 139968, date: 2016-12-01T16:38:01
db: PACKETSTORM, id: 148192, date: 2018-06-14T15:57:22
db: JVNDB, id: JVNDB-2015-007175, date: 2016-05-25T00:00:00
db: CNNVD, id: CNNVD-201604-556, date: 2016-04-25T00:00:00
db: NVD, id: CVE-2015-8865, date: 2016-05-20T10:59:00.137