SUSE-SU-2019:2503-1 | Mondoo Vulnerability Intelligence

SUSE-SU-2019:2503-1

HIGH8.8

Security update for php7

Published Oct 1, 2019

Modified 6 years ago

Fix available

Details

Description of the patch:

This update for php7 fixes the following issues:

Security issues fixed:

CVE-2019-11041: Fixed heap buffer over-read in exif_scan_thumbnail() (bsc#1146360).
CVE-2019-11042: Fixed heap buffer over-read in exif_process_user_comment() (bsc#1145095).

Non-security issue fixed:

Drop -n from php invocation from pecl (bsc#1151793).

Affected Packages(53 packages)

php7-embed

SUSE Linux Enterprise Module for Package Hub 15

Fixed in:

7.2.5-4.40.1

apache2-mod_php7

SUSE Linux Enterprise Module for Web and Scripting 15SUSE Linux Enterprise Module for Web and Scripting 15 SP1

Fixed in:

7.2.5-4.40.1

php7

SUSE Linux Enterprise Module for Web and Scripting 15SUSE Linux Enterprise Module for Web and Scripting 15 SP1

Fixed in:

7.2.5-4.40.1

php7-bcmath

SUSE Linux Enterprise Module for Web and Scripting 15SUSE Linux Enterprise Module for Web and Scripting 15 SP1

Fixed in:

7.2.5-4.40.1

php7-bz2

SUSE Linux Enterprise Module for Web and Scripting 15SUSE Linux Enterprise Module for Web and Scripting 15 SP1

Fixed in:

7.2.5-4.40.1

php7-calendar

SUSE Linux Enterprise Module for Web and Scripting 15SUSE Linux Enterprise Module for Web and Scripting 15 SP1

Fixed in:

7.2.5-4.40.1

php7-ctype

SUSE Linux Enterprise Module for Web and Scripting 15SUSE Linux Enterprise Module for Web and Scripting 15 SP1

Fixed in:

7.2.5-4.40.1

php7-curl

SUSE Linux Enterprise Module for Web and Scripting 15SUSE Linux Enterprise Module for Web and Scripting 15 SP1

Fixed in:

7.2.5-4.40.1

php7-dba

SUSE Linux Enterprise Module for Web and Scripting 15SUSE Linux Enterprise Module for Web and Scripting 15 SP1

Fixed in:

7.2.5-4.40.1

php7-devel

SUSE Linux Enterprise Module for Web and Scripting 15SUSE Linux Enterprise Module for Web and Scripting 15 SP1

Fixed in:

7.2.5-4.40.1

References

https://bugzilla.suse.com/1145095

https://bugzilla.suse.com/1146360

https://bugzilla.suse.com/1151793

https://lists.suse.com/pipermail/sle-security-updates/2019-October/005973.html

https://www.suse.com/security/cve/CVE-2019-11041/

https://www.suse.com/security/cve/CVE-2019-11042/

https://www.suse.com/support/security/rating/

https://www.suse.com/support/update/announcement/2019/suse-su-20192503-1/

CVSS Analysis

CVSS v3.0

8.8

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

RequiredUI:R

Scope

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

HighA:H

8.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Upstream

CVE-2019-11041 CVE-2019-11042

Ecosystems

SUSE Linux Enterprise Module for Package Hub 15 SUSE Linux Enterprise Module for Web and Scripting 15 SUSE Linux Enterprise Module for Web and Scripting 15 SP1

Timeline

PublishedOct 1, 2019

ModifiedOct 1, 2019