CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: PARTIAL
- Availability Impact: PARTIAL

EPSS: 0.74 High (Percentile: 98.1%)

Updated php packages fix security vulnerabilities:

- Memory Corruption in phar_parse_tarfile when entry filename starts with null (CVE-2015-4021).
- Integer overflow in ftp_genlist() resulting in heap overflow, potentially exploitable by a hostile FTP server (CVE-2015-4022).
- PHP Multipart/form-data parsing remote DoS Vulnerability (CVE-2015-4024).
- Various functions allow \0 in paths where they shouldn’t. In theory, that could lead to security failure for path-based access controls if the user injects a string with \0 in it. These functions include set_include_path(), tempnam(), rmdir(), and readlink() (CVE-2015-4025), as well as pcntl_exec() (CVE-2015-4026).

OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Mageia | 4 | noarch | php | < 5.5.25-1 | php-5.5.25-1.mga4 |
Mageia | 4 | noarch | php-apc | < 3.1.15-4.15 | php-apc-3.1.15-4.15.mga4 |
Mageia | 4 | noarch | php-timezonedb | < 2015.4-1 | php-timezonedb-2015.4-1.mga4 |
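
The \0-in-paths issue above (CVE-2015-4025, CVE-2015-4026) comes from a mismatch between a length-counted string and the C string the OS call receives. The following C sketch is an added example, not PHP's own code: it shows a path-based check passing on the counted string while the C-level view stops at the NUL, and a hardened gate that rejects embedded NULs. The `.txt` policy, the function names and the sample path are all hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample: 19 counted bytes with a NUL at index 14. */
static const char SAMPLE[] = "notes/file.cfg\0.txt";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

/* Hypothetical access policy: only names ending in ".txt" are allowed.
 * It inspects the length-counted string, as a scripting runtime would. */
static int policy_allows(const char *s, size_t len)
{
    static const char suffix[] = ".txt";
    size_t n = sizeof(suffix) - 1;
    return len >= n && memcmp(s + len - n, suffix, n) == 0;
}

/* Length the OS-facing C API sees: everything before the first NUL. */
static size_t os_visible_len(const char *s)
{
    return strlen(s);
}

/* Naive gate: applies the policy only, so the check and the OS call
 * can disagree about which path is being used. */
static int naive_gate(const char *s, size_t len)
{
    return policy_allows(s, len);
}

/* Hardened gate: reject any path containing a NUL inside its counted
 * length before the policy is even consulted. */
static int hardened_gate(const char *s, size_t len)
{
    if (memchr(s, '\0', len) != NULL)
        return 0;
    return policy_allows(s, len);
}

int main(void)
{
    printf("counted length: %zu, OS-visible length: %zu\n",
           (size_t)SAMPLE_LEN, os_visible_len(SAMPLE));
    printf("OS-visible path: %s\n", SAMPLE);
    printf("naive gate: %d, hardened gate: %d\n",
           naive_gate(SAMPLE, SAMPLE_LEN), hardened_gate(SAMPLE, SAMPLE_LEN));
    return 0;
}
```
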