{
  "schema_version": "1.7.0",
  "id": "MGASA-2015-0231",
  "published": "2015-05-18T19:08:05Z",
  "modified": "2015-05-20T15:38:54Z",
  "summary": "Updated php packages fix security vulnerabilities",
  "details": "Updated php packages fix security vulnerabilities:\n\nMemory Corruption in phar_parse_tarfile when entry filename starts with null\n(CVE-2015-4021).\n\nInteger overflow in ftp_genlist() resulting in heap overflow, potentially\nexploitable by a hostile FTP server (CVE-2015-4022).\n\nPHP Multipart/form-data parsing remote DoS Vulnerability (CVE-2015-4024).\n\nVarious functions allow \\0 in paths where they shouldn't. In theory, that\ncould lead to security failure for path-based access controls if the user\ninjects a string with \\0 in it. These functions include set_include_path(),\ntempnam(), rmdir(), and readlink() (CVE-2015-4025), as well as pcntl_exec()\n(CVE-2015-4026).\n",
  "upstream": [
    "CVE-2015-4021",
    "CVE-2015-4022",
    "CVE-2015-4024",
    "CVE-2015-4025",
    "CVE-2015-4026"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2015-0231.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=15943"
    },
    {
      "type": "WEB",
      "url": "http://php.net/ChangeLog-5.php#5.5.25"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2015/05/20/3"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:4",
        "name": "php",
        "purl": "pkg:rpm/mageia/php?arch=source&distro=mageia-4"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.5.25-1.mga4"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:4",
        "name": "php-apc",
        "purl": "pkg:rpm/mageia/php-apc?arch=source&distro=mageia-4"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.15-4.15.mga4"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:4",
        "name": "php-timezonedb",
        "purl": "pkg:rpm/mageia/php-timezonedb?arch=source&distro=mageia-4"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2015.4-1.mga4"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}