This update for php5 fixes the following issues:
- CVE-2016-10397: parse_url() can be bypassed to return fake host. (bsc#1047454)
- CVE-2017-11143: An invalid free in the WDDX deserialization of booleanparameters could be used by
attackers able to inject XML for deserialization tocrash the PHP interpreter. (bsc#1048097)
- CVE-2017-11144: The opensslextension PEM sealing code did not check the return value of the
OpenSSL sealingfunction, which could lead to a crash. (bsc#1048096)
- CVE-2017-11145: Lack of bounds checks in timelib_meridian coud lead to information leak.
(bsc#1048112)
- CVE-2017-11146: Lack of bounds checks in timelib_meridian parse code could lead to information
leak. (bsc#1048111)
- CVE-2017-11147: The PHAR archive handler could beused by attackers supplying malicious archive
files to crash the PHP interpreteror potentially disclose information. (bsc#1048094)
- CVE-2016-5766: Integer Overflow in _gd2GetHeader() resulting could lead to heap overflow (bsc#986386)
- CVE-2017-11628: Stack-base dbuffer overflow in zend_ini_do_op() in Zend/zend_ini_parser.c (bsc#1050726)
- CVE-2017-7890: Buffer over-read from unitialized data in gdImageCreateFromGifCtx function could lead to denial of service (bsc#1050241)
This update was imported from the SUSE:SLE-12:Update update project.
- Submitted by Petr Gajdos (pgajdos)