This update for php5 fixes the following issues:
* It is possible to launch a web server with "php -S localhost:8080"
It used to be possible to set an arbitrary $HTTP_PROXY environment variable
for request handlers -- like CGI scripts -- by including a specially crafted
HTTP header in the request (CVE-2016-5385). As a result, these server
components would potentially direct all their outgoing HTTP traffic through a
malicious proxy server. This patch fixes the issue: the updated php server
ignores such HTTP headers and never sets $HTTP_PROXY for sub-processes.
(bnc#988486)
* There was multiple cases where a remote attacker could trigger a double free
and, given specific PHP code using callbacks, trigger code execution vectors.
(bnc#986246,bnc#986244,CVE-2016-5768,CVE-2016-5772)
* It was possible to inject header or content information (XSS) when a user was
using internet explorer as the browser. (bnc#986004, CVE-2015-8935)
* In several cases it was possible for a integer overflow to trigger an
excessive memory allocation (bnc#986392, bnc#986388, bnc#986386, bnc#986393,
CVE-2016-5770, CVE-2016-5769, CVE-2016-5766, CVE-2016-5767)
* It was possible for an attacker to abuse the garbage collector to free a
target array. At this point an attacker could craft a fake zval object and
exploit the PHP process by taking over the EIP/RIP. (bnc#986391,
CVE-2016-5771)
This update was imported from the SUSE:SLE-12:Update update project.
- Submitted by Simon Lees (simotek)