Overview

File _patchinfo of Package patchinfo.5534

<patchinfo incident="5534">
  <issue id="1057845" tracker="bnc">L3: PHP7 Fatal error - Namespace encapsulation not working</issue>
  <issue id="1057104" tracker="bnc">php7-devel package should require php7-pear</issue>
  <issue id="1054432" tracker="bnc">VUL-0: CVE-2017-12932: php7: ext/standard/var_unserializer.re in PHP 7.0.x through 7.0.22 and 7.1.x through7.1.8 is prone to a heap use after free while unserializing untrusted data,related to improper use of the hash API for key deletion</issue>
  <issue id="1054408" tracker="bnc">VUL-0: CVE-2017-12934: php7: ext/standard/var_unserializer.re in PHP 7.0.x before 7.0.21 and 7.1.x before7.1.7 is prone to a heap use after free while unserializing untrusted data,related to the zval_get_type function in Zend/zend_types.h</issue>
  <issue id="1054430" tracker="bnc">VUL-0: CVE-2017-12933: php5,php7,php53: The finish_nested_data function in ext/standard/var_unserializer.re in PHPbefore 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a bufferover-read while unserializing untrusted data.</issue>
  <issue id="2017-12933" tracker="cve" />
  <issue id="2017-12934" tracker="cve" />
  <issue id="2017-12932" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>pgajdos</packager>
  <description>This update for php7 fixes several issues.

These security issues were fixed:

- CVE-2017-12932: Prevent heap use after free while unserializing untrusted
  data, related to improper use of the hash API for key deletion in a situation
  with an invalid array size. Exploitation of this issue could have had an
  unspecified impact on the integrity of PHP (bsc#1054432).
- CVE-2017-12934: Prevent heap use after free while unserializing untrusted
  data, related to the zval_get_type function in Zend/zend_types.h.
  Exploitation of this issue could have had an unspecified impact on the
  integrity of PHP (bsc#1054408).
- CVE-2017-12933: The finish_nested_data function in
  ext/standard/var_unserializer.re was prone to a buffer over-read while
  unserializing untrusted data. Exploitation of this issue could have had an
  unspecified impact on the integrity of PHP (bsc#1054430)

These non-security issues were fixed:

- bsc#1057104: php7-devel now requires php7-pear
- bsc#1057845: Fixed namespace encapsulation of imported classes/functions/constants
</description>
  <summary>Security update for php7</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places