Bugzilla – Bug 945412
VUL-0: CVE-2015-6837 CVE-2015-6838: php5, php53: NULL pointer dereference in XSLTProcessor class
Last modified: 2016-06-21 11:16:55 UTC
rh#1260711 The XSLTProcessor class misses a few checks on the input from the libxslt library. The valuePop() function call is able to return NULL pointer and php does not check that. Upstream report: https://bugs.php.net/bug.php?id=69782 Upstream patch: http://git.php.net/?p=php-src.git;a=commit;h=1744be2d17befc69bf00033993f4081852a747d6 References: https://bugzilla.redhat.com/show_bug.cgi?id=1260711 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6838 http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-6838.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6838
bugbot adjusting priority
yes it looks like its the same issue. But if they didn't fix it then the patch is incomplete.
openSUSE-SU-2015:1628-1: An update that solves 8 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 942291,942293,942294,942295,942296,945402,945403,945412,945428 CVE References: CVE-2015-6831,CVE-2015-6832,CVE-2015-6833,CVE-2015-6834,CVE-2015-6835,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838 Sources used: openSUSE 13.2 (src): php5-5.6.1-36.1 openSUSE 13.1 (src): php5-5.4.20-67.1
SUSE-SU-2015:1633-1: An update that solves 8 vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 935074,942291,942293,942294,942295,942296,944302,945402,945403,945412,945428 CVE References: CVE-2015-6831,CVE-2015-6832,CVE-2015-6833,CVE-2015-6834,CVE-2015-6835,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): php5-5.5.14-36.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-36.1
SUSE-SU-2015:1701-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 945412,945428 CVE References: CVE-2015-6836,CVE-2015-6837,CVE-2015-6838 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): php5-5.2.14-0.7.30.72.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): php5-5.2.14-0.7.30.72.1
Hello SUSE, ... with the php update now available for SLES 11 SP2 LTSS is there any outlook when this update will be available for SLES 11 SP3 on the maintweb ..? Please advise ... Thanks for your support.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-10-26. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62310
(In reply to Hanns-Joachim Uhl from comment #12) > Hello SUSE, > ... with the php update now available for SLES 11 SP2 LTSS > is there any outlook when this update will be available for SLES 11 SP3 > on the maintweb ..? > Please advise ... > Thanks for your support. . Hello SUSE, ... do you have already an outlook when this update will be available for SLES 11 SP3 on the maintweb ..? I am getting questions / requests for it already from the field ... ... please advise. Thanks in advance for your support.
today
SUSE-SU-2015:1818-1: An update that solves 5 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 935074,942291,942294,942295,942296,945412,945428 CVE References: CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-48.1 SUSE Linux Enterprise Software Development Kit 11-SP3 (src): php53-5.3.17-48.1 SUSE Linux Enterprise Server for VMWare 11-SP3 (src): php53-5.3.17-48.1 SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-48.1 SUSE Linux Enterprise Server 11-SP3 (src): php53-5.3.17-48.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-48.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): php53-5.3.17-48.1
released
SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available. Category: security (important) Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162 CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): php53-5.3.17-47.1