Bugzilla – Bug 986004
VUL-0: CVE-2015-8935: php5,php53: XSS in header() with Internet Explorer
Last modified: 2016-09-01 10:19:59 UTC
CVE-2015-8935

http://seclists.org/oss-sec/2016/q2/570

From: Lukas Reschke <lukas () nextcloud com>
Date: Mon, 20 Jun 2016 18:41:50 +0200

Hi,

Considering CVE-2011-1398 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1398) we believe PHP security bug #68978 (https://bugs.php.net/bug.php?id=68978) also warrants a CVE identifier:

The filtering in header() function is not sufficient and this can lead to header injection and content injection (XSS) when the client is Internet Explorer (in every tested version).

IE accepts %0A%20 or %0D%0A%20 as separator in HTTP while other browsers treat the new line beginning with space as the continuation of the previous header. This can lead to header injection or content injection (basically, XSS) in IE.

PHP’s documentation (http://php.net/manual/en/function.header.php) explicitly states that since version 5.2.1 PHP natively prevents header injections:

This function now prevents more than one header to be sent at once as a protection against header injection attacks.

My understanding is that the corresponding upstream commit can be found at https://github.com/php/php-src/commit/996faf964bba1aec06b153b370a7f20d3dd2bb8b

This has been patched in PHP 5.6.6, 5.5.22 and 5.4.38, since some distributions ship older versions and have not backported this we’re therefore kindly requesting a CVE identifier and making OSS Security aware of this.

An issue directly to Ubuntu has been filed at https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1594041 for 14.04.

Thanks,
Lukas

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8935
http://seclists.org/oss-sec/2016/q2/576
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8935.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8935

bugbot adjusting priority
If I understand correctly, this will disallow newlines in headers, which is, I believe, unlikely. But it is an incompatible change.
QA: note the change of some *phpt in the commit
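
The two behaviours discussed above (tolerating a line break that is followed by a space or tab, versus rejecting every line break), as an added example in C that is not code from php-src or from this report. The function names, result codes and sample header lines are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Added illustration, not php-src code. All names here are hypothetical. */
enum hdr_check { HDR_OK = 0, HDR_NEWLINE = 1, HDR_NUL = 2 };

/* Lenient: a line break is tolerated when the next byte is SP or HT
 * (header folding). A client that treats LF+SP or CRLF+SP as a header
 * separator, as the report says IE does, sees a second header. */
enum hdr_check check_folding_allowed(const char *h, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        char next = (i + 1 < len) ? h[i + 1] : '\0';
        int folded = (next == ' ' || next == '\t');
        if (h[i] == '\n' && !folded) return HDR_NEWLINE;
        if (h[i] == '\r' && next != '\n' && !folded) return HDR_NEWLINE;
        if (h[i] == '\0') return HDR_NUL;
    }
    return HDR_OK;
}

/* Strict: any CR, LF or NUL byte rejects the whole header line. */
enum hdr_check check_strict(const char *h, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (h[i] == '\r' || h[i] == '\n') return HDR_NEWLINE;
        if (h[i] == '\0') return HDR_NUL;
    }
    return HDR_OK;
}

/* Constructed sample header lines (not taken from the bug report). */
static const char SAMPLE_PLAIN[]   = "Location: /home";
static const char SAMPLE_LF_SP[]   = "Location: /home\n X-Injected: 1";
static const char SAMPLE_CRLF_SP[] = "Location: /home\r\n X-Injected: 1";
static const char SAMPLE_CRLF[]    = "Location: /home\r\nX-Injected: 1";

int main(void)
{
    const char *s[] = { SAMPLE_PLAIN, SAMPLE_LF_SP, SAMPLE_CRLF_SP, SAMPLE_CRLF };
    size_t n[] = { sizeof SAMPLE_PLAIN - 1, sizeof SAMPLE_LF_SP - 1,
                   sizeof SAMPLE_CRLF_SP - 1, sizeof SAMPLE_CRLF - 1 };
    for (size_t i = 0; i < 4; i++)
        printf("sample %zu: lenient=%d strict=%d\n", i,
               check_folding_allowed(s[i], n[i]), check_strict(s[i], n[i]));
    return 0;
}
```

The folded samples pass the lenient check and fail the strict one, which is also why the strict form is an incompatible change for any caller that relied on folded header values.
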
12sp2/php7 has that already in. Applied in 13.2/php5 to 10sp3/php5.
Packages submitted.
This is an autogenerated message for OBS integration: This bug (986004) was mentioned in https://build.opensuse.org/request/show/405425 13.2 / php5
This is an autogenerated message for OBS integration: This bug (986004) was mentioned in https://build.opensuse.org/request/show/405458 13.2 / php5
openSUSE-SU-2016:1761-1: An update that fixes 9 vulnerabilities is now available.
Category: security (important)
Bug References: 986004,986244,986246,986247,986386,986388,986391,986392,986393
CVE References: CVE-2015-8935,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772,CVE-2016-5773
Sources used:
  openSUSE 13.2 (src): php5-5.6.1-69.1

SUSE-SU-2016:1842-1: An update that fixes 9 vulnerabilities is now available.
Category: security (moderate)
Bug References: 986004,986244,986246,986386,986388,986391,986392,986393,988486
CVE References: CVE-2015-8935,CVE-2016-5385,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772
Sources used:
  SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php5-5.5.14-68.1
  SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-68.1

openSUSE-SU-2016:1922-1: An update that fixes 9 vulnerabilities is now available.
Category: security (moderate)
Bug References: 986004,986244,986246,986386,986388,986391,986392,986393,988486
CVE References: CVE-2015-8935,CVE-2016-5385,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772
Sources used:
  openSUSE Leap 42.1 (src): php5-5.5.14-56.1

all released

SUSE-SU-2016:2013-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 986004,986244,986386,986388,986393
CVE References: CVE-2015-8935,CVE-2016-5766,CVE-2016-5767,CVE-2016-5769,CVE-2016-5772
Sources used:
  SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-74.1
  SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-74.1
  SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-74.1

SUSE-SU-2016:2080-1: An update that fixes 12 vulnerabilities is now available.
Category: security (important)
Bug References: 986004,986244,986386,986388,986393,991426,991427,991428,991429,991430,991433,991437
CVE References: CVE-2015-8935,CVE-2016-5399,CVE-2016-5766,CVE-2016-5767,CVE-2016-5769,CVE-2016-5772,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297
Sources used:
  SUSE Linux Enterprise Server 11-SP2-LTSS (src): php5-5.2.14-0.7.30.89.1
  SUSE Linux Enterprise Debuginfo 11-SP2 (src): php5-5.2.14-0.7.30.89.1