PublicDateAtUSN: 2014-07-09
Candidate: CVE-2014-3515
PublicDate: 2014-07-09 11:07:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515
 https://ubuntu.com/security/notices/USN-2276-1
Description:
 The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly
 anticipates that certain data structures will have the array data type
 after unserialization, which allows remote attackers to execute arbitrary
 code via a crafted string that triggers use of a Hashtable destructor,
 related to "type confusion" issues in (1) ArrayObject and (2)
 SPLObjectStorage.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.php.net/bug.php?id=67492
Priority: medium
Discovered-by: Stefan Esser
Assigned-to: mdeslaur
CVSS:

Patches_php5:
 upstream: http://git.php.net/?p=php-src.git;a=commit;h=88223c5245e9b470e1e6362bfd96829562ffe6ab
upstream_php5: needed
lucid_php5: released (5.3.2-1ubuntu4.26)
precise_php5: released (5.3.10-1ubuntu3.13)
saucy_php5: released (5.5.3+dfsg-1ubuntu2.6)
trusty_php5: released (5.5.9+dfsg-1ubuntu4.3)
trusty/esm_php5: released (5.5.9+dfsg-1ubuntu4.3)
devel_php5: released (5.5.12+dfsg-2ubuntu3)