Candidate: CVE-2015-5161
PublicDate: 2015-08-25 17:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161
 http://framework.zend.com/security/advisory/ZF2015-06
Description:
 The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework
 before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running
 under PHP-FPM in a threaded environment, allows remote attackers to bypass
 security checks and conduct XML external entity (XXE) and XML entity
 expansion (XEE) attacks via multibyte encoded characters.
Ubuntu-Description:
Notes:
 tyhicks> Doesn't affect php-zend-xml when used with PHP 5.5 >= 5.5.22, PHP
  5.6 >= 5.6.6, and PHP 7
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_php-zend-xml:
upstream_php-zend-xml: needs-triage
precise_php-zend-xml: DNE
trusty_php-zend-xml: DNE
trusty/esm_php-zend-xml: DNE
vivid_php-zend-xml: ignored (reached end-of-life)
vivid/stable-phone-overlay_php-zend-xml: DNE
vivid/ubuntu-core_php-zend-xml: DNE
wily_php-zend-xml: DNE
devel_php-zend-xml: not-affected (1.0.1-1)