Candidate: CVE-2015-8866
PublicDate: 2016-05-22 01:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8866
 http://framework.zend.com/security/advisory/ZF2015-06 -> Relation to CVE-2015-5161
 http://www.openwall.com/lists/oss-security/2016/04/21/8
 https://ubuntu.com/security/notices/USN-2952-1
Description:
 ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when
 PHP-FPM is used, does not isolate each thread from
 libxml_disable_entity_loader changes in other threads, which allows remote
 attackers to conduct XML External Entity (XXE) and XML Entity Expansion
 (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.php.net/bug.php?id=64938
 https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H [9.6 CRITICAL]

Patches_php5:
 upstream: http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9
upstream_php5: released (5.6.6+dfsg-1)
precise_php5: released (5.3.10-1ubuntu3.22)
trusty_php5: released (5.5.9+dfsg-1ubuntu4.16)
trusty/esm_php5: released (5.5.9+dfsg-1ubuntu4.16)
vivid/stable-phone-overlay_php5: DNE
vivid/ubuntu-core_php5: DNE
wily_php5: not-affected (5.6.11+dfsg-1ubuntu3.1)
xenial_php5: DNE
devel_php5: DNE