PublicDateAtUSN: 2016-05-30
Candidate: CVE-2016-5095
PublicDate: 2016-08-07 10:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5095
 http://www.openwall.com/lists/oss-security/2016/05/25/3
 https://ubuntu.com/security/notices/USN-3045-1
Description:
 Integer overflow in the php_escape_html_entities_ex function in
 ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows
 remote attackers to cause a denial of service or possibly have unspecified
 other impact by triggering a large output string from a
 FILTER_SANITIZE_FULL_SPECIAL_CHARS filter_var call.  NOTE: this
 vulnerability exists because of an incomplete fix for CVE-2016-5094.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.php.net/bug.php?id=72135
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H [8.6 HIGH]

Patches_php5:
 upstream: http://git.php.net/?p=php-src.git;a=commit;h=41fc3c76e97a36ff3b505da7d704ca17bb171fdf
upstream_php5: released (5.6.22+dfsg-1)
precise_php5: released (5.3.10-1ubuntu3.24)
trusty_php5: released (5.5.9+dfsg-1ubuntu4.19)
trusty/esm_php5: released (5.5.9+dfsg-1ubuntu4.19)
vivid/stable-phone-overlay_php5: DNE
vivid/ubuntu-core_php5: DNE
wily_php5: ignored (reached end-of-life)
xenial_php5: DNE
devel_php5: DNE