CVE-2016-10397

Priority
Medium
Description
In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various
URI components in the URL parser could be used by attackers to bypass
hostname-specific URL checks, as demonstrated by
evil.example.com:80#@good.example.com/ and
evil.example.com:80?@good.example.com/ inputs to the parse_url function
(implemented in the php_url_parse_ex function in ext/standard/url.c).
References
Bugs
Notes
 sbeattie> PEAR issues should go against php-pear as of xenial
Package
Source: php5 (LP Ubuntu Debian)
Upstream:released (5.6.28)
Ubuntu 17.10 (Artful Aardvark):DNE
Ubuntu 12.04 ESM (Precise Pangolin):needs-triage
Ubuntu 14.04 LTS (Trusty Tahr):released (5.5.9+dfsg-1ubuntu4.22)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 17.04 (Zesty Zapus):DNE
Patches:
Upstream:http://git.php.net/?p=php-src.git;a=commit;h=b061fa909de77085d3822a89ab901b934d0362c4
Upstream:http://git.php.net/?p=php-src.git;a=commit;h=2d19c92fc2f14aa97db9094eaa0b67d1c3b12409 (regression?)
Package
Upstream:needs-triage
Ubuntu 17.10 (Artful Aardvark):not-affected (7.1.6-2ubuntu1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 17.04 (Zesty Zapus):DNE
Package
Upstream:released (7.0.13)
Ubuntu 17.10 (Artful Aardvark):DNE
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (7.0.18-0ubuntu0.16.04.1)
Ubuntu 17.04 (Zesty Zapus):not-affected (7.0.18-0ubuntu0.16.04.1)
More Information

Updated: 2017-10-23 12:23:12 UTC (commit 13562)