CVE-2016-6290 in Ubuntu

CVE-2016-6290

Priority

Medium

Description

ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x
before 7.0.9 does not properly maintain a certain hash data structure,
which allows remote attackers to cause a denial of service (use-after-free)
or possibly have unspecified other impact via vectors related to session
deserialization.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6290
https://usn.ubuntu.com/usn/usn-3045-1

Bugs

https://bugs.php.net/bug.php?id=72562

Package

Source: php5 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 14.04 LTS (Trusty Tahr):	released (5.5.9+dfsg-1ubuntu4.19)
Ubuntu 16.04 LTS (Xenial Xerus):	DNE

Patches:

Upstream:

http://git.php.net/?p=php-src.git;a=commit;h=3798eb6fd5dddb211b01d41495072fd9858d4e32

Package

Source: php7.0 (LP Ubuntu Debian)

Upstream:	released (7.0.9)
Ubuntu 14.04 LTS (Trusty Tahr):	DNE
Ubuntu 16.04 LTS (Xenial Xerus):	released (7.0.8-0ubuntu0.16.04.2)

Patches:

Upstream:

http://git.php.net/?p=php-src.git;a=commit;h=3798eb6fd5dddb211b01d41495072fd9858d4e32

More Information

Updated: 2017-12-15 20:35:17 UTC (commit 13913)