Title
MGASA-2016-0267 -- security update for php, xmlrpc-epi, timezone, php-timezonedb
Description
Stack-based buffer overflow vulnerability in virtual_file_ex()
(CVE-2016-6289).
Use After Free in unserialize() with Unexpected Session Deserialization
(CVE-2016-6290).
Out-of-bounds read in exif_process_IFD_in_MAKERNOTE() (CVE-2016-6291).
NULL Pointer Dereference in exif_process_user_comment() (CVE-2016-6292).
locale_accept_from_http() out-of-bounds access (CVE-2016-6294).
Use After Free Vulnerability in SNMP with GC and unserialize()
(CVE-2016-6295).
Heap buffer overflow (write) in simplestring_addn() in simplestring.c in
php-xmlrpc (CVE-2016-6296).
Stack-based buffer overflow vulnerability in php_stream_zip_opener()
(CVE-2016-6297).
The php package has been updated to version 5.6.24, fixing these issues
and several other bugs. See the upstream ChangeLog for details.
The CVE-2016-6296 issue was in the xmlrpc-epi library, which has been
patched.
Additionally, the timezone and php-timezonedb packages have been updated
with the latest timezone data.