php: two vulnerabilities
| Package(s): | php7 | CVE #(s): | CVE-2016-10162 CVE-2016-7480 |
| Created: | February 22, 2017 | Updated: | February 22, 2017 |

Description: From the SUSE advisory:

 - CVE-2016-10162: The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7 allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.
 - CVE-2016-7480: The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP did not verify that a key is an object, which allowed remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.