PHP 7.0.10-2 Update

PHP 7.0.10 is the latest available in Satellite. This version is being hit as a Critical finding by Nessus scanners. Will an update for this be rolled out through Satellite? The applicable CVEs state that the fix is in 7.0.25.

Responses

What are the applicable CVEs that Nessus is reporting?

Here are the CVEs

CVE-2016-1283 Details: The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles input patterns with named subgroups. This can allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVE-2017-16642 Details: In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.
