CLD-118 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2016-1283 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) php, php5
Deficiency Type SECURITY
Date Created 2017-10-28 10:21:53
Date Last Modified 2017-10-28 10:51:47

Version Specific Information:

Cucumber 1.0 i686 fixed in php-5.6.32-i686-1
Cucumber 1.0 x86_64 fixed in php-5.6.32-x86_64-1

Cucumber 1.1 i686 fixed in php-7.2.0RC5-i686-1 and php5-5.6.32-i686-1
Cucumber 1.1 x86_64 fixed in php-7.2.0RC5-x86_64-1 and php5-5.6.32-x86_64-1

Details:

This was a vulnerability which allowed for a remote attacker to cause a denial
of service or possibly have other unspecified impacts via a specially crafted
regex passed to PCRE. Note that this vulnerability has long since been fixed in
by the upstream PCRE developers and the regular Cucumber PCRE packages are
unaffected by this; this was an issue only because PHP was using an old version
of PCRE (which was linked statically into the PHP binaries). 

More details about this vulnerability can be found at:
	https://bugs.php.net/bug.php?id=75207 (all PHP versions)
	http://www.php.net/ChangeLog-5.php#5.6.32 (PHP 5.6 only)
	https://github.com/php/php-src/blob/php-7.2.0RC5/NEWS (PHP 7.2 only)

*** Note for Cucumber Linux 1.1 Alpha Users ***

For users of Cucumber Linux 1.1 Alpha, there have been two package updates
released for this vulnerability: one for the mainstream 'php' package (which is
PHP version 7.2) and one for the legacy 'php5' package (which is PHP version
5.6). You should only ever use one of these two packages on any given system as
they conflict with each other, so make sure to apply the correct update for the
version of PHP you are using. If you use Pickle to apply the update, it will
take care of this for you.