CLD-118 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | php, php5 |
Deficiency Type | SECURITY |
Date Created | 2017-10-28 10:21:53 |
Date Last Modified | 2017-10-28 10:51:47 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in php-5.6.32-i686-1 |
Cucumber 1.0 x86_64 | fixed in php-5.6.32-x86_64-1 |
Cucumber 1.1 i686 | fixed in php-7.2.0RC5-i686-1 and php5-5.6.32-i686-1 |
Cucumber 1.1 x86_64 | fixed in php-7.2.0RC5-x86_64-1 and php5-5.6.32-x86_64-1 |
Details:
This vulnerability allowed a remote attacker to cause a denial of service or
possibly have other unspecified impacts via a specially crafted regex passed to
PCRE. Note that this vulnerability has long since been fixed by the upstream
PCRE developers, and the regular Cucumber PCRE packages are unaffected by it;
it was an issue only because PHP was using an old version of PCRE (which was
linked statically into the PHP binaries).
More details about this vulnerability can be found at:
https://bugs.php.net/bug.php?id=75207 (all PHP versions)
http://www.php.net/ChangeLog-5.php#5.6.32 (PHP 5.6 only)
https://github.com/php/php-src/blob/php-7.2.0RC5/NEWS (PHP 7.2 only)
*** Note for Cucumber Linux 1.1 Alpha Users ***
For users of Cucumber Linux 1.1 Alpha, there have been two package updates
released for this vulnerability: one for the mainstream 'php' package (which is
PHP version 7.2) and one for the legacy 'php5' package (which is PHP version
5.6). You should only ever use one of these two packages on any given system as
they conflict with each other, so make sure to apply the correct update for the
version of PHP you are using. If you use Pickle to apply the update, it will
take care of this for you.