CVE-2017-11142

Published: 10 July 2017

In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a denial of service (CPU consumption) by injecting long form variables, related to main/php_variables.c.

Priority

Low

CVSS 3 base score: 7.5

Status

Package Release Status
php5
Upstream: Released (5.6.31)
Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (code not present)
php7.0
Upstream: Released (7.0.17)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (7.0.18-0ubuntu0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

Patches:
Upstream: https://github.com/php/php-src/commit/0f8cf3b8497dc45c010c44ed9e96518e11e19fc3
Upstream: https://github.com/php/php-src/commit/a15bffd105ac28fd0dd9b596632dbf035238fda3
php7.1
Upstream: Released (7.1.3)
Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist