Use after free vulnerability reported in PHP "phar" extension [1]. Upstream commit that fixes this: http://git.php.net/?p=php-src.git;a=commit;h=b2cf3f064b8f5efef89bb084521b61318c71781b [1]: https://bugs.php.net/bug.php?id=68901
Fixed upstream in PHP 5.6.6 and 5.5.22: http://php.net/ChangeLog-5.php#5.6.6 http://php.net/ChangeLog-5.php#5.5.22
Can you provide an update on the status of this bug? The NIST NVD shows a higher vuln score than your whiteboard comments show (above). This is the NIST rating: Original release date: 03/30/2015 Last revised: 04/13/2015 Source: US-CERT/NIST CVSS Severity (version 2.0): CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend) Impact Subscore: 6.4 Exploitability Subscore: 10.0 CVSS Version 2 Metrics: Access Vector: Network exploitable Access Complexity: Low Authentication: Not required to exploit Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service Thanks.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS Via RHSA-2015:1066 https://rhn.redhat.com/errata/RHSA-2015-1066.html
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS Via RHSA-2015:1053 https://rhn.redhat.com/errata/RHSA-2015-1053.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:1135 https://rhn.redhat.com/errata/RHSA-2015-1135.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1218 https://rhn.redhat.com/errata/RHSA-2015-1218.html