The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2015-1135 advisory.

    - core: fix multipart/form-data request can use excessive       amount of CPU usage CVE-2015-4024
    - fix various functions accept paths with NUL character       CVE-2015-4025, CVE-2015-4026, #1213407
    - ftp: fix integer overflow leading to heap overflow when       reading FTP file listing CVE-2015-4022
    - phar: fix buffer over-read in metadata parsing CVE-2015-2783
    - phar: invalid pointer free() in phar_tar_process_metadata()       CVE-2015-3307
    - phar: fix buffer overflow in phar_set_inode() CVE-2015-3329
    - phar: fix memory corruption in phar_parse_tarfile caused by       empty entry file name CVE-2015-4021
    - apache2handler: fix pipelined request executed in deinitialized       interpreter under httpd 2.4 CVE-2015-3330
    - core: use after free vulnerability in unserialize()       CVE-2014-8142 and CVE-2015-0231
    - core: fix use-after-free in unserialize CVE-2015-2787
    - core: fix NUL byte injection in file name argument of       move_uploaded_file() CVE-2015-2348
    - date: use after free vulnerability in unserialize CVE-2015-0273
    - enchant: fix heap buffer overflow in enchant_broker_request_dict       CVE-2014-9705
    - exif: free called on unitialized pointer CVE-2015-0232
    - fileinfo: fix out of bounds read in mconvert CVE-2014-9652
    - gd: fix buffer read overflow in gd_gif_in.c CVE-2014-9709
    - phar: use after free in phar_object.c CVE-2015-2301
    - fileinfo: fix out-of-bounds read in elf note headers. CVE-2014-3710
    - xmlrpc: fix out-of-bounds read flaw in mkgmtime() CVE-2014-3668
    - core: fix integer overflow in unserialize() CVE-2014-3669
    - exif: fix heap corruption issue in exif_thumbnail() CVE-2014-3670
    - gd: fix NULL pointer dereference in gdImageCreateFromXpm().
      CVE-2014-2497
    - gd: fix NUL byte injection in file names. CVE-2014-5120
    - fileinfo: fix extensive backtracking in regular expression       (incomplete fix for CVE-2013-7345). CVE-2014-3538
    - fileinfo: fix mconvert incorrect handling of truncated       pascal string size. CVE-2014-3478
    - fileinfo: fix cdf_read_property_info       (incomplete fix for CVE-2012-1571). CVE-2014-3587
    - spl: fix use-after-free in ArrayIterator due to object       change during sorting. CVE-2014-4698
    - spl: fix use-after-free in SPL Iterators. CVE-2014-4670
    - network: fix segfault in dns_get_record       (incomplete fix for CVE-2014-4049). CVE-2014-3597

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Oracle Linux 7 : php (ELSA-2015-1135)

critical Nessus Plugin ID 84351

Version 2.16