CVE-2015-4148

Publication date 9 June 2015

Last updated 24 July 2024

Ubuntu priority

The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a "type confusion" issue.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
php5	15.04 vivid	Fixed 5.6.4+dfsg-4ubuntu6.2
	14.10 utopic	Fixed 5.5.12+dfsg-2ubuntu4.6
	14.04 LTS trusty	Fixed 5.5.9+dfsg-1ubuntu4.11
	12.04 LTS precise	Fixed 5.3.10-1ubuntu3.19

How can I get the fixes?
What do statuses mean?

Notes

mdeslaur

same commits as CVE-2015-4147 regression fixed in 5.4.40,5.5.24,5.6.8

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-2658-1
PHP vulnerabilities
6 July 2015

Other references

http://www.openwall.com/lists/oss-security/2015/03/20/14
http://www.openwall.com/lists/oss-security/2015/06/01/4
https://www.cve.org/CVERecord?id=CVE-2015-4148