Multiple vulnerabilities in PHP
| Risk | Medium |
| Patch available | NO |
| Number of vulnerabilities | 12 |
| CVE-ID | CVE-2011-1464 CVE-2011-1466 CVE-2011-1467 CVE-2011-1468 CVE-2011-1469 CVE-2011-1470 CVE-2011-1471 CVE-2011-0421 CVE-2011-0708 CVE-2011-1153 CVE-2011-1092 CVE-2010-4645 |
| CWE-ID | CWE-119 CWE-20 CWE-399 CWE-125 CWE-134 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available. Public exploit code for vulnerability #6 is available. Public exploit code for vulnerability #7 is available. Public exploit code for vulnerability #8 is available. Public exploit code for vulnerability #9 is available. Public exploit code for vulnerability #11 is available. Public exploit code for vulnerability #12 is available. |
| Vulnerable software |
PHP Universal components / Libraries / Scripting languages |
| Vendor | PHP Group |
Security Bulletin
This security bulletin contains information about 12 vulnerabilities.
1) Buffer overflow
EUVDB-ID: #VU45183
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-1464
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
Buffer overflow in the strval function in PHP before 5.3.6, when the precision configuration option has a large value, might allow context-dependent attackers to cause a denial of service (application crash) via a small numerical value in the argument.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 1.0 - 5.3.4
CPE2.3- cpe:2.3:a:php_group:php:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:2.0b10:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:3.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:4.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:4.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:4.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:php_group:php:5.0.5:*:*:*:*:*:*:*
https://bugs.php.net/bug.php?id=54055
https://marc.info/?l=bugtraq&m=133469208622507&w=2
https://www.mandriva.com/security/advisories?name=MDVSA-2011:052
https://www.mandriva.com/security/advisories?name=MDVSA-2011:053
https://www.php.net/archive/2011.php
https://www.php.net/ChangeLog-5.php
https://www.php.net/releases/5_3_6.php
https://www.vupen.com/english/advisories/2011/0744
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU45185
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-1466
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
Integer overflow in the SdnToJulian function in the Calendar extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) via a large integer in the first argument to the cal_from_jd function.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 1.0 - 5.3.4
CPE2.3 External linkshttps://bugs.php.net/bug.php?id=53574
https://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
https://lists.opensuse.org/opensuse-security-announce/2012-03/msg00016.html
https://rhn.redhat.com/errata/RHSA-2012-0071.html
https://secunia.com/advisories/48668
https://support.apple.com/kb/HT5002
https://www.debian.org/security/2011/dsa-2266
https://www.mandriva.com/security/advisories?name=MDVSA-2011:052
https://www.mandriva.com/security/advisories?name=MDVSA-2011:053
https://www.php.net/ChangeLog-5.php
https://www.redhat.com/support/errata/RHSA-2011-1423.html
https://www.securityfocus.com/bid/46967
https://www.vupen.com/english/advisories/2011/0744
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU45186
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2011-1467
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
Unspecified vulnerability in the NumberFormatter::setSymbol (aka numfmt_set_symbol) function in the Intl extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) via an invalid argument, a related issue to CVE-2010-4409.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 1.0 - 5.3.4
CPE2.3 External linkshttps://bugs.php.net/bug.php?id=53512
https://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
https://support.apple.com/kb/HT5002
https://www.mandriva.com/security/advisories?name=MDVSA-2011:052
https://www.mandriva.com/security/advisories?name=MDVSA-2011:053
https://www.php.net/ChangeLog-5.php
https://www.securityfocus.com/bid/46968
https://www.vupen.com/english/advisories/2011/0744
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Resource management error
EUVDB-ID: #VU45187
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2011-1468
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: Yes
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
Multiple memory leaks in the OpenSSL extension in PHP before 5.3.6 might allow remote attackers to cause a denial of service (memory consumption) via (1) plaintext data to the openssl_encrypt function or (2) ciphertext data to the openssl_decrypt function.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 1.0 - 5.3.4
CPE2.3 External linkshttps://bugs.php.net/bug.php?id=54060
https://bugs.php.net/bug.php?id=54061
https://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
https://support.apple.com/kb/HT5002
https://www.mandriva.com/security/advisories?name=MDVSA-2011:053
https://www.php.net/ChangeLog-5.php
https://www.redhat.com/support/errata/RHSA-2011-1423.html
https://www.securityfocus.com/bid/46977
https://www.vupen.com/english/advisories/2011/0744
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
5) Input validation error
EUVDB-ID: #VU45188
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-1469
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
Unspecified vulnerability in the Streams component in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) by accessing an ftp:// URL during use of an HTTP proxy with the FTP wrapper.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 1.0 - 5.3.4
CPE2.3https://bugs.php.net/bug.php?id=54092
https://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
https://support.apple.com/kb/HT5002
https://www.mandriva.com/security/advisories?name=MDVSA-2011:052
https://www.mandriva.com/security/advisories?name=MDVSA-2011:053
https://www.php.net/ChangeLog-5.php
https://www.redhat.com/support/errata/RHSA-2011-1423.html
https://www.securityfocus.com/bid/46970
https://www.vupen.com/english/advisories/2011/0744
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Input validation error
EUVDB-ID: #VU45189
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2011-1470
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The Zip extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) via a ziparchive stream that is not properly handled by the stream_get_contents function.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 1.0 - 5.3.4
CPE2.3https://bugs.php.net/bug.php?id=53579
https://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
https://support.apple.com/kb/HT5002
https://www.mandriva.com/security/advisories?name=MDVSA-2011:052
https://www.mandriva.com/security/advisories?name=MDVSA-2011:053
https://www.php.net/ChangeLog-5.php
https://www.securityfocus.com/bid/46969
https://www.vupen.com/english/advisories/2011/0744
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
7) Input validation error
EUVDB-ID: #VU45190
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2011-1471
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
Integer signedness error in zip_stream.c in the Zip extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (CPU consumption) via a malformed archive file that triggers errors in zip_fread function calls.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 1.0 - 5.3.4
CPE2.3https://bugs.php.net/bug.php?id=49072
https://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
https://support.apple.com/kb/HT5002
https://www.debian.org/security/2011/dsa-2266
https://www.mandriva.com/security/advisories?name=MDVSA-2011:052
https://www.mandriva.com/security/advisories?name=MDVSA-2011:053
https://www.php.net/ChangeLog-5.php
https://www.redhat.com/support/errata/RHSA-2011-1423.html
https://www.securityfocus.com/bid/46975
https://www.vupen.com/english/advisories/2011/0744
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
8) Input validation error
EUVDB-ID: #VU45192
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2011-0421
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows context-dependent attackers to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (NULL pointer dereference) via an empty ZIP archive that is processed with a (1) locateName or (2) statName operation.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsPHP: 1.0 - 5.3.4
CPE2.3https://bugs.php.net/bug.php?id=53885
https://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
https://lists.fedoraproject.org/pipermail/package-announce/2011-April/057709.html
https://lists.fedoraproject.org/pipermail/package-announce/2011-April/057710.html
https://lists.fedoraproject.org/pipermail/package-announce/2011-March/056642.html
https://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html
https://marc.info/?l=bugtraq&m=133469208622507&w=2
https://secunia.com/advisories/43621
https://securityreason.com/achievement_securityalert/96
https://securityreason.com/securityalert/8146
https://support.apple.com/kb/HT5002
https://svn.php.net/viewvc/?view=revision&revision=307867
https://www.debian.org/security/2011/dsa-2266
https://www.exploit-db.com/exploits/17004
https://www.mandriva.com/security/advisories?name=MDVSA-2011:052
https://www.mandriva.com/security/advisories?name=MDVSA-2011:053
https://www.mandriva.com/security/advisories?name=MDVSA-2011:099
https://www.php.net/archive/2011.php
https://www.php.net/ChangeLog-5.php
https://www.php.net/releases/5_3_6.php
https://www.securityfocus.com/archive/1/517065/100/0/threaded
https://www.securityfocus.com/bid/46354
https://www.vupen.com/english/advisories/2011/0744
https://www.vupen.com/english/advisories/2011/0764
https://www.vupen.com/english/advisories/2011/0890
https://bugzilla.redhat.com/show_bug.cgi?id=688735
https://exchange.xforce.ibmcloud.com/vulnerabilities/66173
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
9) Out-of-bounds read
EUVDB-ID: #VU45193
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2011-0708
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms performs an incorrect cast, which. A remote attacker can perform a denial of service (application crash) via an image with a crafted Image File Directory (IFD) that triggers a buffer over-read.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsPHP: 1.0 - 5.3.4
CPE2.3https://bugs.php.net/bug.php?id=54002
https://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
https://lists.fedoraproject.org/pipermail/package-announce/2011-April/057709.html
https://lists.fedoraproject.org/pipermail/package-announce/2011-April/057710.html
https://lists.fedoraproject.org/pipermail/package-announce/2011-March/056642.html
https://marc.info/?l=bugtraq&m=133469208622507&w=2
https://openwall.com/lists/oss-security/2011/02/14/1
https://openwall.com/lists/oss-security/2011/02/16/7
https://rhn.redhat.com/errata/RHSA-2012-0071.html
https://securityreason.com/securityalert/8114
https://support.apple.com/kb/HT5002
https://svn.php.net/viewvc?view=revision&revision=308316
https://www.debian.org/security/2011/dsa-2266
https://www.exploit-db.com/exploits/16261/
https://www.mandriva.com/security/advisories?name=MDVSA-2011:052
https://www.mandriva.com/security/advisories?name=MDVSA-2011:053
https://www.php.net/archive/2011.php
https://www.php.net/ChangeLog-5.php
https://www.php.net/releases/5_3_6.php
https://www.redhat.com/support/errata/RHSA-2011-1423.html
https://www.securityfocus.com/bid/46365
https://www.vupen.com/english/advisories/2011/0744
https://www.vupen.com/english/advisories/2011/0764
https://www.vupen.com/english/advisories/2011/0890
https://bugzilla.redhat.com/show_bug.cgi?id=680972
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
10) Format string error
EUVDB-ID: #VU45221
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-1153
CWE-ID:
CWE-134 - Use of Externally-Controlled Format String
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Multiple format string vulnerabilities in phar_object.c in the phar extension in PHP 5.3.5 and earlier allow context-dependent attackers to obtain sensitive information from process memory, cause a denial of service (memory corruption), or possibly execute arbitrary code via format string specifiers in an argument to a class method, leading to an incorrect zend_throw_exception_ex call.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 1.0 - 5.3.4
CPE2.3 External linkshttps://bugs.php.net/bug.php?id=54247
https://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
https://lists.fedoraproject.org/pipermail/package-announce/2011-April/057709.html
https://lists.fedoraproject.org/pipermail/package-announce/2011-April/057710.html
https://lists.fedoraproject.org/pipermail/package-announce/2011-March/056642.html
https://openwall.com/lists/oss-security/2011/03/14/13
https://openwall.com/lists/oss-security/2011/03/14/14
https://openwall.com/lists/oss-security/2011/03/14/24
https://secunia.com/advisories/43744
https://support.apple.com/kb/HT5002
https://svn.php.net/viewvc?view=revision&revision=309221
https://www.debian.org/security/2011/dsa-2266
https://www.mandriva.com/security/advisories?name=MDVSA-2011:052
https://www.mandriva.com/security/advisories?name=MDVSA-2011:053
https://www.php.net/archive/2011.php
https://www.php.net/ChangeLog-5.php
https://www.php.net/releases/5_3_6.php
https://www.securityfocus.com/bid/46854
https://www.vupen.com/english/advisories/2011/0744
https://www.vupen.com/english/advisories/2011/0764
https://www.vupen.com/english/advisories/2011/0890
https://bugzilla.redhat.com/show_bug.cgi?id=688378
https://exchange.xforce.ibmcloud.com/vulnerabilities/66079
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Input validation error
EUVDB-ID: #VU45227
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2011-1092
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Integer overflow in ext/shmop/shmop.c in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (crash) and possibly read sensitive memory via a large third argument to the shmop_read function.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 1.0 - 5.3.4
CPE2.3https://bugs.php.net/bug.php?id=54193
https://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
https://marc.info/?l=bugtraq&m=133469208622507&w=2
https://securityreason.com/securityalert/8130
https://support.apple.com/kb/HT5002
https://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/shmop/shmop.c?r1=306939&r2=309018&pathrev=309018
https://www.exploit-db.com/exploits/16966
https://www.mandriva.com/security/advisories?name=MDVSA-2011:052
https://www.mandriva.com/security/advisories?name=MDVSA-2011:053
https://www.openwall.com/lists/oss-security/2011/03/08/11
https://www.openwall.com/lists/oss-security/2011/03/08/9
https://www.php.net/archive/2011.php
https://www.php.net/ChangeLog-5.php
https://www.php.net/releases/5_3_6.php
https://www.securityfocus.com/bid/46786
https://www.vupen.com/english/advisories/2011/0744
https://bugzilla.redhat.com/show_bug.cgi?id=683183
https://exchange.xforce.ibmcloud.com/vulnerabilities/65988
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
12) Input validation error
EUVDB-ID: #VU45475
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2010-4645
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
strtod.c, as used in the zend_strtod function in PHP 5.2 before 5.2.17 and 5.3 before 5.3.5, and other products, allows context-dependent attackers to cause a denial of service (infinite loop) via a certain floating-point value in scientific notation, which is not properly handled in x87 FPU registers, as demonstrated using 2.2250738585072011e-308.
MitigationInstall update from vendor's website.
Vulnerable software versionsPHP: 5.2.0 - 5.3.4
CPE2.3 External linkshttps://bugs.php.net/53632
https://hal.archives-ouvertes.fr/docs/00/28/14/29/PDF/floating-point-article.pdf
https://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
https://lists.fedoraproject.org/pipermail/package-announce/2011-January/053333.html
https://lists.fedoraproject.org/pipermail/package-announce/2011-January/053355.html
https://marc.info/?l=bugtraq&m=133226187115472&w=2
https://marc.info/?l=bugtraq&m=133469208622507&w=2
https://secunia.com/advisories/42812
https://secunia.com/advisories/42843
https://secunia.com/advisories/43051
https://secunia.com/advisories/43189
https://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.484686
https://support.apple.com/kb/HT5002
https://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/Zend/zend_strtod.c?r1=266327&r2=307095&pathrev=307095
https://www.exploringbinary.com/php-hangs-on-numeric-value-2-2250738585072011e-308/
https://www.openwall.com/lists/oss-security/2011/01/05/2
https://www.openwall.com/lists/oss-security/2011/01/05/8
https://www.openwall.com/lists/oss-security/2011/01/06/5
https://www.redhat.com/support/errata/RHSA-2011-0195.html
https://www.redhat.com/support/errata/RHSA-2011-0196.html
https://www.securityfocus.com/bid/45668
https://www.ubuntu.com/usn/USN-1042-1
https://www.vupen.com/english/advisories/2011/0060
https://www.vupen.com/english/advisories/2011/0066
https://www.vupen.com/english/advisories/2011/0077
https://www.vupen.com/english/advisories/2011/0198
https://exchange.xforce.ibmcloud.com/vulnerabilities/64470
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
