VulnerableCode Package Details - pkg:deb/ubuntu/hhvm@3.12.11%2Bdfsg-1build1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-2kms-au22-aaap	CVE-2014-9767 php: ZipArchive::extractTo allows for directory traversal when creating directories	CVE-2014-9767
VCID-2pp9-5w36-aaag	HHVM does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. This issue affects HHVM versions prior to 3.9.6, all versions between 3.10.0 and 3.12.4 (inclusive), and all versions between 3.13.0 and 3.14.2 (inclusive).	CVE-2016-1000109
VCID-41cq-ax36-aaap	Integer overflow in StringUtil::implode in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors.	CVE-2016-6872
VCID-44sp-vxb7-aaar	Self recursion in compact in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors.	CVE-2016-6873
VCID-7pxm-d6cs-aaaf	hhvm before 3.12.11 has a use-after-free in the serialize_memoize_param() and ResourceBundle::__construct() functions.	CVE-2016-1000006
VCID-7ube-41ft-aaaq	The array_*_recursive functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, related to recursion.	CVE-2016-6874
VCID-9e3n-37te-aaaf	[Unknown description]	CVE-2016-1552
VCID-efa3-fgp4-aaab	mcrypt_get_block_size did not enforce that the provided "module" parameter was a string, leading to type confusion if other types of data were passed in. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive).	CVE-2016-1000005
VCID-fz9a-b2v4-aaac	Infinite recursion in wddx in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors.	CVE-2016-6875
VCID-mg8k-gw3b-aaae	Integer overflow in bcmath in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, which triggers a buffer overflow.	CVE-2016-6871
VCID-nk4z-hdr2-aaae	Insufficient type checks were employed prior to casting input data in SimpleXMLElement_exportNode and simplexml_import_dom. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive).	CVE-2016-1000004
VCID-s7ta-xm41-aaaj	Out-of-bounds write in the (1) mb_detect_encoding, (2) mb_send_mail, and (3) mb_detect_order functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors.	CVE-2016-6870
VCID-svn2-nywv-aaac	CVE-2016-6288 php: Buffer over-read in php_url_parse_ex	CVE-2016-6288

Vulnerability

Summary

Aliases

VCID-2kms-au22-aaap

CVE-2014-9767 php: ZipArchive::extractTo allows for directory traversal when creating directories

CVE-2014-9767

VCID-2pp9-5w36-aaag

HHVM does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. This issue affects HHVM versions prior to 3.9.6, all versions between 3.10.0 and 3.12.4 (inclusive), and all versions between 3.13.0 and 3.14.2 (inclusive).

CVE-2016-1000109

VCID-41cq-ax36-aaap

Integer overflow in StringUtil::implode in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors.

CVE-2016-6872

VCID-44sp-vxb7-aaar

Self recursion in compact in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors.

CVE-2016-6873

VCID-7pxm-d6cs-aaaf

hhvm before 3.12.11 has a use-after-free in the serialize_memoize_param() and ResourceBundle::__construct() functions.

CVE-2016-1000006

VCID-7ube-41ft-aaaq

The array_*_recursive functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, related to recursion.

CVE-2016-6874

VCID-9e3n-37te-aaaf

[Unknown description]

CVE-2016-1552

VCID-efa3-fgp4-aaab

mcrypt_get_block_size did not enforce that the provided "module" parameter was a string, leading to type confusion if other types of data were passed in. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive).

CVE-2016-1000005

VCID-fz9a-b2v4-aaac

Infinite recursion in wddx in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors.

CVE-2016-6875

VCID-mg8k-gw3b-aaae

Integer overflow in bcmath in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, which triggers a buffer overflow.

CVE-2016-6871

VCID-nk4z-hdr2-aaae

Insufficient type checks were employed prior to casting input data in SimpleXMLElement_exportNode and simplexml_import_dom. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive).

CVE-2016-1000004

VCID-s7ta-xm41-aaaj

Out-of-bounds write in the (1) mb_detect_encoding, (2) mb_send_mail, and (3) mb_detect_order functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors.

CVE-2016-6870

VCID-svn2-nywv-aaac

CVE-2016-6288 php: Buffer over-read in php_url_parse_ex

CVE-2016-6288