CVE-2014-9425

Publication date 31 December 2014

Last updated 24 July 2024

Ubuntu priority

Description

Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP through 5.5.20 and 5.6.x through 5.6.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
php5	14.10 utopic	Not affected
	14.04 LTS trusty	Not affected
	12.04 LTS precise	Not affected
	10.04 LTS lucid	Not affected

How can I get the fixes?
What do statuses mean?

Notes

mdeslaur

ubuntu/debian packages aren't built with zts enabled

References

MITRE
NVD
Launchpad
Debian

Other references

https://bugs.php.net/bug.php?id=68676
http://openwall.com/lists/oss-security/2014/12/29/6
http://git.php.net/?p=php-src.git;a=commit;h=fbf3a6bc1abcc8a5b5226b0ad9464c37f11ddbd6
http://git.php.net/?p=php-src.git;a=commit;h=2bcf69d073190e4f032d883f3416dea1b027a39e
http://git.php.net/?p=php-src.git;a=commit;h=24125f0f26f3787c006e4a51611ba33ee3b841cb
https://www.cve.org/CVERecord?id=CVE-2014-9425