Source: xmlrpc-epi
Version: 0.54.2-1
Severity: grave
Tags: security upstream patch
Control: tags -1 fixed 0.54.2-1+deb7u1
Hi,

the following vulnerability was published for xmlrpc-epi. AFAICS it is used by php7.0 in stretch from system. For stable this probably does not warrant a DSA, since nothing depends on it.

CVE-2016-6296[0]:
| Integer signedness error in the simplestring_addn function in
| simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before
| 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote
| attackers to cause a denial of service (heap-based buffer overflow) or
| possibly have unspecified other impact via a long first argument to
| the PHP xmlrpc_encode_request function.

If you fix the vulnerability, please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-6296

Regards,
Salvatore
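Added illustration, not xmlrpc-epi's or PHP's code: a growable-string append of the kind the CVE describes, written with an unsigned length and an overflow check on every size computation so that a wrapped or negative-turned-huge length is refused before the heap is touched. The struct, function names and growth step are assumptions.

```c
/* Hypothetical growable string; the point is the arithmetic in sstring_addn. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

typedef struct {
    char  *str;   /* NUL-terminated buffer, or NULL before first use */
    size_t len;   /* bytes in use, not counting the NUL */
    size_t size;  /* bytes allocated */
} sstring;

#define SSTRING_INCR 32u   /* growth granularity (assumed value) */

/* Returns 1 on success, 0 if the append was refused or allocation failed.
 * len + add_len + 1 is only computed after proving it cannot wrap size_t;
 * a signed length that became huge on conversion fails the same guard. */
int sstring_addn(sstring *t, const char *src, size_t add_len)
{
    if (!t || !src) return 0;
    /* overflow guard: add_len + 1 and len + add_len + 1 must both fit */
    if (add_len > SIZE_MAX - 1 || t->len > SIZE_MAX - 1 - add_len) return 0;
    size_t needed = t->len + add_len + 1;
    if (needed > t->size) {
        /* round up to the next SSTRING_INCR multiple, again without wrapping */
        size_t newsize = needed;
        if (newsize > SIZE_MAX - SSTRING_INCR) return 0;
        newsize += SSTRING_INCR - (newsize % SSTRING_INCR);
        char *p = realloc(t->str, newsize);
        if (!p) return 0;            /* old buffer stays valid and owned */
        t->str = p;
        t->size = newsize;
    }
    memcpy(t->str + t->len, src, add_len);
    t->len += add_len;
    t->str[t->len] = '\0';           /* always within the checked size */
    return 1;
}

void sstring_free(sstring *t)
{
    free(t->str);
    t->str = NULL;
    t->len = t->size = 0;
}
```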