Errata overview
Errata ID 330
Date 2016-11-23
Source package php5
Fixed in version 5.4.45-0.235.201611171529
Description
This update addresses the following issue(s):
* Denial of service due to crash of the phar extension caused
  by NULL pointer dereference when processing tar archives containing
  links referring to non-existing files. (CVE-2015-7803)
* Denial of service and potential information disclosure due to
  the phar extension incorrectly processing directory entries found
  in archive files with the name "/". (CVE-2015-7804)
* The file_check_mem function in funcs.c in file before 5.23, as used
  in the Fileinfo component in PHP before 5.5.34, mishandles
  continuation-level jumps, which allows context-dependent attackers to
  cause a denial of service (buffer overflow and application crash) or
  possibly execute arbitrary code via a crafted magic file (CVE-2015-8865)
* The libxml_disable_entity_loader setting is shared between threads:
  ext/libxml/libxml.c in PHP before 5.5.22, when PHP-FPM is used, does not
  isolate each thread from libxml_disable_entity_loader changes in other
  threads, which allows remote attackers to conduct XML External Entity
  (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document,
  a related issue to CVE-2015-5161 (CVE-2015-8866)
* main/php_open_temporary_file.c in PHP before 5.5.28 does not ensure
  thread safety, which allows remote attackers to cause a denial of
  service (race condition and heap memory corruption) by leveraging
  an application that performs many temporary-file accesses (CVE-2015-8878)
* The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12
  mishandles driver behavior for SQL_WVARCHAR columns, which allows remote
  attackers to cause a denial of service (application crash) in
  opportunistic circumstances by leveraging use of the odbc_fetch_array
  function to access a certain type of Microsoft SQL Server table
  (CVE-2015-8879)
* Integer overflow in the php_raw_url_encode function in ext/standard/url.c
  in PHP before 5.5.34 allows remote attackers to cause a denial of service
  (application crash) via a long string to the rawurlencode function
  (CVE-2016-4070)
* Format string vulnerability in the php_snmp_error function in
  ext/snmp/snmp.c in PHP before 5.5.34 allows remote attackers to execute
  arbitrary code via format string specifiers in an SNMP::get call
  (CVE-2016-4071)
* The Phar extension in PHP before 5.5.34 allows remote attackers to
  execute arbitrary code via a crafted filename, as demonstrated by
  mishandling of \0 characters by the phar_analyze_path function in
  ext/phar/phar.c (CVE-2016-4072)
* Multiple integer overflows in the mbfl_strcut function in
  ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34 allow remote
  attackers to cause a denial of service (application crash) or possibly
  execute arbitrary code via a crafted mb_strcut call (CVE-2016-4073)
* The phar_make_dirstream function in ext/phar/dirstream.c in PHP before
  5.6.18 mishandles zero-size ././@LongLink files, which allows remote
  attackers to cause a denial of service (uninitialized pointer dereference)
  or possibly have unspecified other impact via a crafted TAR archive
  (CVE-2016-4343)
* The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35 accepts
  a negative integer for the scale argument, which allows remote attackers
  to cause a denial of service or possibly have unspecified other impact
  via a crafted call (CVE-2016-4537)
* The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35
  allows remote attackers to cause a denial of service (buffer under-read
  and segmentation fault) or possibly have unspecified other impact via
  crafted XML data in the second argument, leading to a parser level of
  zero (CVE-2016-4539)
* The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in
  PHP before 5.5.35 allows remote attackers to cause a denial of service
  (out-of-bounds read) or possibly have unspecified other impact via a
  negative offset (CVE-2016-4540, CVE-2016-4541)
* The exif_process_* functions in ext/exif/exif.c in PHP before 5.5.35 do
  not validate IFD sizes, which allows remote attackers to cause a denial
  of service (out-of-bounds read) or possibly have unspecified other impact
  via crafted header data (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544)
* Absence of null character causes unexpected zend_string length and
  leaks heap memory. The test script uses locale_get_primary_language
  to reach get_icu_value_internal but there are some other functions
  that also trigger this issue: locale_canonicalize, locale_filter_matches,
  locale_lookup, locale_parse (CVE-2016-5093)
* Don't create strings with lengths outside int range
  (CVE-2016-5094, CVE-2016-5095)
* Type (int/size_t) confusion in fread (CVE-2016-5096)
* Use After Free Vulnerability in WDDX Packet Deserialization
  (Debian bug 70661)
* Type Confusion Vulnerability in PHP_to_XMLRPC_worker()
  (Debian bug 70728)
* Session WDDX Packet Deserialization Type Confusion Vulnerability
  (Debian bug 70741)
* php_url_parse_ex() buffer overflow read
  (Debian bug 70480 / CVE-2016-6288)
* An invalid free may occur under certain conditions when processing
  phar-compatible archives (CVE-2016-4473)
* Remote denial of service or unspecified other impact via crafted call
  to the bcpowmod function in ext/bcmath/bcmath.c (CVE-2016-4538)
* sapi/fpm/fpm/fpm_log.c misinterprets the semantics of the snprintf
  return value, which allows attackers to obtain sensitive information
  from process memory or cause a denial of service (out-of-bounds read
  and buffer overflow) via a long string, as demonstrated by a long URI
  in a configuration with custom REQUEST_URI logging (CVE-2016-5114)
* Improper error handling in bzread (CVE-2016-5399)
* Double free vulnerability in the _php_mb_regex_ereg_replace_exec
  function in php_mbregex.c in the mbstring extension allows remote
  attackers to execute arbitrary code or cause a denial of service
  (application crash) by leveraging a callback exception (CVE-2016-5768)
* Multiple integer overflows in mcrypt.c in the mcrypt extension allow
  remote attackers to cause a denial of service (heap-based buffer
  overflow and application crash) or possibly have unspecified other
  impact via a crafted length value, related to the (1) mcrypt_generic
  and (2) mdecrypt_generic functions (CVE-2016-5769)
* Integer overflow in the SplFileObject::fread function in spl_directory.c
  allows remote attackers to cause a denial of service or possibly have
  unspecified other impact via a large integer argument, a related issue
  to CVE-2016-5096 (CVE-2016-5770)
* spl_array.c in the SPL extension improperly interacts with the
  unserialize implementation and garbage collection, which allows remote
  attackers to execute arbitrary code or cause a denial of service
  (use-after-free and application crash) via crafted serialized data
  (CVE-2016-5771)
* Double free vulnerability in the php_wddx_process_data function in
  wddx.c in the WDDX extension allows remote attackers to cause a denial
  of service (application crash) or possibly execute arbitrary code via
  crafted XML data that is mishandled in a wddx_deserialize call
  (CVE-2016-5772)
* php_zip.c in the zip extension improperly interacts with the
  unserialize implementation and garbage collection, which allows
  remote attackers to execute arbitrary code or cause a denial of
  service (use-after-free and application crash) via crafted serialized
  data containing a ZipArchive object (CVE-2016-5773)
* Integer overflow in the virtual_file_ex function in
  TSRM/tsrm_virtual_cwd.c allows remote attackers to cause a denial
  of service (stack-based buffer overflow) or possibly have unspecified
  other impact via a crafted extract operation on a ZIP archive
  (CVE-2016-6289)
* ext/session/session.c does not properly maintain a certain hash data
  structure, which allows remote attackers to cause a denial of service
  (use-after-free) or possibly have unspecified other impact via vectors
  related to session deserialization (CVE-2016-6290)
* The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c allows
  remote attackers to cause a denial of service (out-of-bounds array
  access and memory corruption), obtain sensitive information from
  process memory, or possibly have unspecified other impact via a
  crafted JPEG image (CVE-2016-6291)
* The exif_process_user_comment function in ext/exif/exif.c allows remote
  attackers to cause a denial of service (NULL pointer dereference and
  application crash) via a crafted JPEG image (CVE-2016-6292)
* The locale_accept_from_http function in ext/intl/locale/locale_methods.c
  does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP
  function, which allows remote attackers to cause a denial of service
  (out-of-bounds read) or possibly have unspecified other impact via a
  call with a long argument (CVE-2016-6294)
* ext/snmp/snmp.c improperly interacts with the unserialize implementation
  and garbage collection, which allows remote attackers to cause a denial
  of service (use-after-free and application crash) or possibly have
  unspecified other impact via crafted serialized data, a related issue
  to CVE-2016-5773 (CVE-2016-6295)
* Integer signedness error in the simplestring_addn function in
  simplestring.c in xmlrpc-epi through 0.54.2 allows remote attackers to
  cause a denial of service (heap-based buffer overflow) or possibly have
  unspecified other impact via a long first argument to the PHP
  xmlrpc_encode_request function (CVE-2016-6296)
* Integer overflow in the php_stream_zip_opener function in
  ext/zip/zip_stream.c allows remote attackers to cause a denial of
  service (stack-based buffer overflow) or possibly have unspecified
  other impact via a crafted zip:// URL (CVE-2016-6297)
* Use After Free Vulnerability in unserialize() (Debian bug 70436)
* PHP Session Data Injection Vulnerability, consume data even if not
  storing it (Debian bug 72681)
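The fpm_log.c item above (CVE-2016-5114) describes a bug class that is easy to check for in any C code that builds log lines: snprintf returns the length the complete output would have had, not the number of bytes actually stored. The following is a constructed example added here, not code from PHP or from this errata, showing an append helper that clamps the return value so the write cursor can never leave the buffer; the 32-byte log buffer and the request-line format are assumptions for illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example (not PHP's fpm_log.c): the bug class behind
 * CVE-2016-5114 is treating snprintf's return value as "bytes written".
 * snprintf returns the length the complete output WOULD have had, so
 * after truncation that value exceeds the remaining space, and using it
 * to advance a cursor moves later reads and writes past the buffer. */

/* Appends formatted text at buf + *len; buf has `cap` bytes in total.
 * Returns 0 on success, 1 when output was truncated, -1 on format error.
 * *len never exceeds cap - 1, so the cursor always stays in bounds. */
static int buf_appendf(char *buf, size_t cap, size_t *len,
                       const char *fmt, ...)
{
    if (cap == 0 || *len >= cap)
        return -1;

    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + *len, cap - *len, fmt, ap);
    va_end(ap);

    if (n < 0)
        return -1;                  /* encoding error, nothing usable written */
    if ((size_t)n >= cap - *len) {  /* would-be length >= free space: truncated */
        *len = cap - 1;             /* vsnprintf already placed the NUL here */
        return 1;
    }
    *len += (size_t)n;              /* only now is n the number of bytes added */
    return 0;
}

typedef struct {
    size_t len;     /* final cursor position inside the 32-byte log buffer */
    int truncated;  /* 1 if any append did not fit */
} log_result;

/* Builds an access-log line for `uri` in a deliberately small buffer
 * (32 bytes, an assumed size) so truncation is easy to trigger. */
log_result demo_log(const char *uri)
{
    char line[32];
    log_result r = { 0, 0 };
    r.truncated |= buf_appendf(line, sizeof line, &r.len, "GET %s", uri) == 1;
    r.truncated |= buf_appendf(line, sizeof line, &r.len, " HTTP/1.1") == 1;
    return r;
}
```

With a short URI the cursor ends at the true line length; with a long one it is pinned at 31 and the truncation flag is set, whereas a naive `len += n` would have advanced it past the end of the array.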
Additional notes
CVE ID CVE-2015-7803, CVE-2015-7804, CVE-2015-8865, CVE-2015-8866,
CVE-2015-8878, CVE-2015-8879, CVE-2016-4070, CVE-2016-4071, CVE-2016-4072,
CVE-2016-4073, CVE-2016-4343, CVE-2016-4537, CVE-2016-4539, CVE-2016-4541,
CVE-2016-4544, CVE-2016-5093, CVE-2016-5095, CVE-2016-5096, CVE-2016-4473,
CVE-2016-4538, CVE-2016-5114, CVE-2016-5399, CVE-2016-5768, CVE-2016-5769,
CVE-2016-5770, CVE-2016-5771, CVE-2016-5772, CVE-2016-5773, CVE-2016-6288,
CVE-2016-6289, CVE-2016-6290, CVE-2016-6291, CVE-2016-6292, CVE-2016-6294,
CVE-2016-6295, CVE-2016-6296, CVE-2016-6297
UCS Bug number #40918