CVE-2017-8923

Name	CVE-2017-8923
Description	The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script's use of .= with a long string.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	881538, 881539

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
php7.0	source	(unstable)	(unfixed)			881538
php7.1	source	(unstable)	(unfixed)			881539

Notes

[stretch] - php7.0 <ignored> (Minor issue)
PHP Bug: https://bugs.php.net/bug.php?id=74577
(Duplicate of) PHP Bug: https://bugs.php.net/bug.php?id=73122