[pkg-php-pear] Bug#866200: phpunit: CVE-2017-9841

Salvatore Bonaccorso carnil at debian.org
Wed Jun 28 08:17:54 UTC 2017

Source: phpunit
Version: 5.4.6-1
Severity: grave
Tags: patch upstream security fixed-upstream


the following vulnerability was published for phpunit.

| Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3
| allows remote attackers to execute arbitrary PHP code via HTTP POST
| data beginning with a "<?php " substring, as demonstrated by an attack
| on a site with an exposed /vendor folder, i.e., external access to the
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9841
[1] https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5


More information about the pkg-php-pear mailing list