[pkg-php-pear] Bug#866200: phpunit: CVE-2017-9841
Salvatore Bonaccorso
carnil at debian.org
Wed Jun 28 08:17:54 UTC 2017
Source: phpunit
Version: 5.4.6-1
Severity: grave
Tags: patch upstream security fixed-upstream
Hi,
the following vulnerability was published for phpunit.
CVE-2017-9841[0]:
| Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3
| allows remote attackers to execute arbitrary PHP code via HTTP POST
| data beginning with a "<?php " substring, as demonstrated by an attack
| on a site with an exposed /vendor folder, i.e., external access to the
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-9841
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9841
[1] https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5
Regards,
Salvatore
More information about the pkg-php-pear
mailing list