
Debian Bug report logs - #866200
phpunit: CVE-2017-9841


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 28 Jun 2017 08:21:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version phpunit/5.4.6-1

Fixed in versions phpunit/5.4.6-2, phpunit/5.4.6-2~deb9u1

Done: David Prévot <taffit@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#866200; Package src:phpunit. (Wed, 28 Jun 2017 08:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Wed, 28 Jun 2017 08:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: phpunit: CVE-2017-9841
Date: Wed, 28 Jun 2017 10:17:54 +0200
Source: phpunit
Version: 5.4.6-1
Severity: grave
Tags: patch upstream security fixed-upstream

Hi,

the following vulnerability was published for phpunit.

CVE-2017-9841[0]:
| Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3
| allows remote attackers to execute arbitrary PHP code via HTTP POST
| data beginning with a "<?php " substring, as demonstrated by an attack
| on a site with an exposed /vendor folder, i.e., external access to the
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9841
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9841
[1] https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5

Regards,
Salvatore
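The CVE text above names the exact URI through which the bug is reached. As an added defender-side example (not part of this bug report or of the phpunit project), the script below flags requests for that file in constructed access-log lines and walks a document root to find any web-reachable copy of eval-stdin.php; the log format is the common Apache/nginx combined format, and all sample data is constructed.

```python
"""Defender-side checks for CVE-2017-9841 (PHPUnit eval-stdin.php).
(1) scan access logs for requests to the vulnerable URI, and
(2) walk a document root for a web-reachable eval-stdin.php.
Log lines and directory layout used here are constructed samples."""
import os
import re

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def find_eval_stdin_requests(lines):
    """Return (ip, method, path, status, verdict) for each hit on eval-stdin.php.

    Any request for the file proves the vendor tree is web-reachable; a POST
    is how the CVE is exploited, so it is classified apart from a GET probe.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we can parse; skip it
        path = m.group("path").split("?", 1)[0].lower()
        if not path.endswith("/eval-stdin.php"):
            continue
        verdict = "exploit-attempt" if m.group("method") == "POST" else "probe"
        hits.append((m.group("ip"), m.group("method"), m.group("path"),
                     int(m.group("status")), verdict))
    return hits

def exposed_eval_stdin(docroot):
    """Return the web path of every eval-stdin.php found under docroot."""
    found = []
    for root, _dirs, files in os.walk(docroot):
        if "eval-stdin.php" in files:
            rel = os.path.relpath(os.path.join(root, "eval-stdin.php"), docroot)
            found.append("/" + rel.replace(os.sep, "/"))
    return found

SAMPLE_LOG = [  # constructed sample lines; 203.0.113.0/24 is documentation space
    '203.0.113.5 - - [28/Jun/2017:10:17:54 +0200] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Jun/2017:10:18:01 +0200] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 0',
    '203.0.113.7 - - [28/Jun/2017:10:18:03 +0200] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 37',
    '198.51.100.9 - - [28/Jun/2017:10:19:10 +0200] "POST /login.php HTTP/1.1" 302 0',
]
```

A 200 on the GET probe already shows the /vendor folder is served; the fix is to upgrade to a fixed phpunit and keep /vendor outside the document root.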



Added tag(s) pending. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Thu, 29 Jun 2017 02:51:10 GMT)


Reply sent to David Prévot <taffit@debian.org>:
You have taken responsibility. (Thu, 29 Jun 2017 03:24:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 29 Jun 2017 03:24:05 GMT)


Message #12 received at 866200-close@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: 866200-close@bugs.debian.org
Subject: Bug#866200: fixed in phpunit 5.4.6-2
Date: Thu, 29 Jun 2017 03:20:09 +0000
Source: phpunit
Source-Version: 5.4.6-2

We believe that the bug you reported is fixed in the latest version of
phpunit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 866200@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated phpunit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 28 Jun 2017 16:43:26 -1000
Source: phpunit
Binary: phpunit
Architecture: source
Version: 5.4.6-2
Distribution: unstable
Urgency: high
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description:
 phpunit    - Unit testing suite for PHP
Closes: 866200
Changes:
 phpunit (5.4.6-2) unstable; urgency=high
 .
   * Team upload
   * Fix arbitrary PHP code execution via HTTP POST [CVE-2017-9841]
     (Closes: #866200)




Reply sent to David Prévot <taffit@debian.org>:
You have taken responsibility. (Sun, 02 Jul 2017 23:21:17 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 02 Jul 2017 23:21:17 GMT)


Message #17 received at 866200-close@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: 866200-close@bugs.debian.org
Subject: Bug#866200: fixed in phpunit 5.4.6-2~deb9u1
Date: Sun, 02 Jul 2017 23:17:09 +0000
Source: phpunit
Source-Version: 5.4.6-2~deb9u1

We believe that the bug you reported is fixed in the latest version of
phpunit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 866200@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated phpunit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 28 Jun 2017 17:03:35 -1000
Source: phpunit
Binary: phpunit
Architecture: source
Version: 5.4.6-2~deb9u1
Distribution: stretch
Urgency: high
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description:
 phpunit    - Unit testing suite for PHP
Closes: 866200
Changes:
 phpunit (5.4.6-2~deb9u1) stretch; urgency=high
 .
   * Team upload
   * Upload previous fix to Stretch
 .
 phpunit (5.4.6-2) unstable; urgency=high
 .
   * Team upload
   * Fix arbitrary PHP code execution via HTTP POST [CVE-2017-9841]
     (Closes: #866200)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 31 Jul 2017 07:24:47 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:58:01 2019; Machine Name: buxtehude
