Your message dated Thu, 29 Jun 2017 03:20:09 +0000
with message-id <e1dqq01-000avf...@fasolo.debian.org>
and subject line Bug#866200: fixed in phpunit 5.4.6-2
has caused the Debian Bug report #866200,
regarding phpunit: CVE-2017-9841
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
866200: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866200
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: phpunit
Version: 5.4.6-1
Severity: grave
Tags: patch upstream security fixed-upstream

Hi,

the following vulnerability was published for phpunit.

CVE-2017-9841[0]:
| Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3
| allows remote attackers to execute arbitrary PHP code via HTTP POST
| data beginning with a "<?php " substring, as demonstrated by an attack
| on a site with an exposed /vendor folder, i.e., external access to the
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9841
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9841
[1] https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5

Regards,
Salvatore

--- End Message ---
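The CVE text above names the one file that matters for defenders: `src/Util/PHP/eval-stdin.php` under the `/vendor` tree, which has no business being reachable over HTTP. The following is an added example (not part of the bug report, the Debian package, or upstream PHPUnit) that scans web-server access logs in the common Apache/nginx "combined" format for requests reaching that file and grades them, and that applies the upstream version ranges from the CVE description. The log lines, IP addresses and timestamps are constructed for the example.

```python
"""Added example: detect requests to PHPUnit's eval-stdin.php (CVE-2017-9841)
in access logs, and classify an upstream PHPUnit version against the CVE ranges."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The file named in the CVE description. It is a test helper with no
# legitimate reason to be reachable over HTTP, so any hit is worth a look.
EVAL_STDIN_RE = re.compile(r"/phpunit/src/util/php/eval-stdin\.php$", re.IGNORECASE)

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    severity: str  # "critical", "high" or "info"


def classify(line: str) -> Optional[Hit]:
    """Return a Hit if the log line targets eval-stdin.php, otherwise None."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # not a combined-format line; ignore it
    path = m.group("path").split("?", 1)[0]  # drop any query string before matching
    if EVAL_STDIN_RE.search(path) is None:
        return None
    status = int(m.group("status"))
    method = m.group("method")
    if method == "POST" and status == 200:
        # The script evaluates the POST body; a 200 on a POST means the body
        # very likely ran. Treat as a confirmed incident, not a probe.
        severity = "critical"
    elif status in (200, 500):
        # The file is reachable (a 500 is typical when the body fails to parse).
        severity = "high"
    else:
        # 403/404 and similar: the request was blocked or the file is absent.
        severity = "info"
    return Hit(m.group("ip"), m.group("ts"), method, path, status, severity)


def scan(lines: Iterable[str]) -> List[Hit]:
    """Run classify() over every line and keep the hits, in log order."""
    return [h for h in (classify(line) for line in lines) if h is not None]


def is_vulnerable_upstream(version: str) -> bool:
    """Apply the ranges in the CVE text: before 4.8.28, and 5.x before 5.6.3.

    Only meaningful for unpatched upstream releases: a distribution package
    such as Debian's 5.4.6-2 carries the fix under a lower version number,
    so a version-string check alone cannot clear a distro package."""
    parts = tuple(int(p) for p in version.split("-", 1)[0].split("."))
    major = parts[0]
    if major < 5:
        return parts < (4, 8, 28)
    if major == 5:
        return parts < (5, 6, 3)
    return False  # 6.x and later are outside the affected ranges


# Constructed sample log lines; addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Jun/2017:03:20:09 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.52"',
    '203.0.113.5 - - [29/Jun/2017:03:20:10 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "curl/7.52"',
    '198.51.100.7 - - [29/Jun/2017:03:21:00 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 17 "-" "python-requests/2.18"',
    '198.51.100.7 - - [29/Jun/2017:03:21:05 +0000] "POST /VENDOR/phpunit/phpunit/src/Util/PHP/eval-stdin.php?x=1 HTTP/1.1" 403 199 "-" "python-requests/2.18"',
    '192.0.2.9 - - [29/Jun/2017:03:22:00 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.severity:8} {h.ip:15} {h.method:4} {h.status} {h.ts}")
```

The severity grading is deliberately conservative: a 404 or 403 still records that someone looked for the file, which is useful for correlating the source address with later activity, while a 200 on a POST is the signal that warrants an incident rather than a ticket. The version helper is a reminder that the Debian fix below (5.4.6-2) is a backport, so for packaged installs the authoritative check is the distribution's changelog or security tracker, not the upstream version number.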
--- Begin Message ---
Source: phpunit
Source-Version: 5.4.6-2

We believe that the bug you reported is fixed in the latest version of
phpunit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 866...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taf...@debian.org> (supplier of updated phpunit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 28 Jun 2017 16:43:26 -1000
Source: phpunit
Binary: phpunit
Architecture: source
Version: 5.4.6-2
Distribution: unstable
Urgency: high
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: David Prévot <taf...@debian.org>
Description:
 phpunit    - Unit testing suite for PHP
Closes: 866200
Changes:
 phpunit (5.4.6-2) unstable; urgency=high
 .
   * Team upload
   * Fix arbitrary PHP code execution via HTTP POST [CVE-2017-9841]
     (Closes: #866200)
Checksums-Sha1:
 16b82d278728a2bfe27c1ebb2e035aaa472bdea4 2093 phpunit_5.4.6-2.dsc
 1ed5c0394279f2acd5c5ba8ea54c29f9ce31dec3 11952 phpunit_5.4.6-2.debian.tar.xz
Checksums-Sha256:
 749af5bf798496cf48e40cc33db92c303980291dccf256f2cf99111d57c5bfd4 2093 phpunit_5.4.6-2.dsc
 62c854dfd1d43f9a718624de405dd498caa7768ec26b0d457ed278796723fa55 11952 phpunit_5.4.6-2.debian.tar.xz
Files:
 7960ae8e99e8a028122d7d2835dcbd43 2093 php optional phpunit_5.4.6-2.dsc
 7ab69c0c9814df724ed1f89c7a3ffe73 11952 php optional phpunit_5.4.6-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAllUbCAACgkQBYwc+UT2
vTyfOQf9GVm+b4uSm/p6lZqptVwLw6w0eXnj5szIkLuJLy/449sE9fdbzPFm0wOV
7sNpB8RHGWBazPqEMmQZSJ0pGjIdGQsfjyY4cfblZHy0GZqI6jM+HJACmKZbFESN
OoA3cyuzXoz1fnS+NXFmwzS763jISpaZcC1FGvfrsUm0udegrsw+SSAR6PIs7Yq9
Gyqpp3MLvpWI6nanRfd2X1T8JdkaXm6DhFtaO4xbd7L6/FD05JHoreCYP7td7R22
XmKndYGOGYT4w5NIFVxbLf/tT3gts5C3IUDWDe1eGM/6xYOSRXJFZ8OweSGWpakh
6VsJlv5FW1uYKXXE7baGy+y+YRkxYg==
=Rmsq
-----END PGP SIGNATURE-----

--- End Message ---
