Your message dated Sun, 02 Jul 2017 23:17:09 +0000
with message-id <e1dro73-0006fv...@fasolo.debian.org>
and subject line Bug#866200: fixed in phpunit 5.4.6-2~deb9u1
has caused the Debian Bug report #866200,
regarding phpunit: CVE-2017-9841
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
866200: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866200
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: phpunit
Version: 5.4.6-1
Severity: grave
Tags: patch upstream security fixed-upstream

Hi,

the following vulnerability was published for phpunit.

CVE-2017-9841[0]:
| Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3
| allows remote attackers to execute arbitrary PHP code via HTTP POST
| data beginning with a "<?php " substring, as demonstrated by an attack
| on a site with an exposed /vendor folder, i.e., external access to the
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9841
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9841
[1] https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5

Regards,
Salvatore

--- End Message ---
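As an added example (not part of this bug report or of the Debian package), a Python check that flags the request pattern described in the CVE text in web-server access logs; it assumes the Apache/nginx combined log format and uses constructed sample lines.

```python
import posixpath
import re
from urllib.parse import unquote
# Script path named in the CVE-2017-9841 description; a 200 for it means the
# web root exposes the vendor/ directory of a PHPUnit install.
EVAL_STDIN_PATH = "/vendor/phpunit/phpunit/src/util/php/eval-stdin.php"  # lower-cased

# Apache/nginx "combined" access-log layout (assumed log format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def normalize(path):
    """Decode %XX, drop the query string, collapse ../ and lower-case the path."""
    return posixpath.normpath(unquote(path).split("?", 1)[0]).lower()

def classify(entry):
    """Return a finding for a request to eval-stdin.php, else None."""
    path = normalize(entry["path"])
    if not path.endswith(EVAL_STDIN_PATH):
        return None
    if entry["method"] == "POST" and entry["status"] == 200:
        severity = "critical"  # a body reached the script and it answered: treat as compromise
    elif entry["status"] == 200:
        severity = "high"      # script reachable: vendor/ is exposed, patch or block it
    else:
        severity = "info"      # probe refused (403/404): attempt only
    return dict(entry, path=path, severity=severity)

def scan(lines):
    """Run the classifier over an iterable of access-log lines."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and (finding := classify(entry)) is not None:
            findings.append(finding)
    return findings
# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jul/2017:10:01:09 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 0 "-" "curl/7.52.1"',
    '203.0.113.7 - - [02/Jul/2017:10:01:12 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 51 "-" "curl/7.52.1"',
    '198.51.100.4 - - [02/Jul/2017:10:05:33 +0000] "POST /lib/../vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php HTTP/1.1" 404 212 "-" "python-requests/2.18"',
    '192.0.2.10 - - [02/Jul/2017:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]
```

A "high" finding on a production host means the vendor/ tree is reachable regardless of whether the patched package is installed; the packaged fix and blocking the path at the web server are complementary.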
--- Begin Message ---
Source: phpunit
Source-Version: 5.4.6-2~deb9u1

We believe that the bug you reported is fixed in the latest version of
phpunit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 866...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taf...@debian.org> (supplier of updated phpunit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Wed, 28 Jun 2017 17:03:35 -1000
Source: phpunit
Binary: phpunit
Architecture: source
Version: 5.4.6-2~deb9u1
Distribution: stretch
Urgency: high
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: David Prévot <taf...@debian.org>
Description:
 phpunit    - Unit testing suite for PHP
Closes: 866200
Changes:
 phpunit (5.4.6-2~deb9u1) stretch; urgency=high
 .
   * Team upload
   * Upload previous fix to Stretch
 .
 phpunit (5.4.6-2) unstable; urgency=high
 .
   * Team upload
   * Fix arbitrary PHP code execution via HTTP POST [CVE-2017-9841]
     (Closes: #866200)
Checksums-Sha1:
 adf93c164ee2621a9ef8898fc4463b3ea87baec3 2121 phpunit_5.4.6-2~deb9u1.dsc
 4a8cd9baaef1fd4d41ee0e55c2a08855da38dbb0 11972 phpunit_5.4.6-2~deb9u1.debian.tar.xz
Checksums-Sha256:
 9b27ad8e4c2cdc1da095c8697b7f303490dca11e99b14b3e8ecf8e3e0781af01 2121 phpunit_5.4.6-2~deb9u1.dsc
 574b1829f8b58c60c6e24b7df9c2244956419df2c95142b05e047807a27d93fa 11972 phpunit_5.4.6-2~deb9u1.debian.tar.xz
Files:
 310c6cb0bef349d482e9a59c79844c34 2121 php optional phpunit_5.4.6-2~deb9u1.dsc
 1d0325acd3a58a805773dd13cc0099f4 11972 php optional phpunit_5.4.6-2~deb9u1.debian.tar.xz

--- End Message ---