Posted by GLSA (GLSA Advocate, joined 12 May 2004) on Sun Nov 19, 2017 10:26 pm
Post subject: [ GLSA 201711-15 ] PHPUnit
Gentoo Linux Security Advisory
Title: PHPUnit: Remote code execution (GLSA 201711-15)
Severity: normal
Exploitable: remote
Date: 2017-11-19
Bug(s): #635356
ID: 201711-15
Synopsis
A vulnerability was discovered in PHPUnit which may allow an
unauthenticated remote attacker to execute arbitrary PHP code.
Background
PHPUnit is a programmer-oriented testing framework for PHP. It is an
instance of the xUnit architecture for unit testing frameworks.
Affected Packages
Package: dev-php/phpunit
Vulnerable: < 5.7.15-r1
Unaffected: >= 5.7.15-r1
Architectures: All supported architectures
Description
When PHPUnit is installed in a production environment via Composer and the
Composer packages sit in a web-accessible directory, the eval-stdin.php file
shipped with PHPUnit contains statements that allow the vulnerability to be
triggered by a web request.
Impact
A remote attacker could possibly execute arbitrary PHP code or cause a
Denial of Service condition.
Workaround
There are several ways to fix or mitigate this vulnerability:
  * Remove PHPUnit from the production environment.
  * Update PHPUnit.
  * Manually apply the patch.
  * Disable direct access to the Composer packages by placing a .htaccess file
    in the /vendor folder.
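The last workaround, worked through as an added example that is not part of the advisory: a small POSIX shell audit that lists every eval-stdin.php installed under a Composer vendor/phpunit tree below a webroot, reports whether the vendor/ directory above it already carries a deny-all .htaccess, and can write that .htaccess. It assumes an Apache server that honours .htaccess for the webroot (AllowOverride), the webroot path as the first argument, and paths without whitespace.

```shell
#!/bin/sh
# Added example, not from the GLSA: audit a webroot for PHPUnit's eval-stdin.php
# and apply the advisory's .htaccess workaround to the Composer vendor/ directory.
# Assumes Apache honours .htaccess for the webroot (AllowOverride) and that
# paths contain no whitespace.

# Print every eval-stdin.php installed under a Composer vendor/phpunit tree.
find_exposed_eval_stdin() {
    find "$1" -type f -path '*/vendor/phpunit/*' -name 'eval-stdin.php' 2>/dev/null
}

# Workaround 4 of the advisory: deny direct HTTP access to the vendor/ folder.
# Both the Apache 2.4 (mod_authz_core) and the 2.2 directive forms are written.
protect_vendor_dir() {
    [ -d "$1" ] || return 1
    cat > "$1/.htaccess" <<'EOF'
# Block direct web access to Composer packages (GLSA 201711-15 workaround)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Report each eval-stdin.php as EXPOSED or shielded, depending on whether the
# vendor/ directory above it carries a deny-all .htaccess.
audit_webroot() {
    find_exposed_eval_stdin "$1" | while IFS= read -r f; do
        vendor="${f%%/vendor/*}/vendor"
        if [ -f "$vendor/.htaccess" ] &&
           grep -Eq 'Require all denied|Deny from all' "$vendor/.htaccess"; then
            echo "shielded: $f"
        else
            echo "EXPOSED: $f"
        fi
    done
}

# Number of exposed copies; 0 means the workaround is in place everywhere.
count_exposed() {
    audit_webroot "$1" | grep -c '^EXPOSED:' || true
}
```

Run `audit_webroot /var/www/html` to list findings and `protect_vendor_dir /var/www/html/vendor` to apply the deny rule; removing or updating PHPUnit (the other workarounds) remains the preferred fix.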
Resolution
All PHPUnit users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-php/phpunit-5.7.15-r1"
References
CVE-2017-9841
Last edited by GLSA on Mon Jan 15, 2018 4:17 am; edited 1 time in total