Package: php-xdebug
Version: 2.5.0-1
Severity: important
Tags: security

Dear Maintainer,

there seems to be a publicly known security vulnerability in Xdebug versions 2.5.5 and prior which allows the attacker to execute arbitrary PHP code in the context of the web user.

Here you can find more information:

https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/
https://github.com/nqxcode/xdebug-exploit
https://www.exploit-db.com/exploits/44568

I suppose that Debian Stretch is still widely used and updating Xdebug would be more than useful.

Regards,
Mario

-- System Information:
Debian Release: 9.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-11-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages php-xdebug depends on:
ii  libapache2-mod-php7.0 [phpapi-20151012]  7.0.33-0+deb9u6
ii  libc6                                    2.24-11+deb9u4
ii  php-common                               1:49
ii  php7.0-cli [phpapi-20151012]             7.0.33-0+deb9u6
ii  ucf                                      3.0036

php-xdebug recommends no packages.

php-xdebug suggests no packages.

-- Configuration Files:
/etc/php/7.0/mods-available/xdebug.ini changed [not included]

-- no debconf information