Source: phpunit
Version: 5.4.6-1
Severity: grave
Tags: patch upstream security fixed-upstream

Hi,

the following vulnerability was published for phpunit.

CVE-2017-9841[0]:
| Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3
| allows remote attackers to execute arbitrary PHP code via HTTP POST
| data beginning with a "<?php " substring, as demonstrated by an attack
| on a site with an exposed /vendor folder, i.e., external access to the
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9841
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9841
[1] https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5

Regards,
Salvatore
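
To check whether a web server has received requests for the URI named in the CVE description, its access logs can be scanned as in the following added example, which is not part of the original report or of PHPUnit. It assumes the Apache/nginx combined log format; the function names and the sample log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Combined log format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
# Path suffix taken from the CVE description, lower-cased for comparison.
SUFFIX = "/phpunit/src/util/php/eval-stdin.php"

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Jul/2017:06:25:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 31 "-" "-"',
    '198.51.100.23 - - [10/Jul/2017:06:25:09 +0000] "GET /app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 162 "-" "-"',
    '198.51.100.23 - - [10/Jul/2017:06:25:10 +0000] "POST /lib/vendor/phpunit/phpunit/src/Util/PHP/./eval%2Dstdin.php HTTP/1.1" 404 162 "-" "-"',
    '192.0.2.10 - - [10/Jul/2017:06:26:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def normalize(target):
    """Drop the query string, percent-decode once and collapse ./ and ../ so
    that differently spelled requests for the same file compare equal."""
    path = unquote(urlsplit(target).path)
    return posixpath.normpath(path).lower()  # lower-casing over-matches on purpose


def scan(lines):
    """Return (host, method, path, status, severity) per request for the file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        path = normalize(m["target"])
        if not path.endswith(SUFFIX):
            continue
        status = int(m["status"])
        # A POST answered with 2xx means the file was served from the web
        # root: check the installed PHPUnit version and review the host.
        served = m["method"] == "POST" and 200 <= status < 300
        hits.append((m["host"], m["method"], path, status,
                     "investigate" if served else "probe"))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit)
```

Any hit, whatever its severity, also indicates that the /vendor folder should not be reachable from outside, which is the exposure the CVE description refers to.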