Your message dated Sat, 22 Jul 2017 13:17:18 +0100
with message-id <1500725838.14212.3.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 9.1 p-u fixes
has caused the Debian Bug report #866351,
regarding stretch-pu: package phpunit/5.4.6-2~deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
866351: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866351
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi stable managers,

Please, allow this patched version of phpunit, built and tested in a
Stretch environment, fixing an arbitrary PHP code execution via HTTP
POST [CVE-2017-9841], aka #866200. As discussed with the security team,
PHPUnit should not be available on a production server, even less
publicly accessible (so we’d prefer to pass on a proper DSA), yet, we’d
prefer not to let such a big flaw available, so please, accept it in the
next stable update.

Regards

David
diff -Nru phpunit-5.4.6/debian/changelog phpunit-5.4.6/debian/changelog
--- phpunit-5.4.6/debian/changelog	2016-06-18 12:34:11.000000000 -1000
+++ phpunit-5.4.6/debian/changelog	2017-06-28 17:03:35.000000000 -1000
@@ -1,3 +1,18 @@
+phpunit (5.4.6-2~deb8u1) stretch; urgency=high
+
+  * Team upload
+  * Upload previous fix to Stretch
+
+ -- David Prévot <taf...@debian.org>  Wed, 28 Jun 2017 17:03:35 -1000
+
+phpunit (5.4.6-2) unstable; urgency=high
+
+  * Team upload
+  * Fix arbitrary PHP code execution via HTTP POST [CVE-2017-9841]
+    (Closes: #866200)
+
+ -- David Prévot <taf...@debian.org>  Wed, 28 Jun 2017 16:43:26 -1000
+
 phpunit (5.4.6-1) unstable; urgency=medium
 
   * Team upload
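Review bot: the version string in the new top stanza, `5.4.6-2~deb8u1`, does not match the stretch target given in the same line's distribution field or the `5.4.6-2~deb9u1` named in this bug's title; stretch is Debian 9, so the suffix should be `~deb9u1` (a `~deb8u1` suffix reads as a jessie update). Please confirm which version was actually built and tested before the upload is accepted. It would also help the stable changelog reader if the `Upload previous fix to Stretch` entry repeated the CVE reference and `Closes: #866200`, instead of relying on the unstable stanza below it.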
diff -Nru phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch
--- phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch	1969-12-31 14:00:00.000000000 -1000
+++ phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch	2017-06-28 16:41:16.000000000 -1000
@@ -0,0 +1,34 @@
+From: Bob Weinand <bobw...@hotmail.com>
+Date: Sun, 13 Nov 2016 18:52:50 +0100
+Subject: Correct fix for #1956
+
+Origin: upstream, https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5
+Bug: https://github.com/sebastianbergmann/phpunit/pull/2356
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866200
+---
+ src/Util/PHP/Template/TestCaseMethod.tpl.dist | 2 +-
+ src/Util/PHP/eval-stdin.php                   | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/Util/PHP/Template/TestCaseMethod.tpl.dist b/src/Util/PHP/Template/TestCaseMethod.tpl.dist
+index 47ef6e4..c7172b9 100644
+--- a/src/Util/PHP/Template/TestCaseMethod.tpl.dist
++++ b/src/Util/PHP/Template/TestCaseMethod.tpl.dist
+@@ -58,7 +58,7 @@ function __phpunit_run_isolated_test()
+         $output = $test->getActualOutput();
+     }
+ 
+-    rewind(STDOUT);
++    @rewind(STDOUT); /* @ as not every STDOUT target stream is rewindable */
+     if ($stdout = stream_get_contents(STDOUT)) {
+         $output = $stdout . $output;
+     }
+diff --git a/src/Util/PHP/eval-stdin.php b/src/Util/PHP/eval-stdin.php
+index fe1b8bd..3b3a6d0 100644
+--- a/src/Util/PHP/eval-stdin.php
++++ b/src/Util/PHP/eval-stdin.php
+@@ -1,3 +1,3 @@
+ <?php
+ 
+-eval('?>' . file_get_contents('php://input'));
++eval('?>' . file_get_contents('php://stdin'));
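Review bot: the security-relevant change is the last line of the embedded upstream patch, where `eval-stdin.php` stops reading `php://input` and reads `php://stdin` instead. `php://input` is the raw body of the current HTTP request, so whenever this helper is reachable through a web server the request body goes straight into `eval()`, which is the arbitrary code execution the changelog names as CVE-2017-9841; `php://stdin` is only the standard input of the process PHPUnit spawned for the isolated test, which is the intended source. The `@rewind(STDOUT)` change in `TestCaseMethod.tpl.dist` is unrelated to the CVE and is carried along because it is part of the same upstream commit (284a69fb, per the `Origin:` header); since `@` silences the warning for non-rewindable streams rather than handling it, a short note in the DEP-3 description that this second hunk is incidental would save future readers from wondering whether it is part of the fix. Also worth stating in the review: the file still evaluates whatever arrives on stdin, so the fix removes the HTTP-body sink but does not make the helper safe to expose; the package should continue to keep these utilities out of any web-served path, as the bug submitter notes.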
diff -Nru phpunit-5.4.6/debian/patches/series phpunit-5.4.6/debian/patches/series
--- phpunit-5.4.6/debian/patches/series	2016-06-18 12:15:55.000000000 -1000
+++ phpunit-5.4.6/debian/patches/series	2017-06-28 16:41:16.000000000 -1000
@@ -1 +1,2 @@
 0001-Remove-Composer-autoload.patch
+0002-Correct-fix-for-1956.patch



--- End Message ---
--- Begin Message ---
Version: 9.1

Hi,

These bugs all relate to updates which were included in today's stretch
point release.

Regards,

Adam

--- End Message ---