[Buildroot] [PATCH] php: security bump to version 7.2.13
Peter Korsgaard
peter at korsgaard.com
Sun Dec 16 19:00:19 UTC 2018
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes CVE-2018-19518: University of Washington IMAP Toolkit 2007f on UNIX,
> as used in imap_open() in PHP and other products, launches an rsh command
> (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen
> function in osdep/unix/tcp_unix.c) without preventing argument injection,
> which might allow remote attackers to execute arbitrary OS commands if the
> IMAP server name is untrusted input (e.g., entered by a user of a web
> application) and if rsh has been replaced by a program with different
> argument semantics. For example, if rsh is a link to ssh (as seen on Debian
> and Ubuntu systems), then the attack can use an IMAP server name containing
> a "-oProxyCommand" argument.
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2018.02.x, 2018.08.x and 2018.11.x, thanks.
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list