[Buildroot] [PATCH] php: security bump to version 7.2.13

Peter Korsgaard peter at korsgaard.com
Sun Dec 16 19:00:19 UTC 2018


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes CVE-2018-19518: University of Washington IMAP Toolkit 2007f on UNIX,
 > as used in imap_open() in PHP and other products, launches an rsh command
 > (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen
 > function in osdep/unix/tcp_unix.c) without preventing argument injection,
 > which might allow remote attackers to execute arbitrary OS commands if the
 > IMAP server name is untrusted input (e.g., entered by a user of a web
 > application) and if rsh has been replaced by a program with different
 > argument semantics.  For example, if rsh is a link to ssh (as seen on Debian
 > and Ubuntu systems), then the attack can use an IMAP server name containing
 > a "-oProxyCommand" argument.

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2018.02.x, 2018.08.x and 2018.11.x, thanks.

-- 
Bye, Peter Korsgaard


More information about the buildroot mailing list