Posted: Sun Nov 19, 2017 10:26 pm Post subject: [ GLSA 201711-15 ] PHPUnit
Gentoo Linux Security Advisory
Title: PHPUnit: Remote code execution (GLSA 201711-15)
A vulnerability was discovered in PHPUnit which may allow an
unauthenticated remote attacker to execute arbitrary PHP code.
PHPUnit is a programmer-oriented testing framework for PHP. It is an
instance of the xUnit architecture for unit testing frameworks.
Vulnerable: < 5.7.15-r1
Unaffected: >= 5.7.15-r1
Architectures: All supported architectures
When PHPUnit is installed in a production environment via composer and
its modules are in a web-accessible directory, the eval-stdin.php file
in PHPUnit contains vulnerable statements that trigger the vulnerability.
A remote attacker could possibly execute arbitrary PHP code or cause a
Denial of Service condition.
There are several ways to fix or mitigate this vulnerability:
- Remove PHPUnit from the production environment.
- Update PHPUnit.
- Manually apply the patch.
- Disable direct access to the composer packages by placing a .htaccess file
in the /vendor folder.
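As an added example (not part of the advisory), the following Python audit walks a document root, reports every eval-stdin.php shipped under a composer vendor/ directory, and checks whether a .htaccess in vendor/ (or a parent inside the web root) denies access as the last workaround suggests. The demo directory layout it builds is constructed for illustration; the function names and the assumption that Apache honours .htaccess (AllowOverride) are mine.

```python
import os
import re
import tempfile

# Apache directives that refuse all requests (2.4 and 2.2 syntax).
DENY_RE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.I | re.M)


def htaccess_denies(directory: str, webroot: str) -> bool:
    """True if directory or an ancestor up to webroot has a denying .htaccess.
    Assumes AllowOverride permits .htaccess; this is a file check only."""
    webroot = os.path.abspath(webroot)
    current = os.path.abspath(directory)
    while True:
        path = os.path.join(current, ".htaccess")
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                if DENY_RE.search(fh.read()):
                    return True
        if current == webroot or not current.startswith(webroot):
            return False
        current = os.path.dirname(current)


def audit_webroot(webroot: str) -> list:
    """Return sorted (path, protected) pairs for eval-stdin.php under vendor/."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        if "eval-stdin.php" not in files:
            continue
        parts = os.path.relpath(dirpath, webroot).split(os.sep)
        if "vendor" not in parts:
            continue  # not a composer package tree; out of scope here
        vendor_dir = os.path.join(webroot, *parts[: parts.index("vendor") + 1])
        full = os.path.join(dirpath, "eval-stdin.php")
        findings.append((full, htaccess_denies(vendor_dir, webroot)))
    return sorted(findings)


def build_demo_root() -> str:
    """Constructed layout: 'shop' has a denying .htaccess in vendor/, 'blog' does not."""
    root = tempfile.mkdtemp(prefix="glsa-demo-")
    for site, protect in (("shop", True), ("blog", False)):
        target = os.path.join(root, site, "vendor", "phpunit", "phpunit", "src", "Util", "PHP")
        os.makedirs(target)
        open(os.path.join(target, "eval-stdin.php"), "w").close()
        if protect:
            with open(os.path.join(root, site, "vendor", ".htaccess"), "w") as fh:
                fh.write("Require all denied\n")
    return root


if __name__ == "__main__":
    for path, protected in audit_webroot(build_demo_root()):
        print(("OK   " if protected else "RISK ") + path)
```

Run it against a real document root instead of the demo tree; any RISK line is a file that the advisory's removal, upgrade or .htaccess workaround should make unreachable.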
All PHPUnit users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/phpunit-5.7.15-r1"
Last edited by GLSA on Mon Jan 15, 2018 4:17 am; edited 1 time in total