diff options
| author | Peter Korsgaard <peter@korsgaard.com> | 2018-12-08 00:09:14 +0100 |
|---|---|---|
| committer | Peter Korsgaard <peter@korsgaard.com> | 2018-12-08 10:55:53 +0100 |
| commit | 1af52321389f56cec4888389b2161cc1ee2bfaed (patch) | |
| tree | ab4d31d1a93808fd9b0bbe18aef7847c73b2c3ff /package/php/php.hash | |
| parent | 60eb2cec80e5258a0c43090f539749606744e182 (diff) | |
| download | buildroot-1af52321389f56cec4888389b2161cc1ee2bfaed.tar.gz buildroot-1af52321389f56cec4888389b2161cc1ee2bfaed.zip | |
php: security bump to version 7.2.13
Fixes CVE-2018-19518: University of Washington IMAP Toolkit 2007f on UNIX,
as used in imap_open() in PHP and other products, launches an rsh command
(by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen
function in osdep/unix/tcp_unix.c) without preventing argument injection,
which might allow remote attackers to execute arbitrary OS commands if the
IMAP server name is untrusted input (e.g., entered by a user of a web
application) and if rsh has been replaced by a program with different
argument semantics. For example, if rsh is a link to ssh (as seen on Debian
and Ubuntu systems), then the attack can use an IMAP server name containing
a "-oProxyCommand" argument.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diffstat (limited to 'package/php/php.hash')
| -rw-r--r-- | package/php/php.hash | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/package/php/php.hash b/package/php/php.hash index cea6997aa2..094977c548 100644 --- a/package/php/php.hash +++ b/package/php/php.hash @@ -1,5 +1,5 @@ # From http://php.net/downloads.php -sha256 989c04cc879ee71a5e1131db867f3c5102f1f7565f805e2bb8bde33f93147fe1 php-7.2.12.tar.xz +sha256 14b0429abdb46b65c843e5882c9a8c46b31dfbf279c747293b8ab950c2644a4b php-7.2.13.tar.xz # License file sha256 f689b8fa63bea7950ce6a21bf52ed88ea0d77673ee76e6de12f51191174d91b8 LICENSE |
