GNU bug report logs -
#27808
PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Mon, 24 Jul 2017 18:58:01 UTC
Severity: normal
Tags: security
Done: Alex Sassmannshausen <alex <at> pompo.co>
Bug is archived. No further changes may be made.
Full log
Message #11 received at 27808 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Tue, Jul 25, 2017 at 05:26:35PM +0200, Alex Sassmannshausen wrote:
> Hi Leo,
>
> I've just submitted a patch to update PHP to version 7.1.7, which
> resolves the CVEs. Unfortunately PHP has 4 test errors on my machine
> (but also on the previous version), so I could not fully build it
> (disabling tests results in a working version of PHP).
I got this building with that patch:
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Test for DateTime::modify() with absolute time statements [ext/date/tests/date-time-modify-times.phpt]
Bug #74435 (Buffer over-read into uninitialized memory) [ext/gd/tests/bug74435.phpt]
Bug #70436: Use After Free Vulnerability in unserialize() [ext/standard/tests/strings/bug70436.phpt]
Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization [ext/standard/tests/strings/bug72663_3.phpt]
=====================================================================
[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 7 years and 337 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.