[SECURITY] [DLA 4470-1] phpunit security update
-----------------------------------------------------------------------
Debian LTS Advisory DLA-4470-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
February 06, 2026                           https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package        : phpunit
Version        : 9.5.2-1+deb11u1
CVE ID         : CVE-2026-24765

PHPUnit is a testing framework for PHP. A vulnerability has been
discovered involving unsafe deserialization of code coverage data in
PHPT test execution. The vulnerability exists in the
`cleanupForCoverage()` method, which deserializes code coverage files
without validation, potentially allowing remote code execution if
malicious `.coverage` files are present prior to the execution of the
PHPT test.

For Debian 11 bullseye, this problem has been fixed in version
9.5.2-1+deb11u1.

We recommend that you upgrade your phpunit packages.

For the detailed security status of phpunit please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/phpunit

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
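
Added example, not part of the advisory and not Debian's or PHPUnit's own code: a POSIX shell pre-flight check for a job that runs PHPT tests on Debian 11. It compares the installed phpunit package against the fixed version given above and refuses to proceed if any `.coverage` file already exists in the test tree. The function names and the `*.coverage` glob are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of DLA-4470-1): gate to run before PHPT tests start.
# FIXED_VERSION and the package name come from the advisory; function names are hypothetical.
FIXED_VERSION="9.5.2-1+deb11u1"   # fixed version for Debian 11 bullseye

# 0 = installed phpunit package is at or above the fixed version,
# 1 = installed but older, 2 = cannot tell (no dpkg, or package not installed).
phpunit_is_patched() {
    command -v dpkg-query >/dev/null 2>&1 || return 2
    _ver=$(dpkg-query -W -f='${Version}' phpunit 2>/dev/null) || return 2
    [ -n "$_ver" ] || return 2
    dpkg --compare-versions "$_ver" ge "$FIXED_VERSION"
}

# Lists *.coverage files (regular files or symlinks) already present under $1.
# Returns 1 if any exist, 0 if the tree is clean. Nothing is opened or parsed.
find_stale_coverage() {
    _hits=$(find "$1" \( -type f -o -type l \) -name '*.coverage' -print 2>/dev/null)
    if [ -n "$_hits" ]; then
        printf '%s\n' "$_hits"
        return 1
    fi
    return 0
}

# Gate: refuse to start the test run on an unpatched package or a dirty tree.
preflight() {
    _rc=0
    phpunit_is_patched || _rc=$?
    case $_rc in
        1) echo "phpunit older than $FIXED_VERSION: upgrade first" >&2; return 1 ;;
        2) echo "phpunit package version unknown: check manually" >&2 ;;
    esac
    if ! find_stale_coverage "$1" >&2; then
        echo "pre-existing .coverage files found: inspect and remove before testing" >&2
        return 1
    fi
    return 0
}

# Usage: sh preflight.sh path/to/tests
if [ $# -gt 0 ]; then preflight "$1"; fi
```

The glob also matches unrelated files whose names end in `.coverage`, so review what it reports before deleting anything.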