Hi Chris,

On Fr 19 Jan 2018 03:52:29 CET, Chris Lamb wrote:

> Hi Mike,
>
>> Maybe you want to review the j-security patch and see if it applies to the wheezy version?
>
> It applies to the wheezy version; would you like me to go ahead and upload? :) That might be the expedient route to getting this into Debian LTS :)

If you can confirm that the patch in fact fixes the CVE we are trying to resolve, then yes, please go ahead with a Debian LTS upload.
The underlying topic of the patch is: add a file name into a PHP comment and if this file name contains "*/<some-php-code>" then this PHP code gets executed.

Mike
-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: firstname.lastname@example.org, http://das-netzwerkteam.de
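
The comment break-out described in the mail above, as an added example that is not part of the original message or of the patch under discussion: a constructed code generator that writes a file name into a PHP block comment, a variant that neutralises the comment terminator first, and a check built on PHP's own tokenizer. The function names, the header text and the sample file names are assumptions made for illustration.

```php
<?php
// Added example: a constructed generator, not the code of the package being patched.

// Vulnerable form: the file name is copied verbatim into a block comment
// at the top of a generated PHP file.
function header_unsafe(string $file): string
{
    return "<?php\n/* compiled from: {$file} */\n";
}

// Hardened form: break up any comment terminator in the name before
// embedding it, so the name cannot close the comment early.
function header_safe(string $file): string
{
    $clean = str_replace('*/', '* /', $file);
    return "<?php\n/* compiled from: {$clean} */\n";
}

// Regression check: lex the generated header with PHP's tokenizer and accept
// it only if it holds nothing but the open tag, comments and whitespace.
function is_comment_only(string $src): bool
{
    $allowed = [T_OPEN_TAG, T_COMMENT, T_DOC_COMMENT, T_WHITESPACE];
    foreach (token_get_all($src) as $tok) {
        // Single-character tokens (such as ';') are plain strings: real code.
        if (!is_array($tok) || !in_array($tok[0], $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names: one ordinary, one that closes the comment early
// and is followed by a harmless statement.
$names = ['index.tpl', 'x.tpl*/ echo "injected"; /*'];

foreach ($names as $name) {
    printf(
        "%-30s unsafe header comment-only: %s, safe header comment-only: %s\n",
        $name,
        var_export(is_comment_only(header_unsafe($name)), true),
        var_export(is_comment_only(header_safe($name)), true)
    );
}
```

Running the same tokenizer check against the real generated file, before and after applying a candidate patch, is one way to confirm that the patch closes the comment break-out.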