Actions
Bug #6113
closed
Workaround for Poxy potential vulnerabilities on unpatched Apache CVE-2016-5387 and PHP CVE-2016-5385
Updated by beat over 7 years ago
- Target version changed from CB 2.0.15 to CB 2.1
Updated by krileon over 7 years ago
- Target version changed from CB 2.1 to CB 2.2
Updated by beat over 7 years ago
Btw, Guzzle 6.2.2 now has a fork for PHP 5.3: https://packagist.org/packages/ehough/guzzle
As it has a different namespace, both PHP 5.5 versions and PHP 5.3 versions can be packaged.
Not for 2.1.1, but adding the note here to keep it in mind.
Updated by beat over 7 years ago
- Status changed from Assigned to Resolved
- % Done changed from 0 to 100
Updated by beat over 7 years ago
- Description updated (diff)
- Private changed from Yes to No
In fact, that is an Apache PHP vulnerability, only exploitable in some scripts, and Guzzle's fix is just implementing the avoiding of this vulnerability.
After security assessment, we believe that this vulnerability is not exploitable in core CB, and also in none of our CB Add-on uses of Guzzle, due to a second layer of security in the protocols used.
Actions