Project

General

Profile

Actions

Bug #6113

closed

Workaround for Poxy potential vulnerabilities on unpatched Apache CVE-2016-5387 and PHP CVE-2016-5385

Added by beat over 8 years ago. Updated almost 8 years ago.

Status:
Closed
Priority:
Immediate
Assignee:
Target version:
Start date:
22 July 2016
Due date:
% Done:

100%

Estimated time:
Actions #1

Updated by beat over 8 years ago

  • Target version changed from CB 2.0.15 to CB 2.1
Actions #2

Updated by krileon about 8 years ago

  • Target version changed from CB 2.1 to CB 2.2
Actions #3

Updated by beat almost 8 years ago

  • Target version changed from CB 2.2 to CB 2.1.1
Actions #4

Updated by beat almost 8 years ago

Btw, Guzzle 6.2.2 now has a fork for PHP 5.3: https://packagist.org/packages/ehough/guzzle
As it has a different namespace, both PHP 5.5 versions and PHP 5.3 versions can be packaged.

Not for 2.1.1, but adding the note here to keep it in mind.

Actions #5

Updated by beat almost 8 years ago

Fixed in MR !1224

Actions #6

Updated by beat almost 8 years ago

  • Status changed from Assigned to Resolved
  • % Done changed from 0 to 100
Actions #7

Updated by beat almost 8 years ago

  • Description updated (diff)
  • Private changed from Yes to No

In fact, that is an Apache PHP vulnerability, only exploitable in some scripts, and Guzzle's fix is just implementing the avoiding of this vulnerability.

After security assessment, we believe that this vulnerability is not exploitable in core CB, and also in none of our CB Add-on uses of Guzzle, due to a second layer of security in the protocols used.

Actions #8

Updated by beat almost 8 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF