Adding CVE-2019-11043 with fixed versions 7.1.32 and 7.3.9. #33

Merged
merged 3 commits into from Nov 4, 2019

@lightswitch05
Contributor

lightswitch05 commented Oct 24, 2019

Adding CVE-2019-11043 with fixed versions 7.1.32 and 7.3.9. The CVE hasn't been published in a CVE database yet, so I'll update this pull request with the appropriate threat level and summary once it's been published. This CVE allows remote code execution, so I expect it to have a high rating, but it does require a specific NGINX configuration to be exploitable.

Watching:

Bug: http://bugs.php.net/78599

I'd also like to take a minute to point out that I would still be interested in implementing #32 if there is still any interest in maintaining this project or allowing others to continue the maintenance.

…te again once the threat level and summary has been released
@enygma

Member

enygma commented Oct 24, 2019

Thanks for the submission! So, do you want to just let me know on here when this is updated and I can handle that merge?

@lightswitch05

Contributor Author

lightswitch05 commented Oct 24, 2019

Yes, I'll commit & comment once the missing details have been updated.

@lightswitch05

Contributor Author

lightswitch05 commented Oct 25, 2019

This is kinda odd where there is still not an official entry days after the initial release and patch. I wonder if there is an argument to be made where the threat parameter can be left empty for RCEs so that a quick update can go out, and then the official threat value can be updated later once it is in the CVE database.

@lightswitch05

Contributor Author

lightswitch05 commented Nov 1, 2019

@enygma this is ready to merge

@lightswitch05

Contributor Author

lightswitch05 commented Nov 4, 2019

@enygma - would you consider giving me merge privileges on this repo?

@colinodell

Collaborator

colinodell commented Nov 4, 2019

I can merge this for now. I'll defer to @enygma on granting merge privileges. (IMO the more help the better but this isn't my repo 😛)

@colinodell colinodell merged commit 81cee8a into psecio:master Nov 4, 2019
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed