Adding CVE-2019-11043 with fixed versions 7.1.32 and 7.3.9.

[lightswitch05]

Adding CVE-2019-11043 with fixed versions 7.1.32 and 7.3.9. The CVE hasn't been published in a CVE database yet, so I'll update this pull request with the appropriate threat level and summary once its been published. This CVE allows remote code execution, so I expect it to have a high rating, but it does require a specific NGINX configuration to be exploitable.

Watching:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11043
• https://nvd.nist.gov/vuln/detail/CVE-2019-11043

Bug: http://bugs.php.net/78599

I'd also like to take a minute to point out that I would still be interested in implementing #32 if there is still any interest in maintaining this project or allowing others to continue the maintenance.

[enygma]

Thanks for the submission! So, do you want to just let me know on here when this is updated and I can handle that merge?

[lightswitch05]

Yes, I'll commit & comment once the missing details have been updated.

[lightswitch05]

This is kinda odd where there is still not an official entry days after the initial release and patch. I wonder if there is an argument to be made where the threat parameter can be left empty for RCE's so that a quick update can go out, and then the official threat value can be updated later once it is in the CVE database

[lightswitch05]

@enygma this is ready to merge

[lightswitch05]

@enygma - would you consider giving me merge privileges on this repo?

[colinodell]

I can merge this for now. I'll defer to @enygma on granting merge privileges. (IMO the more help the better but this isn't my repo 😛)