Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding CVE-2019-11043 with fixed versions 7.1.32 and 7.3.9. #33

Merged
merged 3 commits into from Nov 4, 2019

Conversation

lightswitch05
Copy link
Contributor

@lightswitch05 lightswitch05 commented Oct 24, 2019

Adding CVE-2019-11043 with fixed versions 7.1.32 and 7.3.9. The CVE hasn't been published in a CVE database yet, so I'll update this pull request with the appropriate threat level and summary once its been published. This CVE allows remote code execution, so I expect it to have a high rating, but it does require a specific NGINX configuration to be exploitable.

Watching:

Bug: http://bugs.php.net/78599

I'd also like to take a minute to point out that I would still be interested in implementing #32 if there is still any interest in maintaining this project or allowing others to continue the maintenance.

…te again once the threat level and summary has been released
@enygma
Copy link
Member

@enygma enygma commented Oct 24, 2019

Thanks for the submission! So, do you want to just let me know on here when this is updated and I can handle that merge?

@lightswitch05
Copy link
Contributor Author

@lightswitch05 lightswitch05 commented Oct 24, 2019

Yes, I'll commit & comment once the missing details have been updated.

@lightswitch05
Copy link
Contributor Author

@lightswitch05 lightswitch05 commented Oct 25, 2019

This is kinda odd where there is still not an official entry days after the initial release and patch. I wonder if there is an argument to be made where the threat parameter can be left empty for RCE's so that a quick update can go out, and then the official threat value can be updated later once it is in the CVE database

@lightswitch05
Copy link
Contributor Author

@lightswitch05 lightswitch05 commented Nov 1, 2019

@enygma this is ready to merge

@lightswitch05
Copy link
Contributor Author

@lightswitch05 lightswitch05 commented Nov 4, 2019

@enygma - would you consider giving me merge privileges on this repo?

@colinodell
Copy link
Collaborator

@colinodell colinodell commented Nov 4, 2019

I can merge this for now. I'll defer to @enygma on granting merge privileges. (IMO the more help the better but this isn't my repo 😛)

@colinodell colinodell merged commit 81cee8a into psecio:master Nov 4, 2019
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants