progmaticltd / homebox

A set of ansible scripts to build a personal mail server / private cloud / etc.
https://homebox.space/
GNU General Public License v3.0
467 stars, 52 forks

CVE-2019-11043: PHP 7 Vulnerability, update to 7.2.24 needed #263

Closed robert6661 closed 4 years ago

robert6661 commented 4 years ago

https://bugs.php.net/bug.php?id=78599

Exploit is available here

I think by default homebox comes with PHP 7.0, which is vulnerable.

arodier commented 4 years ago

Homebox downloads the latest version of PHP, from Stretch, when installing. Actually, 7.0+49.

This vulnerability has been fixed both in Stretch and Buster: https://security-tracker.debian.org/tracker/CVE-2019-11043.

robert6661 commented 4 years ago

It does when you install it for the first time, but after that you have to manually update PHP.