CVE-2018-19274
- An attacker with control over a founder admin account could escalate to remote code execution by abusing PHP’s default unserialization of metadata in Phar files. More information about this technique can be found here [1].
- Fixed in 3.2.4

[1] https://blog.ripstech.com/2018/new-php-exploitation-technique/
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=87065954b8372c4ce06d42d09cc7b7311a42e8b2

commit 87065954b8372c4ce06d42d09cc7b7311a42e8b2
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2019-06-24 21:29:31 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2019-06-24 21:29:31 +0000

    www-apps/phpBB: Drop old and vulnerable 3.1.10

    Bug: https://bugs.gentoo.org/678512
    Package-Manager: Portage-2.3.67, Repoman-2.3.13
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 www-apps/phpBB/Manifest               |  1 -
 www-apps/phpBB/phpBB-3.1.10-r1.ebuild | 42 -----------------------------------
 2 files changed, 43 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7180d5f150295b7a8f5fd492a637f8a7b10f0253

commit 7180d5f150295b7a8f5fd492a637f8a7b10f0253
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2019-06-24 21:27:39 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2019-06-24 21:27:39 +0000

    www-apps/phpBB: Version bump to 3.2.7

    Bug: https://bugs.gentoo.org/678512
    Closes: https://bugs.gentoo.org/615182
    Package-Manager: Portage-2.3.67, Repoman-2.3.13
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 www-apps/phpBB/Manifest                 |  1 +
 www-apps/phpBB/files/permissions        | 19 +++++++++++++
 www-apps/phpBB/files/postinstall-en.txt | 30 ++++++++------------
 www-apps/phpBB/metadata.xml             | 11 ++++++++
 www-apps/phpBB/phpBB-3.2.7.ebuild       | 50 +++++++++++++++++++++++++++++++++
 5 files changed, 92 insertions(+), 19 deletions(-)
Tree is clean.