CVE-2017-7272 (retired)

Priority
Description
PHP through 7.1.11 enables potential SSRF in applications that accept an
fsockopen or pfsockopen hostname argument with an expectation that the port
number is constrained. Because a :port syntax is recognized, fsockopen will
use the port number that is specified in the hostname argument, instead of
the port number in the second argument of the function.
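
A check an application can apply to the hostname before calling fsockopen, when it relies on the second argument to fix the port. This is an added example, not code from PHP or from this tracker; `bare_host_or_null` and `open_fixed_port` are hypothetical names, the sample inputs are constructed, and IPv6 literals are deliberately rejected to keep the check narrow.

```php
<?php
/**
 * Return $host unchanged if it is a bare IPv4 address or DNS hostname,
 * otherwise null. Anything containing ':' (a port or a transport prefix
 * such as tcp://) fails both checks.
 */
function bare_host_or_null($host)
{
    if (!is_string($host) || $host === '' || strlen($host) > 253) {
        return null;
    }
    // Dotted-quad IPv4 literal with no port suffix.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return $host;
    }
    // DNS name: labels of letters, digits and hyphens separated by dots.
    // The D modifier stops '$' from matching before a trailing newline.
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    if (preg_match('/^' . $label . '(\.' . $label . ')*$/D', $host) === 1) {
        return $host;
    }
    return null;
}

/**
 * Open a TCP connection to $host on exactly $port.
 * Throws instead of connecting when $host carries anything but a host.
 */
function open_fixed_port($host, $port, $timeout = 5.0)
{
    $safe = bare_host_or_null($host);
    if ($safe === null) {
        throw new InvalidArgumentException('host must be a bare hostname or IPv4 address');
    }
    return fsockopen($safe, $port, $errno, $errstr, $timeout);
}

// Constructed inputs; only the validator runs here, no connection is made.
$samples = array('example.com', '192.0.2.10', '192.0.2.10:6379',
                 'example.com:22', 'tcp://example.com');
foreach ($samples as $h) {
    printf("%-20s %s\n", $h, bare_host_or_null($h) === null ? 'rejected' : 'accepted');
}
```
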
Notes
 mdeslaur> the change in behaviour broke applications relying on
 mdeslaur> undocumented behaviour so was reverted in subsequent releases
 mdeslaur> We will not be fixing this in stable releases. Marking as ignored.
Package
Source: php5 (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): ignored
Ubuntu 14.04 LTS (Trusty Tahr): ignored
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Package
Upstream: released (7.0.18)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): ignored
Patches:
Upstream: https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a
Package
Upstream: released (7.1.4)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
More Information

Updated: 2019-03-26 12:26:19 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)