CVE-2017-7272 (retired)

Priority
Description
PHP through 7.1.11 enables potential SSRF in applications that accept an
fsockopen or pfsockopen hostname argument with an expectation that the port
number is constrained. Because a :port syntax is recognized, fsockopen will
use the port number that is specified in the hostname argument, instead of
the port number in the second argument of the function.
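One way an application can enforce the port constraint described above, as an added example (not code from PHP or from this tracker entry): the function names `normalize_socket_host` and `open_fixed_port` are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example; normalize_socket_host() and open_fixed_port() are
// hypothetical helper names, not part of PHP.

/**
 * Return a host string that is safe to hand to fsockopen(), or null.
 * Only a bare DNS name or IP literal is accepted; anything carrying a
 * ":port" suffix, a "scheme://" prefix, a path or whitespace is rejected.
 */
function normalize_socket_host(string $host): ?string
{
    // IPv4 literal: pass through unchanged.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return $host;
    }
    // IPv6 literal: colons are part of the address, so bracket it, which is
    // the form PHP's socket transports use for IPv6 addresses.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        return '[' . $host . ']';
    }
    // DNS name: FILTER_FLAG_HOSTNAME limits labels to letters, digits and
    // hyphens, so ":" and "/" can never appear in an accepted value.
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false) {
        return $host;
    }
    return null;
}

/** Open a TCP connection to a caller-supplied host on a port we choose. */
function open_fixed_port(string $userHost, int $port, float $timeout = 5.0)
{
    $host = normalize_socket_host($userHost);
    if ($host === null) {
        throw new InvalidArgumentException('host must be a bare hostname or IP address');
    }
    return fsockopen($host, $port, $errno, $errstr, $timeout);
}

// Constructed sample inputs: the first three are accepted, the rest rejected.
$samples = ['example.com', '192.0.2.10', '2001:db8::1',
            'example.com:6379', 'tcp://example.com:22', "example.com\n:25"];
foreach ($samples as $candidate) {
    printf("%-24s => %s\n", json_encode($candidate),
           var_export(normalize_socket_host($candidate), true));
}
```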
Notes
mdeslaur: the change in behaviour broke applications relying on
undocumented behaviour so was reverted in subsequent releases.
We will not be fixing this in stable releases. Marking as ignored.
Package
Source: php5
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): ignored
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Package
Upstream: released (7.0.18)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 16.04 LTS (Xenial Xerus): ignored
Patches:
Upstream: https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a
Package
Upstream: released (7.1.4)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Updated: 2019-10-09 08:01:33 UTC (commit 33aea848a182c0afcd0a3f927a01a7ecd9a061ee)