Detections
Analytics
Fedora 25 : php-pear-PHP-CodeSniffer (2017-ca3f01bd37)
high Nessus Plugin ID 97683
Language:
Synopsis
The remote Fedora host is missing a security update.Description
**Version 2.8.1**- This release contains a fix for a security advisory related to the improper handling of shell commands
- Uses of shell_exec() and exec() were not escaping filenames and configuration settings in most cases
- A properly crafted filename or configuration option would allow for arbitrary code execution when using some features
- All users are encouraged to upgrade to this version, especially if you are checking 3rd-party code
- e.g., you run PHPCS over libraries that you did not write
- e.g., you provide a web service that runs PHPCS over user-uploaded files or 3rd-party repositories
- e.g., you allow external tool paths to be set by user-defined values
- If you are unable to upgrade but you check 3rd-party code, ensure you are not using the following features :
- The diff report
- The notify-send report
- The Generic.PHP.Syntax sniff
- The Generic.Debug.CSSLint sniff
- The Generic.Debug.ClosureLinter sniff
- The Generic.Debug.JSHint sniff
- The Squiz.Debug.JSLint sniff
- The Squiz.Debug.JavaScriptLint sniff
- The Zend.Debug.CodeAnalyzer sniff
- Thanks to Klaus Purer for the report
- The PHP-supplied T_COALESCE_EQUAL token has been replicated for PHP versions before 7.2
- PEAR.Functions.FunctionDeclaration now reports an error for blank lines found inside a function declaration
- PEAR.Functions.FunctionDeclaration no longer reports indent errors for blank lines in a function declaration
- Squiz.Functions.MultiLineFunctionDeclaration no longer reports errors for blank lines in a function declaration
- It would previously report that only one argument is allowed per line
- Squiz.Commenting.FunctionComment now corrects multi-line param comment padding more accurately
- Squiz.Commenting.FunctionComment now properly fixes pipe-separated param types
- Squiz.Commenting.FunctionComment now works correctly when function return types also contain a comment
- Thanks to Juliette Reinders Folmer for the patch
- Squiz.ControlStructures.InlineIfDeclaration now supports the elvis operator
- As this is not a real PHP operator, it enforces no spaces between ? and : when the THEN statement is empty
- Squiz.ControlStructures.InlineIfDeclaration is now able to fix the spacing errors it reports
- Fixed bug #1340 : STDIN file contents not being populated in some cases
- Thanks to David Bi?ovec for the patch
- Fixed bug #1344 :
PEAR.Functions.FunctionCallSignatureSniff throws error for blank comment lines
- Fixed bug #1347 : PSR2.Methods.FunctionCallSignature strips some comments during fixing
- Thanks to Algirdas Gurevicius for the patch
- Fixed bug #1349 :
Squiz.Strings.DoubleQuoteUsage.NotRequired message is badly formatted when string contains a CR newline char
- Thanks to Algirdas Gurevicius for the patch
- Fixed bug #1350 : Invalid Squiz.Formatting.OperatorBracket error when using namespaces
- Fixed bug #1369 : Empty line in multi-line function declaration cause infinite loop
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Solution
Update the affected php-pear-PHP-CodeSniffer package.See Also
https://bodhi.fedoraproject.org/updates/FEDORA-2017-ca3f01bd37
Plugin Details
Severity: High
ID: 97683
File Name: fedora_2017-ca3f01bd37.nasl
Version: 3.5
Type: local
Agent: unix
Family: Fedora Local Security Checks
Published: 3/13/2017
Updated: 1/6/2021
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Vulnerability Information
CPE: p-cpe:/a:fedoraproject:fedora:php-pear-php-codesniffer, cpe:/o:fedoraproject:fedora:25
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list
Patch Publication Date: 3/10/2017
Vulnerability Publication Date: 3/10/2017
Reference Information
FEDORA: 2017-ca3f01bd37