CIVI-SA-2016-11: Potential backtrace leak

An automated security audit (based on static code analysis of the CiviCRM codebase) indicated that a dependency (PEAR CLI from the "packages" folder) could potentially reveal semi-sensitive backtrace data if an attacker could run it and provoke an error.

An exploit of this has not been identified.

As a precautionary measure, CiviCRM v4.7.11 removes PEAR CLI.

Security Risk

Not Critical

Vulnerability

Information Disclosure

Affected Versions

Up through v4.6.20 and v4.7.10

Fixed Versions

v4.6.21+ and v4.7.11+

Solutions

Any ONE of the following:

Upgrade to CiviCRM v4.7.11+ or v4.6.21+
Delete the file "packages/PEAR/Frontend/CLI.php"

Credits

Chris Burgess (Fuzion)
Tim Otten (CiviCRM)
Seamus Lee (Australian Greens)

References

https://github.com/civicrm/civicrm-packages/pull/152 (minimalist patch; not used)
https://github.com/civicrm/civicrm-packages/pull/160 (4.7)
https://github.com/civicrm/civicrm-packages/pull/164 (4.6)

CIVI-SA-2016-11: Potential backtrace leak

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2016-11: Potential backtrace leak

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM