An automated security audit (based on static code analysis of the CiviCRM codebase) indicated that a dependency (PEAR CLI from the "packages" folder) could reveal semi-sensitive backtrace data if an attacker could run it and provoke an error.
An exploit of this has not been identified.
As a precautionary measure, CiviCRM v4.7.11 removes PEAR CLI.
Affected versions: up through v4.6.20 and v4.7.10
Fixed versions: v4.6.21+ and v4.7.11+
Any ONE of the following:
- Upgrade to CiviCRM v4.7.11+ or v4.6.21+
- Delete the file "packages/PEAR/Frontend/CLI.php"
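A small audit helper, added here as an example and not part of the advisory or of CiviCRM itself, that encodes the version ranges and the file path above so a site can be checked for both remediation routes. The version boundaries and the path come from this advisory; the `demo()` tree is a constructed sample, not a real install.

```python
import os
import re
import shutil
import tempfile

# Version boundaries from the advisory: the removal ships in 4.6.21 and 4.7.11.
FIXED_IN = {(4, 6): (4, 6, 21), (4, 7): (4, 7, 11)}
# File named in the advisory's manual remediation step.
PEAR_CLI_PATH = os.path.join("packages", "PEAR", "Frontend", "CLI.php")

def parse_version(text):
    """Turn '4.7.10' or 'v4.6.21' into a comparable tuple of ints."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised CiviCRM version: %r" % text)
    return tuple(int(p) for p in m.groups())

def version_is_affected(version):
    """True when the release predates the PEAR CLI removal on its branch."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        # Branches before 4.6 never received the fix; later ones were cut after it.
        return v[:2] < (4, 6)
    return v < fixed

def check_install(root, version):
    """Return (needs_action, reason) for the CiviCRM tree at `root`; the file check decides."""
    cli_path = os.path.join(root, PEAR_CLI_PATH)
    if os.path.isfile(cli_path):
        return True, "PEAR CLI present at %s: delete it or upgrade" % cli_path
    if version_is_affected(version):
        return False, "affected version %s, but CLI.php is already removed" % version
    return False, "version %s is not affected" % version

def demo():
    """Constructed sample tree, not a real install: check before and after deleting CLI.php."""
    root = tempfile.mkdtemp()
    try:
        cli_path = os.path.join(root, PEAR_CLI_PATH)
        os.makedirs(os.path.dirname(cli_path))
        open(cli_path, "w").close()
        before, _ = check_install(root, "4.7.10")
        os.remove(cli_path)  # the advisory's manual mitigation
        after, _ = check_install(root, "4.7.10")
        return before, after
    finally:
        shutil.rmtree(root)
```

Point `check_install` at the CiviCRM root and pass the version string reported by the site; an install on a fixed version that still carries the file is flagged, because the file, not the version number, is what exposes the backtrace.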
Credits:
- Chris Burgess (Fuzion)
- Tim Otten (CiviCRM)
- Seamus Lee (Australian Greens)
Patches:
- https://github.com/civicrm/civicrm-packages/pull/152 (minimalist patch; not used)
- https://github.com/civicrm/civicrm-packages/pull/160 (4.7)
- https://github.com/civicrm/civicrm-packages/pull/164 (4.6)