CIVI-SA-2016-09: Risk of information disclosure in packaged library

Veröffentlicht
2016-06-01 14:13
Written by

A potential for information disclosure was identified in a packaged library, HTML TreeBuilder.

CiviCRM now patches the TreeBuilder library to direct debug output to the CiviCRM debug log, rather than to screen.

Security Risk
Less Critical
Vulnerability
Information Disclosure
Affected Versions

CiviCRM versions prior to 4.7.8 or 4.6.17

Fixed Versions

CiviCRM versions 4.7.8 or greater, or 4.6.17 or greater.

Solutions
  • Upgrade to CiviCRM 4.7.8 or greater, or 4.6.17 or greater
  • or, apply the patch @ https://github.com/civicrm/civicrm-core/pull/8419/commits/7c41f184adddeed484f3fee579e355d1a00f0dd9
Credits

Thanks to Hewlett Packard for reporting the issue, and to Tim Otten for the fix.

References

CRM-16898

CVE
CIVI-SA-2016-09