Publié
2016-02-02 02:12
The 4.6.11 release of CiviCRM addresses multiple vulnerabilities in DOMPDF, a library used within CiviCRM to generate PDFs.
For more information, see the DOMPDF release notes for DOMPDF v0.6.2
Security Risk
Moderately Critical
Vulnerability
Arbitrary PHP Code Execution
Information Disclosure
Other
Affected Versions
- CiviCRM before 4.6.11
Fixed Versions
- CiviCRM 4.6.11 and later
Solutions
- Upgrade to CiviCRM 4.6.11 or later, OR
-
Apply patches from CRM-17733:
- For 4.4, https://github.com/civicrm/civicrm-packages/pull/136
- For 4.6+, https://github.com/civicrm/civicrm-core/pull/7478
Credits
This issue was reported by Neil Drumm of the Drupal Security Team. The fix was co-ordinated by Tim Otten of CiviCRM, and Chris Burgess of Fuzion Aotearoa.
References
- https://github.com/dompdf/dompdf/releases/tag/v0.6.2
