Debian alert DLA-4470-1 (phpunit)
From: Utkarsh Gupta <guptautkarsh2102@gmail.com>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4470-1] phpunit security update
Date: Fri, 06 Feb 2026 16:56:18 +0530
Message-ID: <CAPP0f95a4tWv2Qb2sw3XjRkSKeghyoWaMkZGFvzuO2xGv_LAqw@mail.gmail.com>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4470-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Utkarsh Gupta
February 06, 2026                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : phpunit
Version        : 9.5.2-1+deb11u1
CVE ID         : CVE-2026-24765

PHPUnit is a testing framework for PHP. A vulnerability has been
discovered involving unsafe deserialization of code coverage data in
PHPT test execution. The vulnerability exists in the
`cleanupForCoverage()` method, which deserializes code coverage files
without validation, potentially allowing remote code execution if
malicious `.coverage` files are present prior to the execution of the
PHPT test.

For Debian 11 bullseye, this problem has been fixed in version
9.5.2-1+deb11u1.

We recommend that you upgrade your phpunit packages.

For the detailed security status of phpunit please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/phpunit

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
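
A pre-run check for the condition the advisory describes, as an added example that is not part of the advisory or of PHPUnit: it compares the installed phpunit package with the fixed version and lists `.coverage` files already present in a test tree before any PHPT test runs. The function names and the choice to scan a whole directory tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-run checks for CVE-2026-24765 on Debian 11 bullseye.
# Not Debian's or PHPUnit's code; function names are hypothetical.

FIXED_VERSION='9.5.2-1+deb11u1'   # fixed version stated in the advisory

# Return 0 if the installed phpunit package is at or above the fixed
# version, 1 if it is older, 2 if the package is not installed.
phpunit_is_patched() {
    installed=$(dpkg-query -W -f='${Version}' phpunit 2>/dev/null) || return 2
    [ -n "$installed" ] || return 2
    dpkg --compare-versions "$installed" ge "$FIXED_VERSION"
}

# Print every regular file or symlink ending in .coverage under $1.
# A file like this existing before the test run is the precondition
# named in the advisory, so a clean checkout should contain none.
find_stale_coverage() {
    find "$1" \( -type f -o -type l \) -name '*.coverage' -print 2>/dev/null | sort
}

# Return 0 when the tree is clean, 1 when pre-existing .coverage files
# were found (they are listed on stderr for the CI log).
check_tree() {
    hits=$(find_stale_coverage "$1")
    if [ -n "$hits" ]; then
        printf 'pre-existing coverage files in %s:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}
```

In a CI job, run `check_tree` on the checked-out test directory before invoking phpunit and fail the job on a non-zero return; `phpunit_is_patched` only applies on hosts that use the Debian package.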
