Debian Bug report logs - #358872
libphp-adodb: Multiple cross-site scripting (XSS) vulnerabilities


Package: libphp-adodb; Maintainer for libphp-adodb is Cameron Dale <camrdale@gmail.com>; Source for libphp-adodb is src:libphp-adodb.

Reported by: Cameron Dale <camrdale@gmail.com>

Date: Fri, 24 Mar 2006 22:18:05 UTC

Severity: grave

Tags: fixed, security

Found in version libphp-adodb/4.52-1

Fixed in version 4.72-0.1

Done: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Thorsten Sauter <tsauter@debian.org>:
Bug#358872; Package libphp-adodb.

Acknowledgement sent to Cameron Dale <camrdale@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Thorsten Sauter <tsauter@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Cameron Dale <camrdale@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libphp-adodb: Multiple cross-site scripting (XSS) vulnerabilities
Date: Fri, 24 Mar 2006 14:00:56 -0800
Package: libphp-adodb
Version: 4.72-0.1
Severity: grave
Tags: security
Justification: user security hole


Another vulnerability:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0806

See also:

http://www.securityfocus.com/archive/1/archive/1/425393/100/0/threaded

Is fixed in 4.72:

http://sourceforge.net/project/shownotes.php?release_id=395252&group_id=42718



-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-k7
Locale: LANG=en_CA, LC_CTYPE=en_CA (charmap=ISO-8859-1)

Versions of packages libphp-adodb depends on:
ii  debconf [debconf-2.0]         1.4.70     Debian configuration management sy
ii  libapache2-mod-php5 [phpapi-2 5.1.2-1    server-side, HTML-embedded scripti
ii  php4-cgi [phpapi-20050606]    4:4.4.2-1  server-side, HTML-embedded scripti
ii  php5-cli [phpapi-20051025]    5.1.2-1    command-line interpreter for the p

Versions of packages libphp-adodb recommends:
ii  php4-mysql                    4:4.4.2-1  MySQL module for php4
pn  php4-odbc | php5-odbc         <none>     (no description available)
ii  php4-pgsql                    4:4.4.2-1  PostgreSQL module for php4
pn  php4-sybase | php5-sybase     <none>     (no description available)
ii  php5-mysql                    5.1.2-1    MySQL module for php5
ii  php5-pgsql                    5.1.2-1    PostgreSQL module for php5

-- debconf information:
* libphp-adodb/pathmove:



Bug marked as not found in version 4.72-0.1. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Bug marked as found in version 4.52-1. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Thorsten Sauter <tsauter@debian.org>:
Bug#358872; Package libphp-adodb.

Acknowledgement sent to Cameron Dale <camrdale@gmail.com>:
Extra info received and forwarded to list. Copy sent to Thorsten Sauter <tsauter@debian.org>.

Message #14 received at 358872@bugs.debian.org:

From: Cameron Dale <camrdale@gmail.com>
To: 358872@bugs.debian.org
Subject: Re: Processed: notfound 358872 in 4.72-0.1, found 358872 in 4.52-1
Date: Sat, 25 Mar 2006 12:15:50 -0800
Debian Bug Tracking System wrote:
> Processing commands for control@bugs.debian.org:
> 
>> # Automatically generated email from bts, devscripts version 2.9.15
>> notfound 358872 4.72-0.1
> Bug#358872: libphp-adodb: Multiple cross-site scripting (XSS) vulnerabilities
> Bug marked as not found in version 4.72-0.1.
> 
>>  # I assume; but not in the version that is claimed to fix it...
>> found 358872 4.52-1
> Bug#358872: libphp-adodb: Multiple cross-site scripting (XSS) vulnerabilities
> Bug marked as found in version 4.52-1.
> 
> End of message, stopping processing here.
> 
> Please contact me if you need assistance.
> 
> Debian bug tracking system administrator
> (administrator, Debian Bugs database)
> 
> 
> 

Oops, looks like I submitted the bug on my locally created package
instead of the proper one. The current version in testing and unstable
(4.64-4) does suffer from this bug as well as the version in stable
(4.52-1).

Sorry.

-- 
Cameron Dale
camrdale@gmail.com


Tags added: fixed. Request was from Micah Anderson <micah@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Thorsten Sauter <tsauter@debian.org>:
Bug#358872; Package libphp-adodb.

Acknowledgement sent to Cameron Dale <camrdale@gmail.com>:
Extra info received and forwarded to list. Copy sent to Thorsten Sauter <tsauter@debian.org>.

Message #21 received at 358872@bugs.debian.org:

From: Cameron Dale <camrdale@gmail.com>
To: 358872@bugs.debian.org
Subject: Re: Bug#358872: libphp-adodb: Multiple cross-site scripting (XSS) vulnerabilities
Date: Sat, 1 Apr 2006 13:11:25 -0800
Attached is a patch I have prepared that backports the fix of this
vulnerability to the version in sarge (4.52-1).

-- 

Cameron Dale
[04_adodb-pager.inc.php.patch (text/plain, attachment)]

Bug marked as fixed in version 4.72-0.1, send any further explanations to Cameron Dale <camrdale@gmail.com>. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org.

Message sent on to Cameron Dale <camrdale@gmail.com>:
Bug#358872.

Message #26 received at 358872-submitter@bugs.debian.org:

From: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>
To: 358872-submitter@bugs.debian.org
Subject: Debian bug #358872
Date: Thu, 26 Oct 2006 20:33:35 +0100
Hi,

You should have recently received (or will soon receive) an e-mail
telling you that I've closed Debian bug #358872 in the libphp-adodb 
package, which you reported.

Due to the fact that the package was uploaded by someone who does not
normally do so, the bug was marked as "fixed" rather than closed.

Debian's bug tracking system now allows for this information to be
recorded in a more useful manner, enabling these bugs to be closed.

Due to the volume of bugs affected by this change, we are unfortunately
not sending individualized explanations for each bug. If you have
questions about the fix for your particular bug or about this email,
please contact me directly or follow up to the bug report in the Debian
BTS.

[It's possible you may receive multiple messages stating that the bug
was fixed in several different versions of the package. There are two
common reasons for this:

  - the bug was fixed in one version but subsequently found to exist
    in a later version

  - the bug existed in multiple distributions (for instance, "unstable"
    and "stable") and was thus fixed in a separate upload to each
    distribution
]

Regards,

Adam



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 12:06:13 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 00:33:54 2014; Machine Name: buxtehude.debian.org
