Debian Bug report logs - #449103
CVE-2007-5728: Cross-site scripting (XSS) vulnerability

Package: phppgadmin; Maintainer for phppgadmin is Christoph Berg <myon@debian.org>; Source for phppgadmin is src:phppgadmin.

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Sat, 3 Nov 2007 00:48:01 UTC

Severity: important

Tags: security

Fixed in version phppgadmin/4.1.3-0.1

Done: Tobias Klauser <tklauser@access.unizh.ch>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Isaac Clerencia <isaac@debian.org>:
Bug#449103; Package phppgadmin.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Isaac Clerencia <isaac@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-5728: Cross-site scripting (XSS) vulnerability
Date: Sat, 03 Nov 2007 11:54:39 +1100
Package: phppgadmin
Severity: important
Tags: security

Hi Isaac

Could you please check if the following CVE[0] affects the Debian
versions?

CVE-2007-5728:

Cross-site scripting (XSS) vulnerability in phpPgAdmin 3.5 to 4.1.1, and
possibly 4.1.2, allows remote attackers to inject arbitrary web script
or HTML via certain input available in PHP_SELF in (1) redirect.php,
possibly related to (2) login.php, different vectors than CVE-2007-2865.


Thanks for your efforts.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5728
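
The bug class named in the CVE text above (client input reaching the page through PHP_SELF), shown as an added illustration; this is not phpPgAdmin's code or its upstream fix. The function names, the `$server` array standing in for `$_SERVER`, and the `/phppgadmin/` install path are assumptions made for the example.

```php
<?php
// Added illustration, not phpPgAdmin code. All function names are hypothetical.

// Unsafe pattern: PHP_SELF is the script path plus any extra path text the
// client appended after the script name, so echoing it unescaped into an
// HTML attribute reflects client-controlled characters into the page.
function form_action_unsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened pattern A: keep PHP_SELF but escape it for the attribute context.
// ENT_QUOTES encodes both quote styles, so the value cannot close the attribute.
function form_action_escaped(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Hardened pattern B: use SCRIPT_NAME, which carries only the script path
// without the appended path text, and still escape on output.
function form_action_script_name(array $server): string
{
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Constructed sample values for a request that appends extra path text after
// redirect.php. The markup is a harmless marker used only to show reflection.
$server = [
    'SCRIPT_NAME' => '/phppgadmin/redirect.php',
    'PHP_SELF'    => '/phppgadmin/redirect.php/"><b>marker</b>',
];

echo form_action_unsafe($server), "\n";      // marker markup appears verbatim
echo form_action_escaped($server), "\n";     // marker is entity-encoded
echo form_action_script_name($server), "\n"; // marker is absent
```

When auditing a code base for this pattern, every output of `$_SERVER['PHP_SELF']` (and of `REQUEST_URI` or `PATH_INFO`) is a candidate, not only form actions.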




Information forwarded to debian-bugs-dist@lists.debian.org, Isaac Clerencia <isaac@debian.org>:
Bug#449103; Package phppgadmin.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Isaac Clerencia <isaac@debian.org>.

Message #10 received at 449103@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 449103@bugs.debian.org
Subject: Re: CVE-2007-5728: Cross-site scripting (XSS) vulnerability
Date: Mon, 5 Nov 2007 12:13:52 +0100
Hi,
please just package the current upstream version (4.1.3)
which contains fixes for this.
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Isaac Clerencia <isaac@debian.org>:
Bug#449103; Package phppgadmin.

Acknowledgement sent to Tobias Klauser <tklauser@access.unizh.ch>:
Extra info received and forwarded to list. Copy sent to Isaac Clerencia <isaac@debian.org>.

Message #15 received at 449103@bugs.debian.org:

From: Tobias Klauser <tklauser@access.unizh.ch>
To: 449103@bugs.debian.org
Subject: NMU diff for #449103
Date: Sun, 13 Jan 2008 18:35:38 +0100
Hi,

Attached you'll find the NMU diff for phppgadmin 4.1.3-0.1

Cheers, Tobias
[449103-NMU.diff (text/x-diff, attachment)]

Reply sent to Tobias Klauser <tklauser@access.unizh.ch>:
You have taken responsibility.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.

Message #20 received at 449103-close@bugs.debian.org:

From: Tobias Klauser <tklauser@access.unizh.ch>
To: 449103-close@bugs.debian.org
Subject: Bug#449103: fixed in phppgadmin 4.1.3-0.1
Date: Sun, 13 Jan 2008 18:02:05 +0000
Source: phppgadmin
Source-Version: 4.1.3-0.1

We believe that the bug you reported is fixed in the latest version of
phppgadmin, which is due to be installed in the Debian FTP archive:

phppgadmin_4.1.3-0.1.diff.gz
  to pool/main/p/phppgadmin/phppgadmin_4.1.3-0.1.diff.gz
phppgadmin_4.1.3-0.1.dsc
  to pool/main/p/phppgadmin/phppgadmin_4.1.3-0.1.dsc
phppgadmin_4.1.3-0.1_all.deb
  to pool/main/p/phppgadmin/phppgadmin_4.1.3-0.1_all.deb
phppgadmin_4.1.3.orig.tar.gz
  to pool/main/p/phppgadmin/phppgadmin_4.1.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 449103@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Klauser <tklauser@access.unizh.ch> (supplier of updated phppgadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 13 Jan 2008 17:52:27 +0100
Source: phppgadmin
Binary: phppgadmin
Architecture: source all
Version: 4.1.3-0.1
Distribution: unstable
Urgency: low
Maintainer: Isaac Clerencia <isaac@debian.org>
Changed-By: Tobias Klauser <tklauser@access.unizh.ch>
Description: 
 phppgadmin - Set of PHP scripts to administrate PostgreSQL over the WWW
Closes: 449103
Changes: 
 phppgadmin (4.1.3-0.1) unstable; urgency=low
 .
   * Non-maintainer upload from the Zurich BSP.
   * Fixes cross-site scripting vulnerability (CVE 2007-5728), closes: #449103.
     The only changes introduced upstream with this version were to fix this
     bug.
Files: 
 8833eae4bc9ab59ae6c3cdb70e422aaf 588 web extra phppgadmin_4.1.3-0.1.dsc
 051ab45cdf2f9cdcd0d95a16fff48094 818934 web extra phppgadmin_4.1.3.orig.tar.gz
 02e532c4f4c89667f3d97e233fb83104 13363 web extra phppgadmin_4.1.3-0.1.diff.gz
 f506ca58df695730ffe6a162a579a12d 808384 web extra phppgadmin_4.1.3-0.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHik+S+C5cwEsrK54RAjQdAKChsLDxuqvtYerjOXiTyyWKsmGMYACfQbzs
FqGeW1LgYLkKS0rG2G++JBE=
=jw/x
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Feb 2008 07:25:55 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 09:56:47 2014; Machine Name: beach.debian.org
