Debian Bug report logs - #622674
CVE-2011-1522: SQL injection

version graph

Package: doctrine; Maintainer for doctrine is Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>; Source for doctrine is src:doctrine.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 13 Apr 2011 18:48:04 UTC

Severity: grave

Tags: security

Fixed in versions doctrine/1.2.2-2+squeeze1, doctrine/1.2.4-1

Done: Luk Claes <luk@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Symfony Maintainers <pkg-symfony-maint@lists.alioth.debian.org>:
Bug#622674; Package doctrine. (Wed, 13 Apr 2011 18:48:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Symfony Maintainers <pkg-symfony-maint@lists.alioth.debian.org>. (Wed, 13 Apr 2011 18:48:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-1522: SQL injection
Date: Wed, 13 Apr 2011 20:45:47 +0200
Package: doctrine
Severity: grave
Tags: security

Please see http://www.doctrine-project.org/blog/doctrine-security-fix  

This has been assigned CVE-2011-1522.

Cheers,
        Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Symfony Maintainers <pkg-symfony-maint@lists.alioth.debian.org>:
Bug#622674; Package doctrine. (Thu, 14 Apr 2011 06:09:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Federico Gimenez Nieto <fgimenez@coit.es>:
Extra info received and forwarded to list. Copy sent to Debian Symfony Maintainers <pkg-symfony-maint@lists.alioth.debian.org>. (Thu, 14 Apr 2011 06:09:05 GMT) Full text and rfc822 format available.

Message #10 received at 622674@bugs.debian.org (full text, mbox):

From: Federico Gimenez Nieto <fgimenez@coit.es>
To: Moritz Muehlenhoff <jmm@debian.org>, 622674@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: [Pkg-symfony-maint] Bug#622674: CVE-2011-1522: SQL injection
Date: Thu, 14 Apr 2011 07:40:17 +0200
[Message part 1 (text/plain, inline)]
Hi, thanks for your bug report. I'll try to prepare a fixed package as soon as posible.

Cheers,
Federico

On 04/13/2011 08:45 PM, Moritz Muehlenhoff wrote:
> Package: doctrine
> Severity: grave
> Tags: security
> 
> Please see http://www.doctrine-project.org/blog/doctrine-security-fix  
> 
> This has been assigned CVE-2011-1522.
> 
> Cheers,
>         Moritz
> 
> -- System Information:
> Debian Release: wheezy/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 2.6.38-1-amd64 (SMP w/2 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> 
> 
> _______________________________________________
> Pkg-symfony-maint mailing list
> Pkg-symfony-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-symfony-maint
> 

-- 
Federico Giménez Nieto
fgimenez@coit.es


[signature.asc (application/pgp-signature, attachment)]

Added tag(s) pending. Request was from Federico Gimenez Nieto <fgimenez@coit.es> to control@bugs.debian.org. (Thu, 14 Apr 2011 06:09:12 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Symfony Maintainers <pkg-symfony-maint@lists.alioth.debian.org>:
Bug#622674; Package doctrine. (Mon, 18 Apr 2011 06:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Federico Gimenez Nieto <fgimenez@coit.es>:
Extra info received and forwarded to list. Copy sent to Debian Symfony Maintainers <pkg-symfony-maint@lists.alioth.debian.org>. (Mon, 18 Apr 2011 06:09:03 GMT) Full text and rfc822 format available.

Message #17 received at 622674@bugs.debian.org (full text, mbox):

From: Federico Gimenez Nieto <fgimenez@coit.es>
To: 622674@bugs.debian.org, security@debian.org
Subject: Updated package due to bug 622674, CVE 2011-1522
Date: Mon, 18 Apr 2011 08:04:13 +0200
[Message part 1 (text/plain, inline)]
Hi, i am one of the maintainers of the doctrine debian package. A security related bug has arised
recently [1] and i've prepared a new package following upstream recomendations [2]. The fix involves
upgrading to a new upstream version, i've tested it and all seems to work fine, although i don't
know if this is acceptable for a security issue in the debian stable distribution.

It is uploaded at mentors [3], please, let me know if all is in good shape. I'm not sure if things
are done properly, for example, as long as it is targeted to stable-security, i've built the package
on stable...

Thanks a lot, cheers
Federico

[1] http://bugs.debian.org/622674
[2] http://www.doctrine-project.org/blog/doctrine-security-fix
[3] http://mentors.debian.net/debian/pool/main/d/doctrine/doctrine_1.2.4-1.dsc




[signature.asc (application/pgp-signature, attachment)]

Reply sent to Federico Gimenez Nieto <fgimenez@coit.es>:
You have taken responsibility. (Thu, 21 Apr 2011 01:57:10 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 21 Apr 2011 01:57:10 GMT) Full text and rfc822 format available.

Message #22 received at 622674-close@bugs.debian.org (full text, mbox):

From: Federico Gimenez Nieto <fgimenez@coit.es>
To: 622674-close@bugs.debian.org
Subject: Bug#622674: fixed in doctrine 1.2.2-2+squeeze1
Date: Thu, 21 Apr 2011 01:55:13 +0000
Source: doctrine
Source-Version: 1.2.2-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
doctrine, which is due to be installed in the Debian FTP archive:

doctrine_1.2.2-2+squeeze1.debian.tar.gz
  to main/d/doctrine/doctrine_1.2.2-2+squeeze1.debian.tar.gz
doctrine_1.2.2-2+squeeze1.dsc
  to main/d/doctrine/doctrine_1.2.2-2+squeeze1.dsc
doctrine_1.2.2-2+squeeze1_all.deb
  to main/d/doctrine/doctrine_1.2.2-2+squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 622674@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Federico Gimenez Nieto <fgimenez@coit.es> (supplier of updated doctrine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 19 Apr 2011 18:06:50 +0200
Source: doctrine
Binary: doctrine
Architecture: source all
Version: 1.2.2-2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Symfony Maintainers <pkg-symfony-maint@lists.alioth.debian.org>
Changed-By: Federico Gimenez Nieto <fgimenez@coit.es>
Description: 
 doctrine   - Tool for object-relational mapping in PHP
Closes: 622674
Changes: 
 doctrine (1.2.2-2+squeeze1) stable-security; urgency=high
 .
   * Applied fixes from 1.2.4 upstream version due to CVE 2011-1522
     (closes: #622674)
Checksums-Sha1: 
 ce2f2be94ee59ef9452b27195c900cf93ac8bef3 1583 doctrine_1.2.2-2+squeeze1.dsc
 b5099a77163e18579f52b34ff55423c58ddc29ea 663317 doctrine_1.2.2.orig.tar.gz
 e5771b09278ff018baf6b8f2f09740f71d1bbc2b 4880 doctrine_1.2.2-2+squeeze1.debian.tar.gz
 fb74ad2f74f32a8ec5af57e5e87f9a7a9b3bdcf3 389686 doctrine_1.2.2-2+squeeze1_all.deb
Checksums-Sha256: 
 31f82051eab40e64ed7b14e1332c88482aae2ab1b59c83b612f70b6e016643ac 1583 doctrine_1.2.2-2+squeeze1.dsc
 cc89493bd3c8fea694286972bd49d0146f72275eb51f7e98e920502f128579b8 663317 doctrine_1.2.2.orig.tar.gz
 f470c5fb0649facdc1e056885b937b3e497237fa0fed2f36beda046a21368ca4 4880 doctrine_1.2.2-2+squeeze1.debian.tar.gz
 30aecbcc7fde8e8c9a6600da4f598809ab2ac9e77e14031437689efa6b156e49 389686 doctrine_1.2.2-2+squeeze1_all.deb
Files: 
 735a8be329287a29cccc104209d74146 1583 php optional doctrine_1.2.2-2+squeeze1.dsc
 a82734fad4476da2d42def97c5e7c898 663317 php optional doctrine_1.2.2.orig.tar.gz
 55bc8dcaa70165d3612ce4aefb20053b 4880 php optional doctrine_1.2.2-2+squeeze1.debian.tar.gz
 0c7e8cf6b573dff875ff35a16719c9a3 389686 php optional doctrine_1.2.2-2+squeeze1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJNryXEAAoJEL97/wQC1SS+48YIAJD/R5i/idmgeMSCLYGT0ref
4iLyrs1yreDVVQOAA0/j/jDtmA4y2z78Rdd/r0Rl6PCxO53pxO55XSYVE1vQmK8e
GPZnc/LYoEcoPdGAG/nQB5CFGGZoeFj3hBZbOvwOwc/A3/Ea+86AslUGVDAIDgzQ
uGiqFskO9ETRnjCZC1oIL+pwp9Vsx/9eUWqiY4V4lF3RimiTPnuUTT5XCmebBZm6
+pNT21CzM2+1EjweSy3/hR1vVc8n22VNNGlpGNp0ftnj26uv5Q8lo6L8p2lZ6FO4
JL4rSnLHn3agDGRaZMDm1umpqpZwkIh3zd84Hjz69s7GexQYgEkHKwt1fsI9smY=
=RyG5
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jul 2011 07:37:13 GMT) Full text and rfc822 format available.

Bug unarchived. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Thu, 29 Dec 2011 21:33:08 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 1.2.4-1, send any further explanations to Moritz Muehlenhoff <jmm@debian.org> Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Thu, 29 Dec 2011 21:33:09 GMT) Full text and rfc822 format available.

Bug archived. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Thu, 29 Dec 2011 21:33:09 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 20:44:11 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.