Debian Bug report logs - #662050
Multiple vulnerabilities


Package: phpldapadmin; Maintainer for phpldapadmin is Fabio Tranchitella <kobold@debian.org>; Source for phpldapadmin is src:phpldapadmin.

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Fri, 2 Mar 2012 13:21:04 UTC

Severity: grave

Tags: security

Fixed in version phpldapadmin/1.2.2-3

Done: Fabio Tranchitella <kobold@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Roland Gruber <post@rolandgruber.de>:
Bug#661904; Package ldap-account-manager. (Fri, 02 Mar 2012 13:21:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Roland Gruber <post@rolandgruber.de>. (Fri, 02 Mar 2012 13:21:12 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Multiple vulnerabilities
Date: Fri, 02 Mar 2012 14:16:45 +0100
Package: ldap-account-manager
Severity: grave
Tags: security

The following was reported to full-disclosure:
http://www.vulnerability-lab.com/get_content.php?id=458

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#661904; Package ldap-account-manager. (Fri, 02 Mar 2012 21:24:14 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roland Gruber <post@rolandgruber.de>:
Extra info received and forwarded to list. (Fri, 02 Mar 2012 21:24:14 GMT) Full text and rfc822 format available.

Message #10 received at 661904@bugs.debian.org (full text, mbox):

From: Roland Gruber <post@rolandgruber.de>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 661904@bugs.debian.org
Subject: Re: Bug#661904: Multiple vulnerabilities
Date: Fri, 02 Mar 2012 22:10:10 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

The first problem, in the user listing, cannot be reproduced:

* The filter value which should contain malicious code is correctly
sanitized with htmlspecialchars() in LAM 3.6 and 3.1.0-2 (stable).
* list.php-filter-Dateien/error.png is not a script that is included in LAM

The other points are under investigation. I will work on a patch.


Best regards

Roland



On 02.03.2012 14:16, Moritz Muehlenhoff wrote:
> Package: ldap-account-manager
> Severity: grave
> Tags: security
> 
> The following was reported to full-disclosure:
> http://www.vulnerability-lab.com/get_content.php?id=458
> 
> Cheers,
>         Moritz
> 
> 
> 

- -- 

Kind regards

Roland Gruber
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9RNyQACgkQq/ywNCsrGZ6k8QCeP9+Ii9eD0kj/5hJHVRUN/Zom
R2MAn2d38e0C8fAsJkinZRBE9RzILJ2W
=DPNE
-----END PGP SIGNATURE-----
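The message above states that the user-listing filter value is passed through htmlspecialchars() before being echoed. The following is an added example, not LAM or phpLDAPadmin code, showing the reflected-XSS pattern that check prevents: the function names, the HTML fragment and the probe string are all constructed for illustration.

```php
<?php
// Added example (not LAM/PLA code): echo a user-supplied LDAP search
// filter back into a listing page, first unsafely, then with the
// htmlspecialchars() treatment described in the bug thread.

// Vulnerable form: the filter string is written verbatim into an
// attribute value and into element text, so any quote or angle bracket
// in it is parsed as HTML rather than shown as data.
function render_filter_unsafe(string $filter): string
{
    return '<input name="filter" value="' . $filter . '">'
         . '<p>Current filter: ' . $filter . '</p>';
}

// Hardened form: encode for the HTML context before output. ENT_QUOTES
// also encodes single quotes, which matters inside attribute values;
// the charset is passed explicitly so the encoder never guesses it.
function render_filter_safe(string $filter): string
{
    $enc = htmlspecialchars($filter, ENT_QUOTES, 'UTF-8');
    return '<input name="filter" value="' . $enc . '">'
         . '<p>Current filter: ' . $enc . '</p>';
}

// Constructed probe: a plausible filter followed by a closing quote and
// a harmless tag, the shape a scanner uses to detect reflected XSS.
$probe = '(uid=*)"><b>marker</b>';

// The unsafe output contains the raw tag; the safe output does not.
$leaks = strpos(render_filter_unsafe($probe), '<b>') !== false;
$clean = strpos(render_filter_safe($probe), '<b>') === false;

echo "unsafe output reflects markup: " . ($leaks ? 'yes' : 'no') . "\n";
echo "encoded output reflects markup: " . ($clean ? 'no' : 'yes') . "\n";
```

The same check (search the rendered page for the unencoded probe) is how the reporter's claim against the listing page can be verified against a specific LAM release.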




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#661904; Package ldap-account-manager. (Sat, 03 Mar 2012 19:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roland Gruber <post@rolandgruber.de>:
Extra info received and forwarded to list. (Sat, 03 Mar 2012 19:57:03 GMT) Full text and rfc822 format available.

Message #15 received at 661904@bugs.debian.org (full text, mbox):

From: Roland Gruber <post@rolandgruber.de>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 661904@bugs.debian.org
Cc: Deon George <deon@wurley.net>
Subject: Re: Bug#661904: Multiple vulnerabilities
Date: Sat, 03 Mar 2012 20:52:43 +0100
clone 661904 -1
reassign -1 phpldapadmin

stop


This problem is located in the phpLDAPadmin part of LAM's code.
Therefore, the phpldapadmin package is also affected.

Patches for LAM upstream that may be ported to PLA:

http://lam.cvs.sourceforge.net/viewvc/lam/lam/templates/3rdParty/pla/lib/export_functions.php?r1=1.4&r2=1.5
http://lam.cvs.sourceforge.net/viewvc/lam/lam/templates/3rdParty/pla/htdocs/export.php?r1=1.1&r2=1.2
http://lam.cvs.sourceforge.net/viewvc/lam/lam/templates/3rdParty/pla/htdocs/add_value_form.php?r1=1.6&r2=1.7

Bug report with better description:

http://secunia.com/advisories/48221/


Best regards

Roland




Bug 661904 cloned as bug 662050. Request was from Roland Gruber <post@rolandgruber.de> to control@bugs.debian.org. (Sat, 03 Mar 2012 21:07:44 GMT) Full text and rfc822 format available.

Bug reassigned from package 'ldap-account-manager' to 'phpldapadmin'. Request was from Roland Gruber <post@rolandgruber.de> to control@bugs.debian.org. (Sat, 03 Mar 2012 21:07:47 GMT) Full text and rfc822 format available.

Reply sent to Fabio Tranchitella <kobold@debian.org>:
You have taken responsibility. (Thu, 08 Mar 2012 16:36:12 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Thu, 08 Mar 2012 16:36:13 GMT) Full text and rfc822 format available.

Message #24 received at 662050-close@bugs.debian.org (full text, mbox):

From: Fabio Tranchitella <kobold@debian.org>
To: 662050-close@bugs.debian.org
Subject: Bug#662050: fixed in phpldapadmin 1.2.2-3
Date: Thu, 08 Mar 2012 16:33:51 +0000
Source: phpldapadmin
Source-Version: 1.2.2-3

We believe that the bug you reported is fixed in the latest version of
phpldapadmin, which is due to be installed in the Debian FTP archive:

phpldapadmin_1.2.2-3.debian.tar.gz
  to main/p/phpldapadmin/phpldapadmin_1.2.2-3.debian.tar.gz
phpldapadmin_1.2.2-3.dsc
  to main/p/phpldapadmin/phpldapadmin_1.2.2-3.dsc
phpldapadmin_1.2.2-3_all.deb
  to main/p/phpldapadmin/phpldapadmin_1.2.2-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 662050@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabio Tranchitella <kobold@debian.org> (supplier of updated phpldapadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 08 Mar 2012 17:07:50 +0100
Source: phpldapadmin
Binary: phpldapadmin
Architecture: source all
Version: 1.2.2-3
Distribution: unstable
Urgency: high
Maintainer: Fabio Tranchitella <kobold@debian.org>
Changed-By: Fabio Tranchitella <kobold@debian.org>
Description: 
 phpldapadmin - web based interface for administering LDAP servers
Closes: 662050
Changes: 
 phpldapadmin (1.2.2-3) unstable; urgency=high
 .
   * debian/patches/upstream-XSS-2.patch: fixes XSS vulnerabilities.
     Patch provided by Roland Gruber <post@rolandgruber.de>.
     CVE-2012-1114, CVE-2012-1115 (Closes: #662050)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk9Y2msACgkQK/juK3+WFWRs/gCfQx8Nu1sSRq9HEUFq4NbkoXo3
H2cAn1sdGc6eJIPc6DW0Cd0chhbCz+qZ
=7BRJ
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Apr 2012 07:35:29 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 02:59:53 2014; Machine Name: buxtehude.debian.org
