Debian Bug report logs - #658907
CVE-2012-0834: XSS

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Mon, 6 Feb 2012 17:57:03 UTC

Severity: grave

Tags: security

Fixed in version phpldapadmin/1.2.2-2

Done: Fabio Tranchitella <kobold@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Fabio Tranchitella <kobold@debian.org>:
Bug#658907; Package phpldapadmin. (Mon, 06 Feb 2012 17:57:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Fabio Tranchitella <kobold@debian.org>. (Mon, 06 Feb 2012 17:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-0834: XSS
Date: Mon, 06 Feb 2012 18:54:19 +0100
Package: phpldapadmin
Severity: grave
Tags: security

Hi,
this is CVE-2012-0834:
http://sourceforge.net/tracker/index.php?func=detail&aid=3477910&group_id=61828&atid=498546

Fix:
http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin;a=commit;h=7dc8d57d6952fe681cb9e8818df7f103220457bd

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Fabio Tranchitella <kobold@debian.org>:
Bug#658907; Package phpldapadmin. (Tue, 07 Feb 2012 21:54:03 GMT)


Acknowledgement sent to Arno Töll <debian@toell.net>:
Extra info received and forwarded to list. Copy sent to Fabio Tranchitella <kobold@debian.org>. (Tue, 07 Feb 2012 21:54:03 GMT)


Message #10 received at 658907@bugs.debian.org:

From: Arno Töll <debian@toell.net>
To: 658907@bugs.debian.org
Subject: RE: CVE-2012-0834: XSS
Date: Tue, 07 Feb 2012 22:51:57 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FWIW: Debian Mentors has a ready NMU which fixes the problem. The NMU
itself might not be suitable as such, but it fixes CVE-2012-0834 for
Sid [1][2].

[1] http://lists.debian.org/debian-mentors/2012/02/msg00203.html
[2] http://mentors.debian.net/package/phpldapadmin

- -- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPMZz9AAoJEMcrUe6dgPNtytQQAITxv4T3sj1xVtDy+A8gLXVm
N2fuRM8TS0fIEUSQu93jMj7PakssrfGkgwHkHaS7TEW9QiKzfeqGh42+eAtbtwLK
sUG0EYXOJWLeOEadE4VcR8o1v7XR9W9dtKhYdo7TlLKZOcId45omh4LTu9a74Few
TQRSd73X34iMXtshHeBYEIOVLxMA7u8mqxpR0XYQZu8b+/2kmadQ0qdjVKapI3R5
MtfGOFy1dFh6novVpsZn0LkozQRQwXbafaFv00MEKIx7OoRGSnP3+GAvee0lWaJV
hHgQANqMDWzL5WE335y1AJIu7hLKYKGawCpJCRv3bBRLrxdTz/z+PEb6ZInI2A8G
89DbiCb/QBbzbYPimxVb2EUyzYtxK3vWR7BL4EfRmPatl3TENOon4qepzYG/TL/O
Kunqhkjfx+XevZguCQQKaoK7RKpf7NpW+D+pLxld8KstFmYjAVeeibY1ewxasJw1
4J1VAEtWpobxODRrT8jVJPEXjNdBuf8Cyicu5pWUW7C+k57ER4bSivXtf5BwNuog
X5PRlS8EZSJEr4WUMmLvstve9/OnVK6YlnYZ3B1OOvQAEEIRuMWrEqUXMJigs5cs
D+biynSlOh0MJ9ZaUf+2CK3DGoPaIq41hbLeea/4mO/psXSs5m/1w00rTmAERwPj
HDU+m+ZlOkESoR/4g1ea
=0U8z
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Fabio Tranchitella <kobold@debian.org>:
Bug#658907; Package phpldapadmin. (Sun, 19 Feb 2012 14:18:06 GMT)


Acknowledgement sent to Marcus Osdoba <marcus.osdoba@googlemail.com>:
Extra info received and forwarded to list. Copy sent to Fabio Tranchitella <kobold@debian.org>. (Sun, 19 Feb 2012 14:18:06 GMT)


Message #15 received at 658907@bugs.debian.org:

From: Marcus Osdoba <marcus.osdoba@googlemail.com>
To: 658907@bugs.debian.org
Subject: XSS in phpldapadmin already fixed in new version
Date: Sun, 19 Feb 2012 15:16:22 +0100
Hi,

This fix is already included in version
phpldapadmin (1.2.2-1) unstable; urgency=low
[...]
   * SF Bug #3477910 - XSS vulnerability in query
[...]

See also 
https://gitorious.org/debian/pkg-phpldapadmin/blobs/master/phpldapadmin-1.2.2/debian/patches/upstream-XSS.patch

The version is already included as normal maintainer upload in Sid:
http://packages.debian.org/changelogs/pool/main/p/phpldapadmin/phpldapadmin_1.2.2-1/changelog

Regards,
Marcus




Reply sent to Fabio Tranchitella <kobold@debian.org>:
You have taken responsibility. (Wed, 22 Feb 2012 08:54:03 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 22 Feb 2012 08:54:09 GMT)


Message #20 received at 658907-close@bugs.debian.org:

From: Fabio Tranchitella <kobold@debian.org>
To: 658907-close@bugs.debian.org
Subject: Bug#658907: fixed in phpldapadmin 1.2.2-2
Date: Wed, 22 Feb 2012 08:47:36 +0000
Source: phpldapadmin
Source-Version: 1.2.2-2

We believe that the bug you reported is fixed in the latest version of
phpldapadmin, which is due to be installed in the Debian FTP archive:

phpldapadmin_1.2.2-2.debian.tar.gz
  to main/p/phpldapadmin/phpldapadmin_1.2.2-2.debian.tar.gz
phpldapadmin_1.2.2-2.dsc
  to main/p/phpldapadmin/phpldapadmin_1.2.2-2.dsc
phpldapadmin_1.2.2-2_all.deb
  to main/p/phpldapadmin/phpldapadmin_1.2.2-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 658907@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabio Tranchitella <kobold@debian.org> (supplier of updated phpldapadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 22 Feb 2012 08:45:48 +0100
Source: phpldapadmin
Binary: phpldapadmin
Architecture: source all
Version: 1.2.2-2
Distribution: unstable
Urgency: low
Maintainer: Fabio Tranchitella <kobold@debian.org>
Changed-By: Fabio Tranchitella <kobold@debian.org>
Description: 
 phpldapadmin - web based interface for administering LDAP servers
Closes: 561387 652221 658907 659411 659445 659477 659572 660024 660225 660234 660703 660709
Changes: 
 phpldapadmin (1.2.2-2) unstable; urgency=low
 .
   [ Marcus Osdoba ]
   * Not reproducible (Closes: #561387)
   * Fix pending l10n issues. Debconf translations:
     - French (Christian Perrier). Closes: #659411
     - Danish (Joe Dalton) Closes: #659445
     - Polish (Michał Kułach). Closes: #659477
     - Czech (Miroslav Kure) Closes: #659572
     - Dutch (Jeroen Schot) Closes: #660225
     - Russian (Yuri Kozlov) Closes: #660234
     - Portuguese (Traduz) Closes: #660703
     - German (Matthias Julius) Closes: #660709
   * CVE-2012-0834: XSS (Closes: #658907)
     (already included in last version SF Bug #3477910)
   * it.po with mailing address debian-l10n-italian (Closes: #660024)
   * Line 390 includes the closing comment already (Closes: #652221)
 .
   [ Fabio Tranchitella ]
   * Added Marcus Osdoba as Uploader.
Checksums-Sha1: 
 7906308590313bd91cf4c2d9259dfcbf56e8ecbb 1145 phpldapadmin_1.2.2-2.dsc
 43c08af5a7f36f79ed94f70efe1057c762b310cf 29463 phpldapadmin_1.2.2-2.debian.tar.gz
 067d7102d059ca21382e7343dec72bb6705999d1 1290854 phpldapadmin_1.2.2-2_all.deb
Checksums-Sha256: 
 b31e25582ad59c1072268a15391c3b7f30d10310b5952f8472019712a0581af8 1145 phpldapadmin_1.2.2-2.dsc
 ddff2c0fc145412e0ab6a59f3bfab2968e41f75349a1922ac82155c158060fa6 29463 phpldapadmin_1.2.2-2.debian.tar.gz
 89d0bac2a5bab2a6a629760add325cb68bea0dbd6416619d8948ea2c1df8b496 1290854 phpldapadmin_1.2.2-2_all.deb
Files: 
 e8f36fcaabfd8e09e5ec5a172702cc1c 1145 admin extra phpldapadmin_1.2.2-2.dsc
 770f2cd0cdbe6493e77cabe1bbc84716 29463 admin extra phpldapadmin_1.2.2-2.debian.tar.gz
 270f7a5d54467fbcdf6a215cf517568a 1290854 admin extra phpldapadmin_1.2.2-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk9Ent8ACgkQK/juK3+WFWRBNACfW23bSk7vgOdCN+BSQGwRpkeh
V9IAoJF30zL6/L2Bz3r63TXxt2ZA3vXC
=SUHj
-----END PGP SIGNATURE-----
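Two checks a reader takes from this log, written out as an added illustration (this is not code from Debian, from the phpLDAPadmin project, or from anyone in the thread). First: Message #15 and the 1.2.2-2 changelog both say the XSS fix (SF Bug #3477910) actually shipped in 1.2.2-1, with 1.2.2-2 only adding the CVE reference, so the installed version must sort at or above 1.2.2-1 under Debian's version ordering; the comparison below reimplements the dpkg algorithm, including the point that a backport such as 1.2.2-1~bpo60+1 sorts below 1.2.2-1. Second: a downloaded artifact should match the Checksums-Sha256 field of the signed .changes file reproduced above; that field is copied from the page, while the sample payload and its entry are constructed for the demonstration.

```python
"""Added illustration: Debian version comparison against the fixing upload,
and verification of an artifact against a .changes Checksums-Sha256 field."""
import hashlib

# From the bug log: the fix shipped in 1.2.2-1; 1.2.2-2 only records the CVE.
FIRST_FIXED_VERSION = "1.2.2-1"


def _order(c):
    """dpkg character weight: '~' < end of string < letters < anything else.
    Digits never reach a decision here, so they weigh the same as end of string."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream-version or debian-revision string as dpkg does:
    alternate non-digit runs (weighted character order) and digit runs
    (numeric value, so leading zeros do not matter).  Returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = a[i] if i < len(a) else ""
            cb = b[j] if j < len(b) else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
            i += 1
            j += 1
        sa, sb = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[sa:i] or "0"), int(b[sb:j] or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        head, _, version = version.partition(":")
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Same result as `dpkg --compare-versions`: -1 if a < b, 0 if equal, 1 if a > b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_fixed(installed, first_fixed=FIRST_FIXED_VERSION):
    """True when the installed version sorts at or above the fixing upload."""
    return compare_versions(installed, first_fixed) >= 0


# Checksums-Sha256 field copied from the phpldapadmin 1.2.2-2 .changes above.
CHANGES_CHECKSUMS = """\
Checksums-Sha256:
 b31e25582ad59c1072268a15391c3b7f30d10310b5952f8472019712a0581af8 1145 phpldapadmin_1.2.2-2.dsc
 ddff2c0fc145412e0ab6a59f3bfab2968e41f75349a1922ac82155c158060fa6 29463 phpldapadmin_1.2.2-2.debian.tar.gz
 89d0bac2a5bab2a6a629760add325cb68bea0dbd6416619d8948ea2c1df8b496 1290854 phpldapadmin_1.2.2-2_all.deb
Files:
 e8f36fcaabfd8e09e5ec5a172702cc1c 1145 admin extra phpldapadmin_1.2.2-2.dsc
"""


def parse_sha256_stanza(changes_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field.
    Continuation lines are indented by one space; the next field ends it."""
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):
                break
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
    return entries


def verify_artifact(name, data, expected):
    """True only if both size and SHA-256 of `data` match the .changes entry;
    the .changes file is what the maintainer signed, so a match ties the
    artifact to that signature.  Unknown names and size mismatches fail fast."""
    if name not in expected:
        return False
    digest, size = expected[name]
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


# Constructed sample payload and the entry a .changes file would carry for it.
SAMPLE_DATA = b"constructed stand-in for phpldapadmin_1.2.2-2_all.deb\n"
SAMPLE_EXPECTED = {"sample_all.deb": (hashlib.sha256(SAMPLE_DATA).hexdigest(), len(SAMPLE_DATA))}


if __name__ == "__main__":
    for v in ("1.2.1-1", "1.2.2-1", "1.2.2-1~bpo60+1", "1.2.2-1.1", "1.2.2-2"):
        print(f"{v:18} fixed={is_fixed(v)}")
    print(parse_sha256_stanza(CHANGES_CHECKSUMS)["phpldapadmin_1.2.2-2_all.deb"])
    print(verify_artifact("sample_all.deb", SAMPLE_DATA, SAMPLE_EXPECTED))
```

On a real host the installed version comes from `dpkg-query -W -f '${Version}' phpldapadmin`, and the .changes checksums are only meaningful after the signature on the .changes file itself has been verified against the maintainer's key.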





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 22 Mar 2012 07:35:06 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:44:25 2019; Machine Name: beach
