libphp-adodb: CVE-2016-7405: incorrect quoting may allow SQL injection

Related Vulnerabilities: CVE-2016-7405   CVE-2016-4855  

Debian Bug report logs - #837211
libphp-adodb: CVE-2016-7405: incorrect quoting may allow SQL injection


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 10 Sep 2016 05:54:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version libphp-adodb/5.15-1

Fixed in version libphp-adodb/5.20.6-1

Done: Jean-Michel Vourgère <nirgal@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/ADOdb/ADOdb/issues/226




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cameron Dale <camrdale@gmail.com>:
Bug#837211; Package src:libphp-adodb. (Sat, 10 Sep 2016 05:54:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Cameron Dale <camrdale@gmail.com>. (Sat, 10 Sep 2016 05:54:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libphp-adodb: incorrect quoting may allow SQL injection
Date: Sat, 10 Sep 2016 07:50:02 +0200
Source: libphp-adodb
Version: 5.15-1
Severity: important
Tags: security upstream patch
Forwarded: https://github.com/ADOdb/ADOdb/issues/226

Hi

Please see [0] for details. A CVE was requested at [1]. There is a
patch upstream [2] which should go in the next upstream version. I
marked this as no-dsa for now, and could be fixed via a point release,
since it's in the PDO driver only and only if queries are built by
inlining the quoted string, both not recommended. Let us know please
if you do not agree.

Regards,
Salvatore

[0] https://github.com/ADOdb/ADOdb/issues/226
[1] http://www.openwall.com/lists/oss-security/2016/09/07/8
[2] https://github.com/ADOdb/ADOdb/commit/bd9eca9
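The two query-building patterns the report contrasts, as an added illustration (this is not ADOdb's own code, nor the upstream patch, and it does not reproduce the specific quoting defect, which the report does not describe). It uses ADOdb's real public calls qstr(), Execute() and GetOne(); the include path, the sqlite DSN passed to Connect(), the users table and the sample rows are assumptions for the example only.

```php
<?php
// Added example: the same lookup written the discouraged way (quoted
// string spliced into the SQL text) and the recommended way (placeholder
// plus input array). Only the first depends on qstr() being correct for
// every special character of the backend, which is the exposure the
// report describes for the PDO driver.

require_once 'adodb5/adodb.inc.php';          // include path: assumption

$db = NewADOConnection('pdo');
$db->Connect('sqlite:/tmp/example.db', '', ''); // DSN form: assumption
$db->Execute('CREATE TABLE IF NOT EXISTS users (name TEXT, email TEXT)');
$db->Execute('INSERT INTO users VALUES (?, ?)', array("o'brien", 'ob@example.org'));
$db->Execute('INSERT INTO users VALUES (?, ?)', array('root', 'root@example.org'));

// Discouraged: escaping-based quoting inlined into the statement text.
// If qstr() mishandles any character, that character becomes SQL syntax.
function findUserInlined($db, $name)
{
    $sql = 'SELECT email FROM users WHERE name = ' . $db->qstr($name);
    return $db->GetOne($sql);
}

// Recommended: the value is bound through the input array and never
// becomes part of the SQL string, so no quoting function is involved.
function findUserBound($db, $name)
{
    return $db->GetOne('SELECT email FROM users WHERE name = ?', array($name));
}

// Attacker-shaped input (constructed) through both paths. With a correct
// qstr() both return false (no such name); with a defective qstr() only
// the bound variant is guaranteed to stay a plain equality comparison.
$input = "o'brien' OR name = 'root";
var_dump(findUserInlined($db, $input));
var_dump(findUserBound($db, $input));
```

Auditing a code base for exposure therefore comes down to finding places where the return value of qstr() (or of Quote/qStr aliases) is concatenated into a query string on a PDO connection; call sites that pass an input array to Execute(), GetOne(), GetAll() and friends are unaffected regardless of the driver's quoting.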



Reply sent to Jean-Michel Vourgère <nirgal@debian.org>:
You have taken responsibility. (Sat, 10 Sep 2016 17:21:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 10 Sep 2016 17:21:09 GMT)


Message #10 received at 837211-close@bugs.debian.org:

From: Jean-Michel Vourgère <nirgal@debian.org>
To: 837211-close@bugs.debian.org
Subject: Bug#837211: fixed in libphp-adodb 5.20.6-1
Date: Sat, 10 Sep 2016 17:18:33 +0000
Source: libphp-adodb
Source-Version: 5.20.6-1

We believe that the bug you reported is fixed in the latest version of
libphp-adodb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 837211@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jean-Michel Vourgère <nirgal@debian.org> (supplier of updated libphp-adodb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 10 Sep 2016 18:41:17 +0200
Source: libphp-adodb
Binary: libphp-adodb
Architecture: source all
Version: 5.20.6-1
Distribution: unstable
Urgency: high
Maintainer: Cameron Dale <camrdale@gmail.com>
Changed-By: Jean-Michel Vourgère <nirgal@debian.org>
Description:
 libphp-adodb - ${phpcomposer:description}
Closes: 837211
Changes:
 libphp-adodb (5.20.6-1) unstable; urgency=high
 .
   * New upstream version fixing CVE-2016-4855.
   * New patch pdo-qstr-sql-injection. (Closes: #837211)
   * Dropped Suggests: on removed php-adodb package.
   * Bumped policy to 3.9.8. No change required.
Checksums-Sha1:
 aba88f0bc2e0dc9a9a2285d399123ad8992d82ea 1974 libphp-adodb_5.20.6-1.dsc
 71b963d2e8c523b2539e269a6bd1f9ed1a05f973 461685 libphp-adodb_5.20.6.orig.tar.gz
 b19941c5642d060208a247d15147e9820e30aa42 13500 libphp-adodb_5.20.6-1.debian.tar.xz
 8c84e2ee21ee636ea64efb0254433983d15a701f 361354 libphp-adodb_5.20.6-1_all.deb
Checksums-Sha256:
 ceec18b55bc52abec5e93140570f15ade9b1e99f4170917e145a1e3f6bd75de2 1974 libphp-adodb_5.20.6-1.dsc
 65d29a0dc38d90786309ce0b13c07598dd942c069dc3e29731b570c9bf41c1c7 461685 libphp-adodb_5.20.6.orig.tar.gz
 493b215a218096fd298968d4d8f5e9cde0af701f5422c565427233507bd69cd1 13500 libphp-adodb_5.20.6-1.debian.tar.xz
 e295fc28a4c0f9ccdb3d78c5880fa0e38ca9f7fb71500f6ea91c529b13849909 361354 libphp-adodb_5.20.6-1_all.deb
Files:
 19e1dabff03b10cc6c01a4d0f839e2b4 1974 php optional libphp-adodb_5.20.6-1.dsc
 15eeb4cf28228776bfa9474bd744cb62 461685 php optional libphp-adodb_5.20.6.orig.tar.gz
 069b7b0ab55439e7dcaf4b5b7649980d 13500 php optional libphp-adodb_5.20.6-1.debian.tar.xz
 46cc8237ab5b4c7f9abb3a42073c3eb6 361354 php optional libphp-adodb_5.20.6-1_all.deb





Changed Bug title to 'libphp-adodb: CVE-2016-7405: incorrect quoting may allow SQL injection' from 'libphp-adodb: incorrect quoting may allow SQL injection'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 15 Sep 2016 05:21:10 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 26 Oct 2016 07:27:43 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:32:07 2019; Machine Name: buxtehude
