Debian Bug report logs - #622674
CVE-2011-1522: SQL injection

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 13 Apr 2011 18:48:04 UTC

Severity: grave

Tags: security

Fixed in versions doctrine/1.2.2-2+squeeze1, doctrine/1.2.4-1

Done: Luk Claes <luk@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Symfony Maintainers <pkg-symfony-maint@lists.alioth.debian.org>:
Bug#622674; Package doctrine. (Wed, 13 Apr 2011 18:48:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Symfony Maintainers <pkg-symfony-maint@lists.alioth.debian.org>. (Wed, 13 Apr 2011 18:48:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-1522: SQL injection
Date: Wed, 13 Apr 2011 20:45:47 +0200
Package: doctrine
Severity: grave
Tags: security

Please see http://www.doctrine-project.org/blog/doctrine-security-fix  

This has been assigned CVE-2011-1522.

Cheers,
        Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Symfony Maintainers <pkg-symfony-maint@lists.alioth.debian.org>:
Bug#622674; Package doctrine. (Thu, 14 Apr 2011 06:09:05 GMT)


Acknowledgement sent to Federico Gimenez Nieto <fgimenez@coit.es>:
Extra info received and forwarded to list. Copy sent to Debian Symfony Maintainers <pkg-symfony-maint@lists.alioth.debian.org>. (Thu, 14 Apr 2011 06:09:05 GMT)


Message #10 received at 622674@bugs.debian.org:

From: Federico Gimenez Nieto <fgimenez@coit.es>
To: Moritz Muehlenhoff <jmm@debian.org>, 622674@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: [Pkg-symfony-maint] Bug#622674: CVE-2011-1522: SQL injection
Date: Thu, 14 Apr 2011 07:40:17 +0200
Hi, thanks for your bug report. I'll try to prepare a fixed package as soon as possible.

Cheers,
Federico

On 04/13/2011 08:45 PM, Moritz Muehlenhoff wrote:
> Package: doctrine
> Severity: grave
> Tags: security
> 
> Please see http://www.doctrine-project.org/blog/doctrine-security-fix  
> 
> This has been assigned CVE-2011-1522.
> 
> Cheers,
>         Moritz
> 
> -- System Information:
> Debian Release: wheezy/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 2.6.38-1-amd64 (SMP w/2 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> 
> 
> _______________________________________________
> Pkg-symfony-maint mailing list
> Pkg-symfony-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-symfony-maint
> 

-- 
Federico Giménez Nieto
fgimenez@coit.es



Added tag(s) pending. Request was from Federico Gimenez Nieto <fgimenez@coit.es> to control@bugs.debian.org. (Thu, 14 Apr 2011 06:09:12 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Symfony Maintainers <pkg-symfony-maint@lists.alioth.debian.org>:
Bug#622674; Package doctrine. (Mon, 18 Apr 2011 06:09:03 GMT)


Acknowledgement sent to Federico Gimenez Nieto <fgimenez@coit.es>:
Extra info received and forwarded to list. Copy sent to Debian Symfony Maintainers <pkg-symfony-maint@lists.alioth.debian.org>. (Mon, 18 Apr 2011 06:09:03 GMT)


Message #17 received at 622674@bugs.debian.org:

From: Federico Gimenez Nieto <fgimenez@coit.es>
To: 622674@bugs.debian.org, security@debian.org
Subject: Updated package due to bug 622674, CVE 2011-1522
Date: Mon, 18 Apr 2011 08:04:13 +0200
Hi, I am one of the maintainers of the doctrine Debian package. A security related bug has arisen
recently [1] and I've prepared a new package following upstream recommendations [2]. The fix involves
upgrading to a new upstream version, I've tested it and all seems to work fine, although I don't
know if this is acceptable for a security issue in the Debian stable distribution.

It is uploaded at mentors [3], please, let me know if all is in good shape. I'm not sure if things
are done properly, for example, as long as it is targeted to stable-security, I've built the package
on stable...

Thanks a lot, cheers
Federico

[1] http://bugs.debian.org/622674
[2] http://www.doctrine-project.org/blog/doctrine-security-fix
[3] http://mentors.debian.net/debian/pool/main/d/doctrine/doctrine_1.2.4-1.dsc





Reply sent to Federico Gimenez Nieto <fgimenez@coit.es>:
You have taken responsibility. (Thu, 21 Apr 2011 01:57:10 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 21 Apr 2011 01:57:10 GMT)


Message #22 received at 622674-close@bugs.debian.org:

From: Federico Gimenez Nieto <fgimenez@coit.es>
To: 622674-close@bugs.debian.org
Subject: Bug#622674: fixed in doctrine 1.2.2-2+squeeze1
Date: Thu, 21 Apr 2011 01:55:13 +0000
Source: doctrine
Source-Version: 1.2.2-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
doctrine, which is due to be installed in the Debian FTP archive:

doctrine_1.2.2-2+squeeze1.debian.tar.gz
  to main/d/doctrine/doctrine_1.2.2-2+squeeze1.debian.tar.gz
doctrine_1.2.2-2+squeeze1.dsc
  to main/d/doctrine/doctrine_1.2.2-2+squeeze1.dsc
doctrine_1.2.2-2+squeeze1_all.deb
  to main/d/doctrine/doctrine_1.2.2-2+squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 622674@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Federico Gimenez Nieto <fgimenez@coit.es> (supplier of updated doctrine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 19 Apr 2011 18:06:50 +0200
Source: doctrine
Binary: doctrine
Architecture: source all
Version: 1.2.2-2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Symfony Maintainers <pkg-symfony-maint@lists.alioth.debian.org>
Changed-By: Federico Gimenez Nieto <fgimenez@coit.es>
Description: 
 doctrine   - Tool for object-relational mapping in PHP
Closes: 622674
Changes: 
 doctrine (1.2.2-2+squeeze1) stable-security; urgency=high
 .
   * Applied fixes from 1.2.4 upstream version due to CVE 2011-1522
     (closes: #622674)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jul 2011 07:37:13 GMT)


Bug unarchived. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Thu, 29 Dec 2011 21:33:08 GMT)


Bug marked as fixed in version 1.2.4-1, send any further explanations to Moritz Muehlenhoff <jmm@debian.org>. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Thu, 29 Dec 2011 21:33:09 GMT)


Bug archived. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Thu, 29 Dec 2011 21:33:09 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:20:39 2019; Machine Name: buxtehude
