adminer: CVE-2018-7667

Debian Bug report logs - #893668

Package: adminer; Maintainer for adminer is Chris Lamb <lamby@debian.org>; Source for adminer is src:adminer (PTS, buildd, popcon).

Reported by: Chris Lamb <lamby@debian.org>

Date: Wed, 21 Mar 2018 02:48:02 UTC

Severity: grave

Tags: security

Found in version adminer/4.2.5-3

Fixed in versions adminer/4.5.0-1, adminer/4.2.5-3+deb9u1, adminer/3.3.3-1+deb8u1

Done: Chris Lamb <lamby@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org:
Bug#893668; Package adminer. (Wed, 21 Mar 2018 02:48:04 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org. (Wed, 21 Mar 2018 02:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: submit@bugs.debian.org
Subject: adminer: CVE-2018-7667
Date: Wed, 21 Mar 2018 02:44:29 +0000
Package: adminer
Version: 4.2.5-3
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

the following vulnerability was published for adminer.

CVE-2018-7667[0]:
| Adminer through 4.3.1 has SSRF via the server parameter.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7667


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#893668; Package adminer. (Wed, 21 Mar 2018 06:27:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Wed, 21 Mar 2018 06:27:07 GMT)


Message #10 received at 893668@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Chris Lamb <lamby@debian.org>, 893668@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#893668: adminer: CVE-2018-7667
Date: Wed, 21 Mar 2018 07:23:03 +0100
Hi Chris,

On Wed, Mar 21, 2018 at 02:44:29AM +0000, Chris Lamb wrote:
> Package: adminer
> Version: 4.2.5-3
> X-Debbugs-CC: team@security.debian.org
> Severity: grave
> Tags: security
> 
> Hi,
> 
> the following vulnerability was published for adminer.
> 
> CVE-2018-7667[0]:
> | Adminer through 4.3.1 has SSRF via the server parameter.

I think there is little which upstream could do in addition to what was
done in 4.4.0 upstream to mitigate the issue, or am I missing
something? 4.4.0 did:

> Adminer 4.4.0 (released 2018-01-17):
> [...]
> Rate limit password-less login attempts from the same IP address
> Disallow connecting to privileged ports
> [...]

One thing which could additionally be done is to restrict, from the
configuration file, which servers/ports can be reached from the adminer
interface, e.g. by introducing a server configurations array so that
only those specific servers can be connected to.

Regards,
Salvatore

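The two 4.4.0 changes quoted above (refusing privileged ports, rate limiting password-less logins per IP) and the configuration-level allowlist suggested in the same message can be expressed as a small policy layer that runs before any socket is opened. The following is an added example written for this page, not code from Adminer or from the Debian package; the function names, the configuration layout (`ALLOWED_SERVERS`, `DEFAULT_PORTS`), the 1024 privileged-port threshold and the rate-limit window are all assumptions, and the hostnames are constructed.

```python
"""Connection-target policy for a web database administration front-end.

Added example (not Adminer's code) showing the mitigations discussed in this
bug: refusing privileged ports, rate limiting password-less login attempts per
client IP, and a configuration-level allowlist of reachable servers. Names,
configuration layout and thresholds are assumptions.
"""
from dataclasses import dataclass
import time

PRIVILEGED_PORT_LIMIT = 1024  # assumed threshold: ports below 1024 are refused
DEFAULT_PORTS = {"mysql": 3306, "pgsql": 5432}  # assumed per-driver defaults

# Constructed configuration: the only (host, port) pairs each driver may reach.
ALLOWED_SERVERS = {
    "mysql": {("db1.internal.example", 3306), ("db2.internal.example", 3307)},
    "pgsql": {("pg.internal.example", 5432)},
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    host: str = ""
    port: int = 0

def parse_server(server: str, default_port: int):
    """Split 'host', 'host:port', '[v6]' or '[v6]:port' into (host, port)."""
    server = server.strip()
    port_text = None
    if server.startswith("["):          # bracketed IPv6 literal
        end = server.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, rest = server[1:end], server[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("junk after IPv6 literal")
        port_text = rest[1:] if rest else None
    elif server.count(":") == 1:        # host:port
        host, port_text = server.split(":")
    elif ":" in server:                 # bare IPv6 is ambiguous with a port
        raise ValueError("bare IPv6 literal must be bracketed")
    else:
        host = server
    if not host:
        raise ValueError("empty host")
    if port_text is None:
        if default_port <= 0:
            raise ValueError("port required for this driver")
        return host, default_port
    if not port_text.isdigit():
        raise ValueError("port is not numeric")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return host, port

def check_target(driver: str, server: str, allowed=ALLOWED_SERVERS) -> Decision:
    """Decide whether the interface may open a connection to `server`."""
    if driver not in allowed:
        return Decision(False, "driver not configured")
    try:
        host, port = parse_server(server, DEFAULT_PORTS.get(driver, 0))
    except ValueError as exc:
        return Decision(False, f"malformed server: {exc}")
    if port < PRIVILEGED_PORT_LIMIT:
        # Refuses the system-service port range outright, independent of the allowlist.
        return Decision(False, "privileged port refused", host, port)
    if (host, port) not in allowed[driver]:
        return Decision(False, "server not in allowlist", host, port)
    return Decision(True, "ok", host, port)

class PasswordlessLoginLimiter:
    """Sliding-window limit on password-less login attempts per client IP."""

    def __init__(self, max_attempts=5, window_seconds=60, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock        # injectable for deterministic tests
        self._attempts = {}       # ip -> timestamps of recent attempts

    def allow(self, ip: str) -> bool:
        """Record an attempt; return False once the window is exhausted."""
        now = self.clock()
        recent = [t for t in self._attempts.get(ip, []) if now - t < self.window]
        allowed = len(recent) < self.max_attempts
        if allowed:
            recent.append(now)
        self._attempts[ip] = recent
        return allowed
```

`check_target()` is meant to be called on the raw `server` request parameter before the driver's connect call, and `PasswordlessLoginLimiter.allow()` on the client IP before any connection attempt without a password. The parser deliberately rejects anything it cannot classify rather than guessing, and the privileged-port check is applied before the allowlist so that a misconfigured allowlist entry cannot re-open that range. Together these give the outcome the later Debian changelog entries describe as the goal of the fix: the interface can no longer be pointed at arbitrary hosts and ports.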


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#893668; Package adminer. (Wed, 21 Mar 2018 12:48:04 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. (Wed, 21 Mar 2018 12:48:04 GMT)


Message #15 received at 893668@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 893668@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#893668: adminer: CVE-2018-7667
Date: Wed, 21 Mar 2018 12:46:16 +0000
Hi Salvatore,

> I think there is little which upstream could do in addition to what was
> done in 4.4.0 upstream to mitigate the issue, or am I missing
> something?

I agree. I filed this bug mostly to track the uploads to wheezy,
jessie, jessie-backports and stretch :)

Can I get an ACK from you to upload those to *-security?


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#893668; Package adminer. (Thu, 22 Mar 2018 13:51:07 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. (Thu, 22 Mar 2018 13:51:07 GMT)


Message #20 received at 893668@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 893668@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#893668: adminer: CVE-2018-7667
Date: Thu, 22 Mar 2018 13:48:33 +0000
Chris Lamb wrote:

> > I think there is little which upstream could do in addition to what was
> > done in 4.4.0 upstream to mitigate the issue, or am I missing
> > something?
> 
> I agree. I filed this bug mostly to track the uploads to wheezy,
> jessie, jessie-backports and stretch :)
> 
> Can I get an ACK from you to upload those to *-security?

Gentle ping on this? :)


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#893668; Package adminer. (Thu, 22 Mar 2018 14:09:06 GMT)


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Thu, 22 Mar 2018 14:09:06 GMT)


Message #25 received at 893668@bugs.debian.org:

From: Sébastien Delafond <seb@debian.org>
To: Chris Lamb <lamby@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 893668@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#893668: adminer: CVE-2018-7667
Date: Thu, 22 Mar 2018 15:07:19 +0100
On Mar/22, Chris Lamb wrote:
> > Can I get an ACK from you to upload those to *-security?
> 
> Gentle ping on this? :)

Salvatore is mostly away till the end of the week, but he marked those
no-dsa on the 21st, so I guess that would go toward s-p-u instead.

Cheers,

--Seb



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#893668; Package adminer. (Thu, 22 Mar 2018 15:15:11 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. (Thu, 22 Mar 2018 15:15:11 GMT)


Message #30 received at 893668@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Sébastien Delafond <seb@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 893668@bugs.debian.org, Debian Security Team <team@security.debian.org>, 893803@bugs.debian.org, 893804@bugs.debian.org
Subject: Re: Bug#893668: adminer: CVE-2018-7667
Date: Thu, 22 Mar 2018 15:13:34 +0000
Hi Sébastien,

> Salvatore is mostly away till the end of the week, but he marked those
> no-dsa on the 21st, so I guess that would go toward s-p-u instead.

Thanks! I did not spot you had done that before my ping, so apologies
for that. I've filed bugs against release.debian.org as #893803 and
#893804 respectively.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Marked as fixed in versions adminer/4.5.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 22 Mar 2018 15:33:07 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Mon, 02 Apr 2018 17:21:38 GMT)


Notification sent to Chris Lamb <lamby@debian.org>:
Bug acknowledged by developer. (Mon, 02 Apr 2018 17:21:38 GMT)


Message #37 received at 893668-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 893668-close@bugs.debian.org
Subject: Bug#893668: fixed in adminer 4.2.5-3+deb9u1
Date: Mon, 02 Apr 2018 17:17:08 +0000
Source: adminer
Source-Version: 4.2.5-3+deb9u1

We believe that the bug you reported is fixed in the latest version of
adminer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893668@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated adminer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 20 Mar 2018 22:40:06 -0400
Source: adminer
Binary: adminer
Architecture: source all
Version: 4.2.5-3+deb9u1
Distribution: stretch
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 adminer    - Web-based database administration tool
Closes: 893668
Changes:
 adminer (4.2.5-3+deb9u1) stretch; urgency=high
 .
   * CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated
     to arbitrary systems and ports which could bypass external firewalls to
     identify internal hosts and/or perform port scanning of other servers.
     (Closes: #893668)
Checksums-Sha1:
 8ae7c258df2749666d955a13663fd28af904b5dc 1809 adminer_4.2.5-3+deb9u1.dsc
 05db4eb98bf092afe04052733612c2841ad97317 409762 adminer_4.2.5.orig.tar.bz2
 2497a8541adf1f352942658dc352b75ea92ef99a 2732 adminer_4.2.5-3+deb9u1.debian.tar.xz
 ed939788115cd89e7d002ecf2d757f1772378601 386380 adminer_4.2.5-3+deb9u1_all.deb
 46244b1a3b17f2f484b0968fe04f2468b076545a 5709 adminer_4.2.5-3+deb9u1_amd64.buildinfo
Checksums-Sha256:
 718c5bc1144f8f7e2b817387e236ac6a49dc96a402383d368f7b47add691a013 1809 adminer_4.2.5-3+deb9u1.dsc
 69a177ba87ed0cf8d7633799248511d1c7d4cffb66c9a5742795e1de506f1946 409762 adminer_4.2.5.orig.tar.bz2
 6109a0042955d441878280aa25073e97de5ad3b64384873e3914bf4a6fc4a7b6 2732 adminer_4.2.5-3+deb9u1.debian.tar.xz
 1a885eeb402f1470d94908832471c397ac116ada6c24b8585ed0fe1d7a3c9a6d 386380 adminer_4.2.5-3+deb9u1_all.deb
 fc17a857cd8d2fe3121530b3a3d09c3683669573b7912f6bac1394f56de8a9d9 5709 adminer_4.2.5-3+deb9u1_amd64.buildinfo
Files:
 ffbbce0f60a274e0853977838cb49608 1809 web extra adminer_4.2.5-3+deb9u1.dsc
 e4b85ffc6b5b674b83daadd9e9d23cfd 409762 web extra adminer_4.2.5.orig.tar.bz2
 450a9aeb8d877e1bb98f914122ae213e 2732 web extra adminer_4.2.5-3+deb9u1.debian.tar.xz
 29481fc81488b6f06259df8583e47b0a 386380 web extra adminer_4.2.5-3+deb9u1_all.deb
 7a08ca773b4b524408408a3387d7b4da 5709 web extra adminer_4.2.5-3+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAlrAmi4ACgkQHpU+J9Qx
Hlg95Q/+PYGMzgrH9Yb+fT/KppD5FanIZE79COauHORKLEBuG4OtQLTAomldvolu
FIBcZ3rgf6Y8X0iwIAlaIQivYJgF9SstHRIdBqbxDBBc238XvBApo5lhFjoXvzmJ
Iz6NIT57ozFODzqQdlV1AyfQcO1fdi6+e1PSuxXt5t7zN9Ujx8dAW2sIIj+IbGCW
LpwVBd+ZmWn00kZO3nbxVIneGhKQ7513gCBwv+qGf0g5mOmZqKM1oHRLiNW28Uwg
9np4btZKAVlrxomyzmN8c6idfCOGRdApXrg1er/Z+dXGf35NO9lbCQfAavEL8+nO
pekOOR/eAvznIWxneAF5Jr0sky2xnVa4GmlD8HI8vt4bSPPucLBsA2mh4hoxt0SN
VKGMwX07gv65eso8hdrNBIsFsJY7U6YsIHv0iQgSWdqcyor3bA4HbbOG8WKcjEwR
X7BsQwmlyQN4vBg3fG0B6q/WqKy6cTt6bqvqCDm95ZinIUyDke5NGGb0a4R4bBbl
ppSgVSYx/YfbipZOx8WcT20ax1cGwA3iJkl9478DBV02bRyHP428FH7bpIECp+4W
W4poozeQ3PtCa+cneulx9nCeJQ7Iv6gt0mH943ZTnJePr+u9GJjIra5Bayu0T0+G
rvexGzOvGy3F5kZMZ0qAmPbounckOvzmdYVUCa8/maJ4oWEhh+U=
=Yklv
-----END PGP SIGNATURE-----




Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Sun, 13 May 2018 20:54:06 GMT)


Notification sent to Chris Lamb <lamby@debian.org>:
Bug acknowledged by developer. (Sun, 13 May 2018 20:54:06 GMT)


Message #42 received at 893668-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 893668-close@bugs.debian.org
Subject: Bug#893668: fixed in adminer 3.3.3-1+deb8u1
Date: Sun, 13 May 2018 20:51:51 +0000
Source: adminer
Source-Version: 3.3.3-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
adminer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893668@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated adminer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 07 May 2018 09:06:51 -0700
Source: adminer
Binary: adminer
Architecture: source all
Version: 3.3.3-1+deb8u1
Distribution: jessie
Urgency: high
Maintainer: Medhamsh V <me@medhamsh.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 adminer    - Web-based database administration tool
Closes: 893668
Changes:
 adminer (3.3.3-1+deb8u1) jessie; urgency=high
 .
   * CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated
     to arbitrary systems and ports which could bypass external firewalls to
     identify internal hosts and/or perform port scanning of other servers.
     (Closes: #893668)
Checksums-Sha1:
 b31208291084d5c6087c18248f714cda05fa63d8 1851 adminer_3.3.3-1+deb8u1.dsc
 152c4969356d6330382d28dd22e6f16e0d9653bf 3404 adminer_3.3.3-1+deb8u1.debian.tar.xz
 60a5a781ce2ba73955f1bd148598b08987606a1e 242238 adminer_3.3.3-1+deb8u1_all.deb
Checksums-Sha256:
 f02979dd83d45231319325ec33ee1c3956589a598fb15746910463e5aa8cef57 1851 adminer_3.3.3-1+deb8u1.dsc
 168cbe44a91fc809a8ff37a5ac7f077252b00d75810b2a1c18500a0bee1f4f63 3404 adminer_3.3.3-1+deb8u1.debian.tar.xz
 b836b655330e4966879b72e8779b766cc457ec3a65fd3de7a8e71556a957f7ff 242238 adminer_3.3.3-1+deb8u1_all.deb
Files:
 4ef4480574c57b6ed93165e06414aea2 1851 web extra adminer_3.3.3-1+deb8u1.dsc
 fe7be26d19e366eb8667cd43dd01d080 3404 web extra adminer_3.3.3-1+deb8u1.debian.tar.xz
 5019c04c412f7f3e1a460f33b0e10f28 242238 web extra adminer_3.3.3-1+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAlrweeIACgkQHpU+J9Qx
HlhpdA//YHKcK623ufQYm+Ad4GJb986YEk1p2YZy7Nv31kcCtnZsutHqihcXlhPT
WQSKGEfmaCORXzhlqx+qOjmrG+3QZa943+vUmUWgzpVIF39s/JuE2YjHSW6M5yYU
+JJCrVJ4l7kezEdMwYWd2EqjBuXCShDeEtSE8ytPAIMNnICuPF02CwCoQPDsUoDM
nXAeSZQxUUskqaZWLKOWgu3i7n5tBqYAYoN36f4Tj1PEp+ou7i/EZ80Z2jmf6W65
X6eqVYxU7LjiAuzDeVRhYEiIuPpbSnAoBA5aL5OfIe7YjQyB3ICPCXwZ60DQSA0U
gsuZf4GuPCLahaYYxmNES3vPdc3rPVmVTYNIEyfsaPLUTbU+E9rGp8lq6hQbO6kM
3jxI5AVUl3h+JCTEw213lWzXdKUdi0grkBRSsPL8aS52r5gQvZ6aG4XNlsectest
S2Kg9iKv1zR0Lg1NSV3esjpMwEnHYpaiOwyhsMMV2I6Q5KneZn73eMK/P49ODdBg
xmtH2GK8At1U6fEuYMkgnHstcpIC/oog3ZvdAicTBCU1OkrVKLkJrxhGdb7OwmsO
szJvOvfx6Hlwp++C5ko/sIxMh7axcNBQE0VwA/U9kkik1ekpNmyl5SnYDY7q+nBo
XxCRtKS4z7SnbFmshjTzPyNrJYfIEpOuQ/2uQr4ZPnP2lDT/mz8=
=wlHB
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Jul 2018 07:31:30 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:13:02 2019; Machine Name: buxtehude
