phpLDAPadmin <= 1.2.3 'entry_chooser.php' Multiple Cross-Site Scripting

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Here is a debdiff.

The attachment "phpldapadmin_1.2.2-5.2ubuntu2.1.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Hello Ismail, thanks for taking on this task.

There's a few small things that I'd like changed before we sponsor this:

- Since Ubuntu doesn't really have package 'maintainers', there's no need to point out it's a non-maintainer upload
- We like the security updates to all have consistent formatting as described on: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging
- We like the patches to have DEP-3 tags to indicate at least where the patch came from, so future readers can verify patches independently. (While DEP-3 is kind of complicated and involved, it's basically just adding Subject: with something short and descriptive and Origin: with a link to the patch.) The full DEP-3 guide is at http://dep.debian.net/deps/dep3/ but don't feel compelled to read it unless I did a poor job describing it here.

Could you submit a new patch with these items fixed up?

Thanks

Hello Seth, Thank you for replying.

I hope this one will do.

Very nice, thanks; I've asked what I think is upstream for feedback https://github.com/leenooks/phpLDAPadmin/issues/50

Thanks

Thanks for providing the debdiff. This package has been built and is available in the security-proposed PPA for testing.
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa

This bug was fixed in the package phpldapadmin - 1.2.2-5.2ubuntu2.1

---------------
phpldapadmin (1.2.2-5.2ubuntu2.1) xenial-security; urgency=low

  * SECURITY UPDATE: Multiple Cross-Site Scripting vulnerabilities in
    file htdocs/entry_chooser.php (LP: #1701731)
    - debian/patches/fix-XSS-3.patch: sanitize user inputs in
      file htdocs/entry_chooser.php.
    - CVE-2017-11107

 -- Ismail Belkacim <email address hidden> Fri, 07 Jul 2017 05:38:54 -0700