Security vulnerability in phpldapadmin

Bug #887290 reported by Winckler on 2011-11-07
Affects                  Status  Importance  Assigned to  Milestone
phpldapadmin (Ubuntu)            Undecided   Unassigned
  Lucid                          Medium      Unassigned
  Maverick                       Medium      Unassigned
  Natty                          Medium      Unassigned
  Oneiric                        Medium      Unassigned
  Precise                        Undecided   Unassigned

Bug Description

Last week phpldapadmin (PLA) released a new version (1.2.2) that fixes a critical security issue. Our server (10.04 LTS) was already the target of a successful attack (I suspect an automated attack). I recommend high priority in updating this package. There is no update on Debian at this moment.

Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

visibility: private → public
Changed in phpldapadmin (Ubuntu):
status: New → Confirmed
Winckler (winckler) wrote :

The latest Debian package (in security updates) already includes the fix: 1.2.0.5-2 -> 1.2.0.5-2+squeeze1.

Should I create a debdiff, or is there a simpler way to pull the update? If a debdiff is the way, do I have to create one for each version (Lucid, Maverick, ...)?

Please advise. Thanks,
Gabriel

Jamie Strandboge (jdstrand) wrote :

Precise has 1.2.0.5-2.1ubuntu1, which contains the fix.

Changed in phpldapadmin (Ubuntu Precise):
status: Confirmed → Fix Released
Changed in phpldapadmin (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → Medium
Changed in phpldapadmin (Ubuntu Maverick):
status: New → Triaged
importance: Undecided → Medium
Changed in phpldapadmin (Ubuntu Natty):
status: New → Triaged
importance: Undecided → Medium
Changed in phpldapadmin (Ubuntu Oneiric):
status: New → Triaged
importance: Undecided → Medium
Jamie Strandboge (jdstrand) wrote :

Because there are Ubuntu-specific changes, we cannot just sync from Debian so debdiffs must be provided. Please see https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes_for_Contributors for details on getting your patches into Ubuntu. Thanks for looking at this! :)

Winckler (winckler) wrote :

Sorry for the long delay, but I'm working on my extra hours on this one.
I'm new to debdiff. If you need any refactoring, let me know.

Winckler (winckler) wrote :
Jamie Strandboge (jdstrand) wrote :

Thanks for your patch! Someone from the security team will process this soon. Subscribing ubuntu-security-sponsors as per https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes_for_Contributors.

Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff, ACK.

Since basically the same version is in lucid-oneiric, I've used your debdiff with some minor adjustments to fix all releases. Packages will be published to -security in the next few hours.

Thanks!

Changed in phpldapadmin (Ubuntu Lucid):
status: Triaged → Fix Committed
Changed in phpldapadmin (Ubuntu Maverick):
status: Triaged → Fix Committed
Changed in phpldapadmin (Ubuntu Natty):
status: Triaged → Fix Committed
Changed in phpldapadmin (Ubuntu Oneiric):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package phpldapadmin - 1.2.0.5-2ubuntu1.11.10.1

---------------
phpldapadmin (1.2.0.5-2ubuntu1.11.10.1) oneiric-security; urgency=high

  * Merge from debian security updates. (LP: #887290)
    - CVE-2011-4074 Fix XSS vulnerability in debug code
    - CVE-2011-4075 Fix arbitrary code execution by unauthenticated users
 -- <email address hidden> (Gabriel A. von Winckler) Thu, 24 Nov 2011 14:39:09 -0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package phpldapadmin - 1.2.0.5-2ubuntu1.11.04.1

---------------
phpldapadmin (1.2.0.5-2ubuntu1.11.04.1) natty-security; urgency=high

  * Merge from debian security updates. (LP: #887290)
    - CVE-2011-4074 Fix XSS vulnerability in debug code
    - CVE-2011-4075 Fix arbitrary code execution by unauthenticated users
 -- <email address hidden> (Gabriel A. von Winckler) Thu, 24 Nov 2011 14:39:09 -0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package phpldapadmin - 1.2.0.5-1.1ubuntu1.1

---------------
phpldapadmin (1.2.0.5-1.1ubuntu1.1) maverick-security; urgency=high

  * Merge from debian security updates. (LP: #887290)
    - CVE-2011-4074 Fix XSS vulnerability in debug code
    - CVE-2011-4075 Fix arbitrary code execution by unauthenticated users
 -- <email address hidden> (Gabriel A. von Winckler) Thu, 24 Nov 2011 14:39:09 -0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package phpldapadmin - 1.2.0.5-1ubuntu1.10.04.2

---------------
phpldapadmin (1.2.0.5-1ubuntu1.10.04.2) lucid-security; urgency=high

  * Merge from debian security updates. (LP: #887290)
    - CVE-2011-4074 Fix XSS vulnerability in debug code
    - CVE-2011-4075 Fix arbitrary code execution by unauthenticated users
 -- <email address hidden> (Gabriel A. von Winckler) Thu, 24 Nov 2011 14:39:09 -0200

Changed in phpldapadmin (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in phpldapadmin (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in phpldapadmin (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in phpldapadmin (Ubuntu Oneiric):
status: Fix Committed → Fix Released