It looks like you could make SQL injection with $_POST['host'] or some other variables.

Bug #657473 reported by Lazy
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
smbind (Ubuntu) | Triaged | Medium | Unassigned |

Bug Description

Binary package hint: smbind

Templates should also use: |escape:'html'
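
An added example (not code from smbind or from this report) of the two fixes the description points at: passing `$_POST['host']` to the database as a bound parameter, and HTML-escaping stored values on output, which is what `|escape:'html'` does in a Smarty template. The `records` table, the function names, the hostname policy and the use of PDO with in-memory SQLite are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration: table, column and function names are hypothetical, and PDO
// with in-memory SQLite stands in for whatever database layer smbind uses.

// Assumed policy: host is '@' or dot-separated labels of letters, digits, '-' and '_'.
function valid_host(string $host): bool
{
    $label = '[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?';
    return $host === '@'
        || (strlen($host) <= 253
            && preg_match('/^' . $label . '(?:\.' . $label . ')*\.?$/D', $host) === 1);
}

function add_record(PDO $db, int $zone, array $post): void
{
    $host = trim((string) ($post['host'] ?? ''));
    $dest = (string) ($post['destination'] ?? '');
    if (!valid_host($host)) {
        throw new InvalidArgumentException('rejected host value');
    }
    // Values travel as bound parameters, never as part of the SQL string.
    $stmt = $db->prepare('INSERT INTO records (zone, host, destination) VALUES (?, ?, ?)');
    $stmt->execute([$zone, $host, $dest]);
}

// Same encoding Smarty's |escape:'html' modifier applies in a template.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (zone INTEGER, host TEXT, destination TEXT)');

// Constructed form submissions: the last two carry SQL and HTML metacharacters.
$posts = [
    ['host' => 'ns1', 'destination' => '192.0.2.53'],
    ['host' => 'txt', 'destination' => "it's <b>bold</b>"],
    ['host' => "ns'1", 'destination' => '192.0.2.1'],
];
foreach ($posts as $post) {
    try {
        add_record($db, 1, $post);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', h($post['host']), "\n";
    }
}
foreach ($db->query('SELECT host, destination FROM records') as $row) {
    echo '<td>', h($row['host']), '</td><td>', h($row['destination']), "</td>\n";
}
```

The free-form destination value shows why validation alone is not enough: it legitimately contains a quote and markup, so it has to be bound on the way in and escaped on the way out.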

Lazy (ubuntu-bugs-oittaa) wrote :

Commit.php breaks easily if you use something like ns1.example.org as primary or secondary NS for the domain example.org, because it can't find an A record for it. This patch fixes that problem and speeds up iteration of good zones by many orders of magnitude.

Kees Cook (kees) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in smbind (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
visibility: private → public
Giuseppe Iuculano (giuseppe-iuculano) wrote : Re: [Bug 657473] Re: It looks like you could make SQL injection with $_POST['host'] or some other variables.

Hi,

On 02/05/2011 12:30 AM, Kees Cook wrote:
> Since the package referred to in this bug is in universe or
> multiverse, it is community maintained. If you are able, I suggest
> posting a debdiff for this issue. When a debdiff is available, members
> of the security team will review it and publish the package. See the
> following link for more information:
> https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures
>
> ** Changed in: smbind (Ubuntu)
> Status: New => Confirmed
>
> ** Changed in: smbind (Ubuntu)
> Importance: Undecided => Medium
>
> ** Visibility changed to: Public
>

Before making it public, an email to the Debian maintainer or better to
the Debian Security team would be appreciated.

Cheers,
Giuseppe.

tags: added: patch
Jamie Strandboge (jdstrand) wrote :

Has upstream been notified?

Changed in smbind (Ubuntu):
status: Confirmed → Incomplete
Lazy (ubuntu-bugs-oittaa) wrote :
Changed in smbind (Ubuntu):
status: Incomplete → Triaged
This report contains Public Security information  
Everyone can see this security related information.