Your message dated Sun, 30 Oct 2011 19:56:47 +0000
with message-id <e1rkbut-00085t...@franck.debian.org>
and subject line Bug#646769: fixed in phpldapadmin 1.2.0.5-2+squeeze1
has caused the Debian Bug report #646769,
regarding phpldapadmin: cross-site scripting vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
646769: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646769
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: phpldapadmin
Severity: serious
Justification: security vulnerability
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for phpldapadmin.

CVE-2011-4074[0]:
| Input appended to the URL in cmd.php (when "cmd" is set to "_debug")
| is not properly sanitised before being returned to the user. This can be
| exploited to execute arbitrary HTML and script code in a user's browser
| session in context of an affected site.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4074
    http://security-tracker.debian.org/tracker/CVE-2011-4074

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---
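The reflected XSS described in the report above, as an added example that is not phpldapadmin's code: a constructed stand-in for a debug page that echoes the request URI raw, beside one that HTML-encodes it, plus a detection pass over constructed access-log lines for cmd=_debug requests carrying markup. The page layout, helper names and log lines are assumptions, not the real cmd.php.

```python
# Added example (not phpldapadmin's code): the CVE-2011-4074 pattern, a debug
# page reflecting the request URI without output encoding, next to the encoded
# form, plus a simple access-log check. All names and sample data are constructed.
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit


def debug_page_unsafe(request_uri: str) -> str:
    """Vulnerable pattern: the raw request URI is interpolated into HTML."""
    return f"<p>Debug: request was {request_uri}</p>"


def debug_page_safe(request_uri: str) -> str:
    """Hardened pattern: encode for the HTML text context before emitting.
    quote=True also encodes quotes, which matters if the value ever lands
    inside an attribute."""
    return f"<p>Debug: request was {html.escape(request_uri, quote=True)}</p>"


def is_debug_request(request_uri: str) -> bool:
    """True when the request selects the debug command (cmd=_debug)."""
    query = parse_qs(urlsplit(request_uri).query)
    return "_debug" in query.get("cmd", [])


def reflects_raw_markup(page: str, tainted: str) -> bool:
    """Regression check for the fix: does user-controlled text reach the
    page unencoded?"""
    return tainted in page


def suspicious_debug_requests(log_lines):
    """Detection aid: request URIs hitting cmd=_debug whose query, after
    percent-decoding, contains HTML-significant characters. Assumes a
    common-log-format line with the request line in double quotes."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        uri = m.group(1)
        if is_debug_request(uri) and re.search(r"[<>\"']", unquote(urlsplit(uri).query)):
            hits.append(uri)
    return hits


# Constructed sample data: one benign request and one debug request with markup.
SAMPLE_URI = "/cmd.php?cmd=_debug&note=<b>hello</b>"
LOG_LINES = [
    '10.0.0.5 - - [30/Oct/2011:10:00:00 +0000] "GET /cmd.php?cmd=login HTTP/1.1" 200 512',
    '10.0.0.7 - - [30/Oct/2011:10:00:05 +0000] "GET /cmd.php?cmd=_debug&note=%3Cb%3Ehello%3C/b%3E HTTP/1.1" 200 640',
]
```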
--- Begin Message ---
Source: phpldapadmin
Source-Version: 1.2.0.5-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
phpldapadmin, which is due to be installed in the Debian FTP archive:

phpldapadmin_1.2.0.5-2+squeeze1.diff.gz
  to main/p/phpldapadmin/phpldapadmin_1.2.0.5-2+squeeze1.diff.gz
phpldapadmin_1.2.0.5-2+squeeze1.dsc
  to main/p/phpldapadmin/phpldapadmin_1.2.0.5-2+squeeze1.dsc
phpldapadmin_1.2.0.5-2+squeeze1_all.deb
  to main/p/phpldapadmin/phpldapadmin_1.2.0.5-2+squeeze1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 646...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <j...@debian.org> (supplier of updated phpldapadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Thu, 27 Oct 2011 17:51:24 +0100
Source: phpldapadmin
Binary: phpldapadmin
Architecture: source all
Version: 1.2.0.5-2+squeeze1
Distribution: squeeze-security
Urgency: high
Maintainer: Fabio Tranchitella <kob...@debian.org>
Changed-By: Jonathan Wiltshire <j...@debian.org>
Description: 
 phpldapadmin - web based interface for administering LDAP servers
Closes: 646754 646769
Changes: 
 phpldapadmin (1.2.0.5-2+squeeze1) squeeze-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * CVE-2011-4074 Fix XSS vulnerability in debug code (Closes: #646769)
   * CVE-2011-4075 Fix arbitrary code execution by unauthenticated users
     (Closes: #646754)


--- End Message ---