Hi Jean-Michel, 2016-09-10 3:01 GMT+02:00 Jean-Michel Vourgère (debian) <nir...@debian.org>: > Hi Bálint > > Actually, I was talking about CVE-2016-4855 and I totally overlooked > TEMP-0000000-B85664. > > Debian is not vulnerable to CVE-2016-4855. That was what my previous mail was > about. > > However TEMP-0000000-B85664 has a real issue that should be fixed. > > Sorry for the mess. I just commited secure-testing/data/CVE/list moving the > "unimportant" and the note about the file being an example from CVE-2016-XXXX > to CVE-2016-4855.
OK, thank you. Would you like to handle the LTS update or just unstable and stable? Cheers, Balint > > > On Friday 09 September 2016 21:49:49 Bálint Réczey wrote: >> Hi Jean-Michel, >> >> Thank you for your prompt response. >> >> 2016-09-09 20:25 GMT+02:00 Jean-Michel Vourgère (debian) > <nir...@debian.org>: >> > Hi >> > >> > On Debian, the affected php script is deployed as >> > /usr/share/doc/libphp-adodb/examples/test.php.gz >> > and NOT in a browser reachable location: >> > >> > It's not in /usr/share/php/adodb/ with the rest of the library and >> > /usr/share/doc/ is no longer reachable since a long while, if I remember >> > correctly. >> > >> > Upstream wrote: >> >> As a workaround until hotfix is released, we recommend all users to >> >> remove >> >> the whole ./tests directory; it is only used for development purposes and >> >> is not necessary for normal ADOdb operations. >> > >> > So I don't think Debian even qualify as "vulnerable". >> >> Agreed, the installed package is not vulnerable as installed. >> >> > Sure, if you unzip the example test file and create a reachable script >> > based on that, you will have a problem. Note that fixing the example on >> > which you created your affected script will not immediately save you... >> > >> > I plan to work on packaging 5.20.6 (for sid) tomorrow I guess. >> >> Thank you for taking care of that. >> >> > Do you still think the update would be nice to have in wheezy-security? >> >> I don't consider this a high priority issue either, but the package can be >> updated with the proper example and a DLA can be issued to raise >> attention of system administrators. >> >> Cheers, >> Balint >> >> > On Friday 09 September 2016 01:17:03 Balint Reczey wrote: >> >> Hello dear maintainer(s), >> >> >> >> the Debian LTS team would like to fix the security issues which are >> >> currently open in the Wheezy version of libphp-adodb: >> >> https://security-tracker.debian.org/tracker/CVE-2016-4855 >> >> https://security-tracker.debian.org/tracker/TEMP-0000000-B85664 >> >> >> >> Would you like to take care of this yourself? >> >> >> >> If yes, please follow the workflow we have defined here: >> >> https://wiki.debian.org/LTS/Development >> >> >> >> If that workflow is a burden to you, feel free to just prepare an >> >> updated source package and send it to debian-lts@lists.debian.org >> >> (via a debdiff, or with an URL pointing to the source package, >> >> or even with a pointer to your packaging repository), and the members >> >> of the LTS team will take care of the rest. Indicate clearly whether you >> >> have tested the updated package or not. >> >> >> >> If you don't want to take care of this update, it's not a problem, we >> >> will do our best with your package. Just let us know whether you would >> >> like to review and/or test the updated package before it gets released. >> >> >> >> You can also opt-out from receiving future similar emails in your >> >> answer and then the LTS Team will take care of libphp-adodb updates >> >> for the LTS releases. (In case we don't get any answer for months, >> >> we may also take it as an opt-out, too.) >> >> >> >> Thank you very much. >> >> >> >> Balint Reczey, >> >> >> >> on behalf of the Debian LTS team. >> >> >> >> PS: A member of the LTS team might start working on this update at >> >> any point in time. You can verify whether someone is registered >> >> on this update in this file: >> >> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view >> >> =ma rkup >
