[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Wheezy update of libphp-adodb?


On Debian, the affected php script is deployed as
and NOT in a browser reachable location:

It's not in /usr/share/php/adodb/ with the rest of the library and 
/usr/share/doc/ is no longer reachable since a long while, if I remember 

Upstream wrote:
> As a workaround until hotfix is released, we recommend all users to remove
> the whole ./tests directory; it is only used for development purposes and is
> not necessary for normal ADOdb operations.

So I don't think Debian even qualify as "vulnerable".

Sure, if you unzip the example test file and create a reachable script based on 
that, you will have a problem. Note that fixing the example on which you 
created your affected script will not immediately save you...

I plan to work on packaging 5.20.6 (for sid) tomorrow I guess.

Do you still think the update would be nice to have in wheezy-security?

On Friday 09 September 2016 01:17:03 Balint Reczey wrote:
> Hello dear maintainer(s),
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of libphp-adodb:
> https://security-tracker.debian.org/tracker/CVE-2016-4855
> https://security-tracker.debian.org/tracker/TEMP-0000000-B85664
> Would you like to take care of this yourself?
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of libphp-adodb updates
> for the LTS releases. (In case we don't get any answer for months,
> we may also take it as an opt-out, too.)
> Thank you very much.
> Balint Reczey,
>   on behalf of the Debian LTS team.
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=ma
> rkup

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: