Hi On Debian, the affected php script is deployed as /usr/share/doc/libphp-adodb/examples/test.php.gz and NOT in a browser reachable location: It's not in /usr/share/php/adodb/ with the rest of the library and /usr/share/doc/ is no longer reachable since a long while, if I remember correctly. Upstream wrote: > As a workaround until hotfix is released, we recommend all users to remove > the whole ./tests directory; it is only used for development purposes and is > not necessary for normal ADOdb operations. So I don't think Debian even qualify as "vulnerable". Sure, if you unzip the example test file and create a reachable script based on that, you will have a problem. Note that fixing the example on which you created your affected script will not immediately save you... I plan to work on packaging 5.20.6 (for sid) tomorrow I guess. Do you still think the update would be nice to have in wheezy-security? On Friday 09 September 2016 01:17:03 Balint Reczey wrote: > Hello dear maintainer(s), > > the Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of libphp-adodb: > https://security-tracker.debian.org/tracker/CVE-2016-4855 > https://security-tracker.debian.org/tracker/TEMP-0000000-B85664 > > Would you like to take care of this yourself? > > If yes, please follow the workflow we have defined here: > https://wiki.debian.org/LTS/Development > > If that workflow is a burden to you, feel free to just prepare an > updated source package and send it to firstname.lastname@example.org > (via a debdiff, or with an URL pointing to the source package, > or even with a pointer to your packaging repository), and the members > of the LTS team will take care of the rest. Indicate clearly whether you > have tested the updated package or not. > > If you don't want to take care of this update, it's not a problem, we > will do our best with your package. Just let us know whether you would > like to review and/or test the updated package before it gets released. > > You can also opt-out from receiving future similar emails in your > answer and then the LTS Team will take care of libphp-adodb updates > for the LTS releases. (In case we don't get any answer for months, > we may also take it as an opt-out, too.) > > Thank you very much. > > Balint Reczey, > on behalf of the Debian LTS team. > > PS: A member of the LTS team might start working on this update at > any point in time. You can verify whether someone is registered > on this update in this file: > https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=ma > rkup
Description: This is a digitally signed message part.