Re: Wheezy update of libphp-adodb?
Hi Jean-Michel,
2016-09-10 3:01 GMT+02:00 Jean-Michel Vourgère (debian) <nirgal@debian.org>:
> Hi Bálint
>
> Actually, I was talking about CVE-2016-4855 and I totally overlooked
> TEMP-0000000-B85664.
>
> Debian is not vulnerable to CVE-2016-4855. That was what my previous mail was
> about.
>
> However TEMP-0000000-B85664 has a real issue that should be fixed.
>
> Sorry for the mess. I just commited secure-testing/data/CVE/list moving the
> "unimportant" and the note about the file being an example from CVE-2016-XXXX
> to CVE-2016-4855.
OK, thank you. Would you like to handle the LTS update or just
unstable and stable?
Cheers,
Balint
>
>
> On Friday 09 September 2016 21:49:49 Bálint Réczey wrote:
>> Hi Jean-Michel,
>>
>> Thank you for your prompt response.
>>
>> 2016-09-09 20:25 GMT+02:00 Jean-Michel Vourgère (debian)
> <nirgal@debian.org>:
>> > Hi
>> >
>> > On Debian, the affected php script is deployed as
>> > /usr/share/doc/libphp-adodb/examples/test.php.gz
>> > and NOT in a browser reachable location:
>> >
>> > It's not in /usr/share/php/adodb/ with the rest of the library and
>> > /usr/share/doc/ is no longer reachable since a long while, if I remember
>> > correctly.
>> >
>> > Upstream wrote:
>> >> As a workaround until hotfix is released, we recommend all users to
>> >> remove
>> >> the whole ./tests directory; it is only used for development purposes and
>> >> is not necessary for normal ADOdb operations.
>> >
>> > So I don't think Debian even qualify as "vulnerable".
>>
>> Agreed, the installed package is not vulnerable as installed.
>>
>> > Sure, if you unzip the example test file and create a reachable script
>> > based on that, you will have a problem. Note that fixing the example on
>> > which you created your affected script will not immediately save you...
>> >
>> > I plan to work on packaging 5.20.6 (for sid) tomorrow I guess.
>>
>> Thank you for taking care of that.
>>
>> > Do you still think the update would be nice to have in wheezy-security?
>>
>> I don't consider this a high priority issue either, but the package can be
>> updated with the proper example and a DLA can be issued to raise
>> attention of system administrators.
>>
>> Cheers,
>> Balint
>>
>> > On Friday 09 September 2016 01:17:03 Balint Reczey wrote:
>> >> Hello dear maintainer(s),
>> >>
>> >> the Debian LTS team would like to fix the security issues which are
>> >> currently open in the Wheezy version of libphp-adodb:
>> >> https://security-tracker.debian.org/tracker/CVE-2016-4855
>> >> https://security-tracker.debian.org/tracker/TEMP-0000000-B85664
>> >>
>> >> Would you like to take care of this yourself?
>> >>
>> >> If yes, please follow the workflow we have defined here:
>> >> https://wiki.debian.org/LTS/Development
>> >>
>> >> If that workflow is a burden to you, feel free to just prepare an
>> >> updated source package and send it to debian-lts@lists.debian.org
>> >> (via a debdiff, or with an URL pointing to the source package,
>> >> or even with a pointer to your packaging repository), and the members
>> >> of the LTS team will take care of the rest. Indicate clearly whether you
>> >> have tested the updated package or not.
>> >>
>> >> If you don't want to take care of this update, it's not a problem, we
>> >> will do our best with your package. Just let us know whether you would
>> >> like to review and/or test the updated package before it gets released.
>> >>
>> >> You can also opt-out from receiving future similar emails in your
>> >> answer and then the LTS Team will take care of libphp-adodb updates
>> >> for the LTS releases. (In case we don't get any answer for months,
>> >> we may also take it as an opt-out, too.)
>> >>
>> >> Thank you very much.
>> >>
>> >> Balint Reczey,
>> >>
>> >> on behalf of the Debian LTS team.
>> >>
>> >> PS: A member of the LTS team might start working on this update at
>> >> any point in time. You can verify whether someone is registered
>> >> on this update in this file:
>> >> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view
>> >> =ma rkup
>
Reply to: