
Getting phpldapadmin (CVE-2018-12869) fixed



Hi,

today I have looked into fixing CVE-2018-12689 for phpldapadmin. The code is full of potential passages that might actually trigger the exploit behind CVE-2018-12689. This surely needs some deeper investigation. I also tried to reproduce the exploit for CVE-2018-12689 against a phpldapadmin as found in jessie, but failed. I have contacted the exploit author with the hope of getting more details.

Unfortunately, I can only continue working on this when back from vacation (13th Aug). I will remove my name from the package in dla-needed.txt and if no one else has picked it up until then, I will continue my work that I already started today.

The other open issue for phpldapadmin (no-dsa, actually) CVE-2017-11107 is easy to fix (Ubuntu has a patch for it).

Greets,
Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
