Hi,

today I have looked into fixing CVE-2018-12689 for phpldapadmin. The code is full of potential passages that might actually trigger the exploit behind CVE-2018-12689. This surely needs some deeper investigation. I also tried to reproduce the exploit for CVE-2018-12689 against a phpldapadmin as found in jessie, but failed. I have contacted the exploit author with the hope of getting more details.

Unfortunately, I can only continue working on this when back from vacation (13th Aug). I will remove my name from the package in dla-needed.txt and if no one else has picked it up until then, I will continue my work that I already started today.

The other open issue for phpldapadmin (no-dsa, actually) CVE-2017-11107 is easy to fix (Ubuntu has a patch for it).

Greets,
Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de