Bug#893803: stretch-pu: package adminer/4.2.5-3+deb9u1
tags 893803 + pending
thanks
Dear Adam,
> > adminer (4.2.5-3+deb9u1) stretch; urgency=high
[…]
> s/coul /could /
Well spotted and thanks for the ACK. adminer_4.2.5-3+deb9u1_amd64.changes
uploaded. For completeness, I've also attached the full updated debdiff.
(I assume another RT member is responsible for ACK/NACK on jessie's
equivalent here? i.e. #893804)
Best wishes,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
diffstat for adminer-4.2.5 adminer-4.2.5
changelog | 9 +++++++++
patches/CVE-2018-7667.patch | 13 +++++++++++++
patches/series | 1 +
3 files changed, 23 insertions(+)
diff -Nru adminer-4.2.5/debian/changelog adminer-4.2.5/debian/changelog
--- adminer-4.2.5/debian/changelog 2016-09-04 09:16:31.000000000 +0100
+++ adminer-4.2.5/debian/changelog 2018-03-21 02:40:06.000000000 +0000
@@ -1,3 +1,12 @@
+adminer (4.2.5-3+deb9u1) stretch; urgency=high
+
+ * CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated
+ to arbitrary systems and ports which could bypass external firewalls to
+ identify internal hosts and/or perform port scanning of other servers.
+ (Closes: #893668)
+
+ -- Chris Lamb <lamby@debian.org> Tue, 20 Mar 2018 22:40:06 -0400
+
adminer (4.2.5-3) unstable; urgency=medium
* Move mysql-server to default-mysql-server due to
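Review bot: the changelog entry describes the whole of CVE-2018-7667 ("arbitrary systems and ports") but the accompanying patch only refuses connections to ports below 1024, so the issue is narrowed rather than closed; unprivileged ports on internal hosts, including the ports database servers normally listen on, can still be probed. The entry should say what the upload actually does, e.g. "* CVE-2018-7667: refuse connections to privileged ports (< 1024) to limit the use of Adminer as a port-scanning proxy. (Closes: #893668)", so that stable users do not read it as a complete fix.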
diff -Nru adminer-4.2.5/debian/patches/CVE-2018-7667.patch adminer-4.2.5/debian/patches/CVE-2018-7667.patch
--- adminer-4.2.5/debian/patches/CVE-2018-7667.patch 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.2.5/debian/patches/CVE-2018-7667.patch 2018-03-21 02:40:06.000000000 +0000
@@ -0,0 +1,13 @@
+--- a/adminer/include/auth.inc.php
++++ b/adminer/include/auth.inc.php
+@@ -162,6 +162,10 @@ if (isset($_GET["username"])) {
+ page_footer("auth");
+ exit;
+ }
++ list($host, $port) = explode(":", SERVER, 2);
++ if (is_numeric($port) && $port < 1024) {
++ auth_error('Connecting to privileged ports is not allowed.');
++ }
+ $connection = connect();
+ }
+
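Review bot: `list($host, $port) = explode(":", SERVER, 2);` is fragile: when SERVER carries no ":" the array has one element, `$port` is assigned null with an "Undefined offset: 1" notice, and the check is skipped (harmless here, but noisy); when the host is an IPv6 literal or otherwise contains more than one ":", the split happens at the first colon, `is_numeric($port)` is false and the privileged-port check is silently bypassed. Suggest `list($host, $port) = array_pad(explode(":", SERVER, 2), 2, null);` for the notice, and, more importantly, deriving the port with the same host/port split that `connect()` itself uses so the guard and the connection can never disagree about which port is being opened. The patch also lacks a DEP-3 header (Description, Origin, Bug-Debian: https://bugs.debian.org/893668); please add one so the provenance of the change is recorded in the package.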
diff -Nru adminer-4.2.5/debian/patches/series adminer-4.2.5/debian/patches/series
--- adminer-4.2.5/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.2.5/debian/patches/series 2018-03-21 02:40:06.000000000 +0000
@@ -0,0 +1 @@
+CVE-2018-7667.patch