Your message dated Wed, 16 Mar 2022 20:34:15 +0000
with message-id <[email protected]>
and subject line Bug#1004376: fixed in libphp-adodb 5.20.14-1+deb10u1
has caused the Debian Bug report #1004376,
regarding libphp-adodb: CVE-2021-3850 - Authentication Bypass in PostgreSQL connections
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1004376: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004376
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libphp-adodb
Version: 5.20.19-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libphp-adodb.

CVE-2021-3850[0]:
| Authentication Bypass by Primary Weakness in GitHub repository
| adodb/adodb prior to 5.20.21.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3850
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3850

Please adjust the affected versions in the BTS as needed.

The upstream issue describes the problem as:
"a critical security issue - anyone relying on ADOdb < 5.20.21 and <
5.21.4 to connect to a PostgreSQL database is strongly advised to
upgrade as soon as possible."

The affected line shows up in the current package in unstable:
https://sources.debian.org/src/libphp-adodb/5.20.19-1/drivers/adodb-postgres64.inc.php/?hl=50#L54
(Same version is in bullseye).
https://sources.debian.org/src/libphp-adodb/5.20.14-1/drivers/adodb-postgres64.inc.php/#L54
(buster)

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-3-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Source: libphp-adodb
Source-Version: 5.20.14-1+deb10u1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libphp-adodb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libphp-adodb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Mar 2022 21:05:16 +0100
Source: libphp-adodb
Architecture: source
Version: 5.20.14-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Cameron Dale <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1004376
Changes:
 libphp-adodb (5.20.14-1+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent auth bypass with PostgreSQL connections (CVE-2021-3850)
     (Closes: #1004376)
Checksums-Sha1:
 bf99b86607907e2bdd30650235dcad83952f62ac 2141 libphp-adodb_5.20.14-1+deb10u1.dsc
 97cafb515c3afb7320d358456aa72409a1aa4a7c 465896 libphp-adodb_5.20.14.orig.tar.gz
 d1e7d83c017d8add1b13eca13644036c0e77f604 13492 libphp-adodb_5.20.14-1+deb10u1.debian.tar.xz
 96f33347a03ee8325b83a41eec82fbd22748be6f 6829 libphp-adodb_5.20.14-1+deb10u1_source.buildinfo
Checksums-Sha256:
 80951a06f815996b11208b5fbe9736a8b33bb633a8c4f31da19d9c3fbfacdad5 2141 libphp-adodb_5.20.14-1+deb10u1.dsc
 79b7c7266ed15c1eda7b8cf67ba80dee746ee76f915b013de04a2323452e63ae 465896 libphp-adodb_5.20.14.orig.tar.gz
 d915f84057e6c5543998f73edf9a83bb4b7dde6b66ce122976829a3dcd89ced2 13492 libphp-adodb_5.20.14-1+deb10u1.debian.tar.xz
 f30d759d2db18e81515e890909d1b9547709be9f18952bd24a1a9b16a671825a 6829 libphp-adodb_5.20.14-1+deb10u1_source.buildinfo
Files:
 f444feeb5b9f6b7d3a1720aa7142f734 2141 php optional libphp-adodb_5.20.14-1+deb10u1.dsc
 3e0e879391e9047a06ab198f413cc866 465896 php optional libphp-adodb_5.20.14.orig.tar.gz
 308b75a94ae586b868614f23098ffa79 13492 php optional libphp-adodb_5.20.14-1+deb10u1.debian.tar.xz
 aacf69beb4feee04bca672b72140a56f 6829 php optional libphp-adodb_5.20.14-1+deb10u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmIs/ZxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E3J8QAImt+n9h16J9foj0iJ/wzRF2H0wVFyoF
8hpzIiTvzXLwcoFnT8SG+Sp0aFFSSlPAOCkcrG86SNXKRVE98kZhT6rlmvGwYBAF
v6yzJ9ddQfD2ESxrvhDeMIemkiN+DZkHjc1wSTyL5f4QJeSWIlp7AoMn+z1Fy/lB
WjYUfX6BNRepPWAnnLcWe+amWQqK57y++EbpLvTAyU0+yjDPcCxATkU0oTxZ8+ef
5sW6mejDQCwTnorUXrKVW3U8rw9wmCQtv+GgdVEHjGx1W2RC/ACm+DF91w2o9lHf
AApInFHtgZlieXog2RskQ8LBl4rrT3/wIB3Ogf/AWE5/DZq6sbTFRZ0xsf3CYtdM
v3i3n7YgZyTaWBbxlRo+ybaoXAaDJbdbhazBtn5E6Ls58ldKmJMxcmJDShTy0M5x
9HcfH5hxz30jE77ZopRbiu+DIu38qsgBaKTQgjzaanMxlZIAxhPB+niuoaOkJ9J7
DEpJtMD5BkvNfy3KZaFLWwqtpjBFumHNZ9wwVxe6DqJORl379ikw81/xz2K2cgJf
CHesibmpcCDICqFNwv1yTIGw46RxwnRNPsFhuY2wJN9pLxmnzlZVIzOZJLKgz1XM
UqNjJpk3k31NxOJQql8u/ZgXIBXbXw+p/giQbaMLQucZGhvVsk1dSvZShTDZ4/tY
4FJ0C43uc4zu
=R/0m
-----END PGP SIGNATURE-----

--- End Message ---