Your message dated Sat, 23 Jun 2018 12:32:13 +0100 with message-id <1529753533.11744.69.ca...@adam-barratt.org.uk> and subject line Closing bugs for requests included in the EoL jessie point release has caused the Debian Bug report #893804, regarding jessie-pu: package adminer/3.3.3-1+deb8u1 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 893804: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893804 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu Dear stable release manager, Please consider adminer (3.3.3-1+deb8u1) for jessie: adminer (3.3.3-1+deb8u1) jessie; urgency=high * CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated to arbitrary systems and ports which coul bypass external firewalls to identify internal hosts and/or perform port scanning of other servers. (Closes: #893668) The full diff is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-commit 05a84a7afd8c8e059f9e08a9502417fa5f79e63d Author: Chris Lamb <la...@debian.org> Date: Thu Mar 22 10:56:21 2018 -0400 CVE-2018-7667 diff --git a/debian/changelog b/debian/changelog index 9e044c6..d878f1e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +adminer (3.3.3-1+deb8u1) jessie; urgency=high + + * CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated + to arbitrary systems and ports which coul bypass external firewalls to + identify internal hosts and/or perform port scanning of other servers. + (Closes: #893668) + + -- Chris Lamb <la...@debian.org> Tue, 20 Mar 2018 22:40:06 -0400 + adminer (3.3.3-1) unstable; urgency=low * Initial release (Closes: #658861) diff --git a/debian/patches/CVE-2018-7667.patch b/debian/patches/CVE-2018-7667.patch new file mode 100644 index 0000000..1d445a2 --- /dev/null +++ b/debian/patches/CVE-2018-7667.patch @@ -0,0 +1,13 @@ +--- pkg-adminer.orig/adminer/include/auth.inc.php ++++ pkg-adminer/adminer/include/auth.inc.php +@@ -90,6 +90,10 @@ if (isset($_GET["username"])) { + page_footer("auth"); + exit; + } ++ list($host, $port) = explode(":", SERVER, 2); ++ if (is_numeric($port) && $port < 1024) { ++ auth_error('Connecting to privileged ports is not allowed.'); ++ } + $connection = connect(); + } + if (is_string($connection) || !$adminer->login($_GET["username"], get_session("pwds"))) { diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..e4d99c3 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2018-7667.patch
--- End Message ---
--- Begin Message ---Version: 8.11 Hi, The updates referenced by these bugs were included in today's EoL point release for jessie (8.11). Regards, Adam
--- End Message ---
