Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
844013a8 by Salvatore Bonaccorso at 2018-03-20T14:38:53+01:00
mark CVE-2018-7667 as fixed with 4.5.0-1

The 4.4.0 upstream version adds two mitigation steps for the issue, which maybe could be better solved by restricting access to server instances configured via a configuration file on adminer's side? (like phpmyadmin approach). But so far there is probably not much more upstream can do, and admins of an adminer instance could additionally restrict access to the adminer instance via upfront authentication.

- - - - -

1 changed file:

- data/CVE/list

Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2650,7 +2650,7 @@ CVE-2018-7669
 CVE-2018-7668 (TestLink through 1.9.16 allows remote attackers to read arbitrary ...)
 	NOT-FOR-US: TestLink
 CVE-2018-7667 (Adminer through 4.3.1 has SSRF via the server parameter. ...)
-	- adminer <unfixed>
+	- adminer 4.5.0-1
 	NOTE: http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt
 	NOTE: https://github.com/vrana/adminer/commit/0fae40fb611b5c8167fa2b8d40bf576a8935a380
 	NOTE: adminer 4.4.0 disallows connecting to privileged ports, and thus not "enumerating"

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/844013a8e113f002abfb8355b5364d476522c5a4
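Review bot: The fixed version recorded in the `+ - adminer 4.5.0-1` line does not match the only explanatory NOTE in the hunk, which attributes the mitigation to adminer 4.4.0 ("adminer 4.4.0 disallows connecting to privileged ports"), and the commit message itself describes the upstream change as two mitigation steps rather than a full fix. Please add a NOTE line beside the existing ones stating why 4.5.0-1 is the version being marked (for example, that it is the first Debian upload carrying the 4.4.0 mitigation, if that is the case) and that the SSRF is mitigated rather than fully closed, so that a later triager reading only data/CVE/list can tell whether the entry should be revisited. As a minor point, the first NOTE URL is plain http while the second is https; if the advisory is reachable over https it is preferable to record that form.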
_______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits