Hi,

Nico Golde wrote:
> I take care of sponsoring the upload for unstable. For
> stable security the version looks wrong to me, please use
> 4.0.1-3.1etch1.

Right, attached the new debdiff.

Giuseppe.
diff -u phppgadmin-4.0.1/debian/changelog phppgadmin-4.0.1/debian/changelog --- phppgadmin-4.0.1/debian/changelog +++ phppgadmin-4.0.1/debian/changelog @@ -1,3 +1,11 @@ +phppgadmin (4.0.1-3.1etch1) stable-security; urgency=high + + * Non-maintainer upload. + * Fix local file inclusion vulnerability: (CVE-2008-5587) + Unset language variable before determine file includes (Closes: #508026) + + -- Giuseppe Iuculano <[email protected]> Tue, 23 Dec 2008 11:20:56 +0100 + phppgadmin (4.0.1-3.1) unstable; urgency=low * Non-maintainer upload to fix pending l10n issues. only in patch2: unchanged: --- phppgadmin-4.0.1.orig/libraries/lib.inc.php +++ phppgadmin-4.0.1/libraries/lib.inc.php @@ -94,6 +94,8 @@ } // Determine language file to import: + unset($_language); + // 1. Check for the language from a request var if (isset($_REQUEST['language']) && isset($appLangFiles[$_REQUEST['language']])) $_language = $_REQUEST['language'];
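Review bot: the `unset($_language);` inserted in libraries/lib.inc.php ahead of "1. Check for the language from a request var" only matters because register_globals can pre-populate `$_language` from the request before this code runs; the following two lines already validate `$_REQUEST['language']` against `$appLangFiles`, so the unset closes the path by which a caller could skip that check by setting `$_language` directly. The hunk does not show what the later include does when none of the detection steps assigns `$_language`, so please confirm that the final language-file include falls back to a fixed default (or is skipped) rather than including an empty or unexpected name; a short comment above the `unset` explaining that it is there to defeat register_globals would also help the next person who touches this file.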
diff -u phppgadmin-4.2/debian/apache.conf phppgadmin-4.2/debian/apache.conf --- phppgadmin-4.2/debian/apache.conf +++ phppgadmin-4.2/debian/apache.conf @@ -15,7 +15,6 @@ <IfModule mod_php5.c> php_flag magic_quotes_gpc Off php_flag track_vars On - php_flag register_globals On php_value include_path . </IfModule> diff -u phppgadmin-4.2/debian/changelog phppgadmin-4.2/debian/changelog --- phppgadmin-4.2/debian/changelog +++ phppgadmin-4.2/debian/changelog @@ -1,3 +1,12 @@ +phppgadmin (4.2-1lenny1) testing-security; urgency=high + + * Non-maintainer upload. + * debian/patches/CVE-2008-5587.patch: Unset language variable before + determine file includes (CVE-2008-5587) (Closes: #508026) + * debian/apache.conf: Removing register_globals on directive + + -- Giuseppe Iuculano <[email protected]> Tue, 23 Dec 2008 10:04:17 +0100 + phppgadmin (4.2-1) unstable; urgency=low * New upstream release diff -u phppgadmin-4.2/debian/patches/series phppgadmin-4.2/debian/patches/series --- phppgadmin-4.2/debian/patches/series +++ phppgadmin-4.2/debian/patches/series @@ -2,0 +3 @@ +CVE-2008-5587.patch only in patch2: unchanged: --- phppgadmin-4.2.orig/debian/patches/CVE-2008-5587.patch +++ phppgadmin-4.2/debian/patches/CVE-2008-5587.patch @@ -0,0 +1,12 @@ +Unset language variable before determine file includes +--- a/libraries/lib.inc.php ++++ b/libraries/lib.inc.php +@@ -95,6 +95,8 @@ + } + + // Determine language file to import: ++ unset($_language); ++ + // 1. Check for the language from a request var + if (isset($_REQUEST['language']) && isset($appLangFiles[$_REQUEST['language']])) + $_language = $_REQUEST['language'];
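Review bot: in debian/apache.conf, deleting `php_flag register_globals On` leaves register_globals at whatever the server-wide php.ini sets instead of forcing it off for this application; replacing the line with `php_flag register_globals Off` would make the hardening independent of the global configuration. The setting also lives inside `<IfModule mod_php5.c>`, so deployments that run phppgadmin under another SAPI receive no setting from this file at all, which is worth a line in the changelog entry "Removing register_globals on directive" or in README.Debian.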