Date: Thu, 1 Sep 2005 13:55:22 +0100 (BST)
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: security-team@FreeBSD.org
Subject: ports/85567: [maintainer] net/phpldapadmin -- security update to 0.9.7-alpha6
Message-ID: <200509011255.j81CtMPl097538@lack-of-gravitas.thebunker.net>
Resent-Message-ID: <200509011300.j81D0eaE024405@freefall.freebsd.org>

>Number: 85567
>Category: ports
>Synopsis: [maintainer] net/phpldapadmin -- security update to 0.9.7-alpha6
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Thu Sep 01 13:00:39 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Matthew Seaman
>Release: FreeBSD 6.0-BETA3 i386
>Organization: Infracaninophile
>Environment:
System: FreeBSD lack-of-gravitas.thebunker.net 6.0-BETA3 FreeBSD 6.0-BETA3 #3: Tue Aug 30 13:36:31 BST 2005 root@lack-of-gravitas.thebunker.net:/usr/obj/usr/src/sys/LACK-OF-GRAVITAS i386
>Description:
Security update to version 0.9.7-alpha6 which closes the vulnerabilities mentioned in:

http://secunia.com/advisories/16617/
http://secunia.com/advisories/16611/

(16617 in particular allows remote access to arbitrary files on the web server or uploading files from an arbitrary location and executing them in the context of the PHP interpreter in the httpd. Nasty.)

The following patches can be applied as a workaround if you don't want to upgrade from 0.9.6c just yet:

http://cvs.sourceforge.net/viewcvs.py/phpldapadmin/phpldapadmin/login.php?r1=1.45&r2=1.46
http://cvs.sourceforge.net/viewcvs.py/phpldapadmin/phpldapadmin/welcome.php?r1=1.20&r2=1.21
>How-To-Repeat:
>Fix:

--- phpldapadmin.diff begins here ---
diff -Nur /usr/ports/net/phpldapadmin/Makefile phpldapadmin/Makefile --- /usr/ports/net/phpldapadmin/Makefile Tue Jun 14 08:48:53 2005 +++ phpldapadmin/Makefile Thu Sep 1 13:22:39 2005
@@ -6,11 +6,12 @@ # PORTNAME= phpldapadmin -PORTVERSION= 0.9.6c +PORTVERSION= 0.9.7.a6 PORTEPOCH= 1 CATEGORIES= net www MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= phpldapadmin +DISTNAME= ${PORTNAME}-${PORTVERSION:C/\.a(.)/-alpha\1/} MAINTAINER= m.seaman@infracaninophile.co.uk COMMENT= A set of PHP-scripts to administer LDAP servers over the web diff -Nur /usr/ports/net/phpldapadmin/distinfo phpldapadmin/distinfo --- /usr/ports/net/phpldapadmin/distinfo Tue Jun 7 09:00:11 2005 +++ phpldapadmin/distinfo Thu Sep 1 13:23:03 2005 @@ -1,2 +1,2 @@ -MD5 (phpldapadmin-0.9.6c.tar.gz) = 8404fa6f0ad3185cc9353c94bf44ae56 -SIZE (phpldapadmin-0.9.6c.tar.gz) = 707109 +MD5 (phpldapadmin-0.9.7-alpha6.tar.gz) = 08109739708f5b00c197422fb883a7b9 +SIZE (phpldapadmin-0.9.7-alpha6.tar.gz) = 739882 --- phpldapadmin.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
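
Review bot: In the Makefile hunk, the new DISTNAME line rewrites PORTVERSION with ":C/\.a(.)/-alpha\1/", where the pattern is unanchored and "(.)" accepts any character, not only a digit, so it would also rewrite a ".a" sequence appearing elsewhere in a future version string. Tightening it to something like "\.a([0-9]+)$" would restrict the rewrite to a trailing alpha suffix, and a one-line comment above DISTNAME saying that PORTVERSION 0.9.7.a6 stands for the upstream name 0.9.7-alpha6 would document why the two differ for whoever bumps the version next.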
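
Review bot: In the distinfo hunk, the replacement tarball is pinned only by the "MD5 (phpldapadmin-0.9.7-alpha6.tar.gz)" and "SIZE" lines. Since this distfile is being pulled in as a security fix, it would be worth recording a stronger digest next to them, for example an additional "SHA256 (phpldapadmin-0.9.7-alpha6.tar.gz) = <digest of the fetched file>" line generated from the same download, so that a substituted tarball is not accepted on the strength of MD5 alone.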