Your message dated Thu, 07 Jan 2010 01:54:26 +0000
with message-id <e1nshzy-0007kf...@ries.debian.org>
and subject line Bug#561975: fixed in phpldapadmin 1.1.0.5-6+lenny1
has caused the Debian Bug report #561975,
regarding CVE-2009-4427: Local file inclusion vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
561975: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561975
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: phpldapadmin
Severity: grave
Tags: security

Hi,

A vulnerability has been discovered on phpLDAPadmin, which can be exploited by
malicious people to disclose sensitive information.

Input passed via the "cmd" parameter to cmd.php is not properly verified before
being used to include files. This can be exploited to include arbitrary files
from local resources.

See: http://www.exploit-db.com/exploits/10410
     http://secunia.com/advisories/37848/



--- End Message ---
--- Begin Message ---
Source: phpldapadmin
Source-Version: 1.1.0.5-6+lenny1

We believe that the bug you reported is fixed in the latest version of
phpldapadmin, which is due to be installed in the Debian FTP archive:

phpldapadmin_1.1.0.5-6+lenny1.diff.gz
  to main/p/phpldapadmin/phpldapadmin_1.1.0.5-6+lenny1.diff.gz
phpldapadmin_1.1.0.5-6+lenny1.dsc
  to main/p/phpldapadmin/phpldapadmin_1.1.0.5-6+lenny1.dsc
phpldapadmin_1.1.0.5-6+lenny1_all.deb
  to main/p/phpldapadmin/phpldapadmin_1.1.0.5-6+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 561...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated phpldapadmin 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Wed, 06 Jan 2010 17:53:30 +0100
Source: phpldapadmin
Binary: phpldapadmin
Architecture: source all
Version: 1.1.0.5-6+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Fabio Tranchitella <kob...@debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description: 
 phpldapadmin - web based interface for administering LDAP servers
Closes: 561975
Changes: 
 phpldapadmin (1.1.0.5-6+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-4427: Local file inclusion vulnerability (Closes: #561975)



--- End Message ---
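
The bug report above describes a request parameter ("cmd") reaching a file include without verification. The following is an added example, not phpLDAPadmin's code and not the Debian patch, of one way to validate such a value before it is used in an include; the function name `resolve_cmd_file`, the directory layout and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added example with hypothetical names; not phpLDAPadmin's own code.

/**
 * Map a request-supplied command name to a script inside $baseDir.
 * Returns the canonical path, or null if the value must not be included.
 */
function resolve_cmd_file(string $cmd, string $baseDir): ?string
{
    // 1. Syntax check: a short name of letters, digits and underscores only.
    //    Rejects path separators, dots, NUL bytes and empty input.
    if (preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $cmd) !== 1) {
        return null;
    }

    // 2. Containment check: canonicalise both paths and require the
    //    target to be a regular file directly inside the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $cmd . '.php');
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (dirname($path) !== $base) {
        return null; // e.g. a symlink that resolves outside $baseDir
    }
    return $path;
}

// Constructed demo: a temporary command directory holding one script.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cmd_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'welcome.php', '<?php echo "welcome";');

// Constructed inputs: one valid name, then values the check must refuse.
foreach (['welcome', 'missing', '../welcome', "welcome\0", 'a/b', ''] as $input) {
    $file = resolve_cmd_file($input, $dir);
    printf(
        "%-18s => %s\n",
        json_encode($input, JSON_UNESCAPED_SLASHES),
        $file === null ? 'rejected' : 'include ' . basename($file)
    );
}

// Clean up the demo directory.
unlink($dir . DIRECTORY_SEPARATOR . 'welcome.php');
rmdir($dir);
```

Only `welcome` resolves to a file; every other input is rejected before any include would take place.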
