Your message dated Mon, 14 Mar 2022 21:17:38 +0000
with message-id <e1nts4q-000gju...@fasolo.debian.org>
and subject line Bug#1004376: fixed in libphp-adodb 5.20.19-1+deb11u1
has caused the Debian Bug report #1004376,
regarding libphp-adodb: CVE-2021-3850 - Authentication Bypass in PostgreSQL connections
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1004376: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004376
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libphp-adodb
Version: 5.20.19-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: codeh...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for libphp-adodb.

CVE-2021-3850[0]:
| Authentication Bypass by Primary Weakness in GitHub repository
| adodb/adodb prior to 5.20.21.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3850
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3850

Please adjust the affected versions in the BTS as needed.

The upstream issue describes the problem as:
"a critical security issue - anyone relying on ADOdb < 5.20.21 and <
5.21.4 to connect to a PostgreSQL database is strongly advised to
upgrade as soon as possible."

The affected line shows up in the current package in unstable:
https://sources.debian.org/src/libphp-adodb/5.20.19-1/drivers/adodb-postgres64.inc.php/?hl=50#L54
(Same version is in bullseye).
https://sources.debian.org/src/libphp-adodb/5.20.14-1/drivers/adodb-postgres64.inc.php/#L54
(buster)

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-3-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Source: libphp-adodb
Source-Version: 5.20.19-1+deb11u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libphp-adodb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1004...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libphp-adodb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Mar 2022 21:04:13 +0100
Source: libphp-adodb
Architecture: source
Version: 5.20.19-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Cameron Dale <camrd...@gmail.com>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1004376
Changes:
 libphp-adodb (5.20.19-1+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent auth bypass with PostgreSQL connections (CVE-2021-3850)
     (Closes: #1004376)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
