Fedora has issued an advisory on July 24: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/32G6FKD3IJA6ARX774VQKNCVAH6VF4AX/ Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated phpldapadmin package fixes security vulnerability:

phpLDAPadmin through 1.2.3 has XSS in htdocs/entry_chooser.php via the form, element, rdn, or container parameter (CVE-2017-11107).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11107
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/32G6FKD3IJA6ARX774VQKNCVAH6VF4AX/
========================

Updated packages in core/updates_testing:
========================
phpldapadmin-1.2.3-5.1.mga5
phpldapadmin-1.2.3-7.1.mga6

from SRPMS:
phpldapadmin-1.2.3-5.1.mga5.src.rpm
phpldapadmin-1.2.3-7.1.mga6.src.rpm
Assignee: bugsquad => qa-bugs
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
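For readers reviewing similar PHP templates, the following is an added illustration of the bug class the advisory names (a request parameter written into HTML without encoding) next to the hardened form. It is not phpLDAPadmin's code and not the fix shipped in the update; the function names, the hidden-field markup and the sample input are assumptions for the example.

```php
<?php
// Added illustration of reflected XSS via request parameters and its
// mitigation (output encoding). NOT phpLDAPadmin's code: the function names,
// the markup and the sample input below are assumptions for the example.

declare(strict_types=1);

/**
 * Unsafe pattern: parameter values are interpolated into the HTML unchanged,
 * so any quote or markup in a value is parsed by the browser as part of the
 * page rather than shown as text.
 */
function render_hidden_fields_unsafe(array $params): string
{
    $html = '';
    foreach (['form', 'element', 'rdn', 'container'] as $name) {
        $value = (string) ($params[$name] ?? '');
        $html .= "<input type=\"hidden\" name=\"$name\" value=\"$value\">\n";
    }
    return $html;
}

/**
 * Encode a value for an HTML attribute context. ENT_QUOTES encodes both
 * quote styles so a value cannot terminate the value="..." attribute;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
 * string, which would otherwise silently drop the field.
 */
function esc_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened pattern: every dynamic value passes through esc_attr() at the
 * point where it is written into the page.
 */
function render_hidden_fields_safe(array $params): string
{
    $html = '';
    foreach (['form', 'element', 'rdn', 'container'] as $name) {
        $value = (string) ($params[$name] ?? '');
        $html .= '<input type="hidden" name="' . esc_attr($name)
               . '" value="' . esc_attr($value) . "\">\n";
    }
    return $html;
}

// Constructed sample input: an RDN containing a quote and angle brackets,
// characters that must never reach the page unencoded.
$sample = ['form' => 'entry', 'rdn' => 'cn=Smith, Jr." <test>'];

echo "Unsafe:\n", render_hidden_fields_unsafe($sample);
echo "Safe:\n",   render_hidden_fields_safe($sample);
// In the safe output the quote and brackets appear as &quot; &lt; &gt;,
// so the browser renders them as text instead of parsing them as markup.
```

Running it with `php` on the command line prints both renderings side by side; the difference between them is exactly what a reviewer looks for when auditing a template for this class of bug.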
Whiteboard: MGA5TOO => MGA5TOO advisory
CC: (none) => lewyssmith
MGA6-32 on Asus A6000VM MATE

Installation: no dependencies drawn in, but slapd is not installed, so manual fiddling necessary. LDAP administration is unknown territory for me.
CC: (none) => herman.viaene
Testing mga5 64 as far as ensuring the phpldapadmin login page is available at http://localhost/phpldapadmin

No idea how to configure openldap to actually be able to log in there though. Any pointers?
Probing M5_64

Project site, actually rather good: http://phpldapadmin.sourceforge.net/
Configuration: http://phpldapadmin.sourceforge.net/wiki/index.php/Config has important advice about config file example & updates. The real one is at /etc/phpldapadmin/config.php

BEFORE the update:
[damo] phpldapadmin-1.2.3-5.mga5 and (thanks Claire) http://localhost/phpldapadmin -> http://localhost/phpldapadmin/htdocs/index.php shows a nice "php/LDAP/admin" page.

"The config.php file must be in the config/ directory. An example config.php file is provided with the PLA source code - it is called config.php.example and you will also find it in the config/ directory. You should copy or rename this file to config.php before you use PLA for the first time. Each new release will only update the config.php.example file and you may need to merge the updates to your config.php to take advantage of any new features and functions."

No sign of config.php.example; nor anything in /usr/share/[doc/].

Going for a clean update only: phpldapadmin-1.2.3-5.1.mga5
Again no sign of config.php.example. /etc/phpldapadmin/config.php does not seem to have been touched.
http://localhost/phpldapadmin shows the same page as previously.
Enough for an OK, since we have no time currently to explore this thing.
Whiteboard: MGA5TOO advisory => MGA5TOO advisory MGA5-64-OK
Testing Mageia 6 x64

BEFORE the update: phpldapadmin-1.2.3-7.mga6 (installing which pulled in 30 pkgs, Apache included; had to start that).
http://localhost/phpldapadmin showed the usual "php/LDAP/admin" page.
# ls -l /etc/phpldapadmin/
-rw-r----- 1 root apache 24994 Hyd 13 2016 config.php

AFTER update to: phpldapadmin-1.2.3-7.1.mga6
# ls -l /etc/phpldapadmin/
-rw-r----- 1 root apache 24994 Gor 27 17:40 config.php
so I was probably wrong about this in my Comment 5. It looks like the config file is replaced by the update, but has exactly the same size.
http://localhost/phpldapadmin shows the usual page, + the additional comment: "Configuration cache stale. Your configuration has been automatically refreshed." (which again I may have overlooked in Comment 5).
Good enough for an OK. Validating also, both releases done.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA5TOO advisory MGA5-64-OK => MGA5TOO advisory MGA5-64-OK MGA6-64-OK
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0270.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED