Bug 27905 - phpldapadmin new security issue CVE-2020-35132
Summary: phpldapadmin new security issue CVE-2020-35132
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-22 17:40 CET by David Walser
Modified: 2021-01-18 16:16 CET

See Also:
Source RPM: phpldapadmin-1.2.3-9.p2.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2020-12-22 17:40:12 CET
Fedora has issued an advisory on December 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6XA42XDSUPCOXL5ZCP5RGD3FD4JQQWNX/

The issue is fixed upstream in 1.2.6.2.
Comment 1 Lewis Smith 2020-12-22 20:48:53 CET
Another parentless SRPM, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2020-12-24 00:32:08 CET
new version 1.2.6.2 uploaded into updates_testing:

src: phpldapadmin-1.2.6.2-1.mga7

Assignee: pkg-bugs => qa-bugs
CC: (none) => mageia

Comment 3 David Walser 2020-12-24 00:37:26 CET
Advisory:
========================

Updated phpldapadmin package fixes security vulnerability:

An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows
users to store malicious values that may be executed by other users at a later
time via get_request in lib/function.php (CVE-2020-35132).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35132
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6XA42XDSUPCOXL5ZCP5RGD3FD4JQQWNX/
========================

Updated packages in core/updates_testing:
========================
phpldapadmin-1.2.6.2-1.mga7

from phpldapadmin-1.2.6.2-1.mga7.src.rpm
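As an added illustration of the vulnerability class named in the advisory above (a stored value that is later rendered back to other users without encoding), and not code from phpLDAPadmin, this bug, or the Mageia package, the PHP snippet below contrasts an unescaped render with one that HTML-encodes at output time. The function names, the `$stored_values` sample and the check are constructed for this example; nothing here reflects how phpLDAPadmin's `get_request` or `lib/function.php` is actually written or what the 1.2.6.2 fix changed.

```php
<?php
// Added illustration (hypothetical code, not phpLDAPadmin's): a stored
// attribute value echoed back unescaped becomes a stored XSS; encoding
// at the point of output is the mitigation.
declare(strict_types=1);

// Constructed sample: values as one user might have saved them and a
// second user later views. The description carries an HTML fragment.
$stored_values = [
    'cn'          => 'Alice Example',
    'description' => '<img src=x onerror="alert(1)">',
];

// Vulnerable pattern: the stored string is interpolated into the page
// as-is, so the browser treats any markup inside it as part of the page.
function render_unescaped(string $label, string $value): string
{
    return "<tr><td>$label</td><td>$value</td></tr>";
}

// Encode for an HTML text/attribute context. ENT_QUOTES covers both quote
// styles; ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole value
// into an empty string (which would silently drop data instead of failing).
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every untrusted piece is encoded when it is written
// into markup, regardless of where it was stored or who stored it.
function render_escaped(string $label, string $value): string
{
    return '<tr><td>' . encode_for_html($label)
         . '</td><td>' . encode_for_html($value) . '</td></tr>';
}

// Small reviewer check: an encoded text node must carry no raw markup
// characters that could open a tag or break out of an attribute.
function is_safe_text_node(string $encoded): bool
{
    return preg_match('/[<>"\']/', $encoded) === 0;
}

foreach ($stored_values as $attr => $value) {
    echo 'unescaped: ', render_unescaped($attr, $value), PHP_EOL;
    echo 'escaped:   ', render_escaped($attr, $value), PHP_EOL;

    // The raw description fails the check; the encoded form passes it.
    printf("raw safe? %s  encoded safe? %s\n",
        is_safe_text_node($value) ? 'yes' : 'no',
        is_safe_text_node(encode_for_html($value)) ? 'yes' : 'no');
}
```

Run it with `php stored_xss_example.php`. The point a package tester can take from it is where to look when verifying an update like this one: the fix for a stored XSS lives at the output side, so after upgrading, a value containing markup should render as literal text in the browser rather than as an element.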
Comment 4 Brian Rockwell 2021-01-18 16:16:40 CET
I'd like to test this, but I can't get PHP integration with the Apache web server right now.

apache-mod-php 7.3.6 is broken from what I can tell. I install that and the httpd server fails.

CC: (none) => brtians1
