Fedora has issued an advisory on December 21: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6XA42XDSUPCOXL5ZCP5RGD3FD4JQQWNX/ The issue is fixed upstream in 1.2.6.2.
Another parentless SRPM, so assigning this globally.
Assignee: bugsquad => pkg-bugs
new version 1.2.6.2 uploaded into updates_testing: src: phpldapadmin-1.2.6.2-1.mga7
CC: (none) => mageia
Assignee: pkg-bugs => qa-bugs
Advisory:
========================

Updated phpldapadmin package fixes security vulnerability:

An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via get_request in lib/function.php (CVE-2020-35132).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35132
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6XA42XDSUPCOXL5ZCP5RGD3FD4JQQWNX/
========================

Updated packages in core/updates_testing:
========================
phpldapadmin-1.2.6.2-1.mga7

from phpldapadmin-1.2.6.2-1.mga7.src.rpm
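The advisory describes the bug class only: a value taken from the request is stored and later rendered to other users without encoding. As an added illustration (not phpLDAPadmin's own code, and not the actual fix in lib/function.php), the following PHP shows the defensive pattern that closes this class of stored XSS: keep the raw value for storage, but pass anything that reaches an HTML page through an output encoder. The function names `get_request_raw`, `html_escape` and `render_entry_name`, and the sample value, are hypothetical.

```php
<?php
// Added example, not phpLDAPadmin code. Names are hypothetical.

// Fetch a request parameter as a string, with a default when it is absent.
// This returns the raw value; it must not be echoed into HTML as-is.
function get_request_raw(array $request, string $name, string $default = ''): string
{
    return isset($request[$name]) ? (string) $request[$name] : $default;
}

// Encode a value for an HTML element or quoted-attribute context.
// ENT_QUOTES encodes both ' and " so the result is safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
// which would otherwise silently drop the value.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render a stored/requested value. Encoding happens at the point of output,
// so the same raw value can be stored (for example in LDAP) unchanged and
// still be displayed safely to other users later.
function render_entry_name(array $request): string
{
    $name = get_request_raw($request, 'name', '(unnamed)');
    return '<span class="entry">' . html_escape($name) . '</span>';
}

// Constructed sample input standing in for a value another user stored earlier.
$sample = ['name' => '<script>alert(document.cookie)</script>'];

// Output-encoded: the browser shows the text of the tag instead of running it.
echo render_entry_name($sample), PHP_EOL;
```

The point for reviewers of a fix like this one is where the encoding sits: applying `html_escape` at every output site is what protects the later viewer, whereas filtering on input alone leaves any value that was stored before the fix (or stored through another path) still dangerous.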
I'd like to test this, but I can't get php integration with apache web-server right now. apache-mod-php 7.3.6 is broken from what I can tell. I install that and the httpd server fails.
CC: (none) => brtians1
(In reply to Brian Rockwell from comment #4)
> I'd like to test this, but I can't get php integration with apache
> web-server right now.
>
> apache-mod-php 7.3.6 is broken from what I can tell. I install that and the
> httpd server fails.

There's an updated apache-mod-php in the repos. Does that help you with this?
CC: (none) => andrewsfarm
Hey TJ - are you talking about apache-mod-php 7.3.26? If so, it won't install.
7.3.27 won't either. Looks like they might be trying to fix the problem, not sure why it won't install.
Hi TJ - I got further on this, but it is a job to configure. Installs fine and I am able to get httpd server working now with it. Your call if good enough.
(In reply to Brian Rockwell from comment #7)
> 7.3.27 won't either. Looks like they might be trying to fix the problem,
> not sure why it won't install.

Yes, bug 27436 is rearing its ugly head. But from what I read, that only seems to affect drakrpm. You can work around it by using urpmi, which doesn't seem to have the same problem.
(In reply to Brian Rockwell from comment #8)
> Hi TJ - I got further on this, but it is a job to configure.
>
> Installs fine and I am able to get httpd server working now with it.
>
> Your call if good enough.

I think so, but it's another time when it's not one of my areas. I'll send it through, and if it isn't enough I'm sure we'll be told. Validating. Advisory in Comment 3.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Advisory committed to SVN.
CVE: (none) => CVE-2020-35132
Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0080.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED