Bug 27905 - phpldapadmin new security issue CVE-2020-35132
Summary: phpldapadmin new security issue CVE-2020-35132
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-12-22 17:40 CET by David Walser
Modified: 2021-02-11 21:38 CET (History)
5 users

See Also:
Source RPM: phpldapadmin-1.2.3-9.p2.mga7.src.rpm
CVE: CVE-2020-35132
Status comment:



Description David Walser 2020-12-22 17:40:12 CET
Fedora has issued an advisory on December 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6XA42XDSUPCOXL5ZCP5RGD3FD4JQQWNX/

The issue is fixed upstream in 1.2.6.2.
Comment 1 Lewis Smith 2020-12-22 20:48:53 CET
Another parentless SRPM, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2020-12-24 00:32:08 CET
New version 1.2.6.2 uploaded into updates_testing:

src: phpldapadmin-1.2.6.2-1.mga7

CC: (none) => mageia
Assignee: pkg-bugs => qa-bugs

Comment 3 David Walser 2020-12-24 00:37:26 CET
Advisory:
========================

Updated phpldapadmin package fixes security vulnerability:

An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows
users to store malicious values that may be executed by other users at a later
time via get_request in lib/function.php (CVE-2020-35132).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35132
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6XA42XDSUPCOXL5ZCP5RGD3FD4JQQWNX/
========================

Updated packages in core/updates_testing:
========================
phpldapadmin-1.2.6.2-1.mga7

from phpldapadmin-1.2.6.2-1.mga7.src.rpm
Comment 4 Brian Rockwell 2021-01-18 16:16:40 CET
I'd like to test this, but I can't get php integration with apache web-server right now.  

apache-mod-php 7.3.6 is broken from what I can tell.  I install that and the httpd server fails.

CC: (none) => brtians1

Comment 5 Thomas Andrews 2021-02-09 18:23:31 CET
(In reply to Brian Rockwell from comment #4)
> I'd like to test this, but I can't get php integration with apache
> web-server right now.  
> 
> apache-mod-php 7.3.6 is broken from what I can tell.  I install that and the
> httpd server fails.

There's an updated apache-mod-php in the repos. Does that help you with this?

CC: (none) => andrewsfarm

Comment 6 Brian Rockwell 2021-02-11 00:57:55 CET
Hey TJ - are you talking about apache-mod-php 7.3.26?

If so, it won't install.
Comment 7 Brian Rockwell 2021-02-11 01:07:59 CET
7.3.27 won't either.  Looks like they might be trying to fix the problem, not sure why it won't install.
Comment 8 Brian Rockwell 2021-02-11 02:28:23 CET
Hi TJ - I got further on this, but it is a job to configure.

Installs fine and I am able to get httpd server working now with it.

Your call if good enough.
Comment 9 Thomas Andrews 2021-02-11 02:48:56 CET
(In reply to Brian Rockwell from comment #7)
> 7.3.27 won't either.  Looks like they might be trying to fix the problem,
> not sure why it won't install.

Yes, bug 27436 is rearing its ugly head. But from what I read, that only seems to affect drakrpm. You can work around it by using urpmi, which doesn't seem to have the same problem.
Comment 10 Thomas Andrews 2021-02-11 02:54:23 CET
(In reply to Brian Rockwell from comment #8)
> Hi TJ - I got further on this, but it is a job to configure.
> 
> Installs fine and I am able to get httpd server working now with it.
> 
> Your call if good enough.

I think so, but it's another time when it's not one of my areas. I'll send it through, and if it isn't enough I'm sure we'll be told.

Validating. Advisory in Comment 3.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 11 Aurelien Oudelet 2021-02-11 18:02:51 CET
Advisory committed to SVN.

CVE: (none) => CVE-2020-35132
Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 12 Mageia Robot 2021-02-11 21:38:06 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0080.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
