[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] mark CVE-2018-7667 as fixed with 4.5.0-1

Salvatore Bonaccorso carnil at debian.org
Tue Mar 20 13:41:25 UTC 2018


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
844013a8 by Salvatore Bonaccorso at 2018-03-20T14:38:53+01:00
mark CVE-2018-7667 as fixed with 4.5.0-1

The 4.4.0 upstream version adds two mitigation steps for the issue,
which maybe could be better solved by restricting access to server
instances configured via a configuration file on adminer's side? (like
the phpmyadmin approach).

But so far there is probably not much more upstream can do, and admins of
an adminer instance could additionally restrict access to the adminer
instance via upfront authentication.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2650,7 +2650,7 @@ CVE-2018-7669
 CVE-2018-7668 (TestLink through 1.9.16 allows remote attackers to read arbitrary ...)
 	NOT-FOR-US: TestLink
 CVE-2018-7667 (Adminer through 4.3.1 has SSRF via the server parameter. ...)
-	- adminer <unfixed>
+	- adminer 4.5.0-1
 	NOTE: http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt
 	NOTE: https://github.com/vrana/adminer/commit/0fae40fb611b5c8167fa2b8d40bf576a8935a380
 	NOTE: adminer 4.4.0 disallows connecting to privileged ports, and thus not "enumerating"
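
Review bot: The new `- adminer 4.5.0-1` line records the issue as fixed, but the NOTE lines visible in this hunk describe only one upstream change in 4.4.0 (disallowing connections to privileged ports), while the commit message speaks of two mitigation steps and calls them mitigations rather than a complete fix. Unless the lines following this hunk already cover it, consider adding a NOTE that names the second mitigation and states that 4.5.0-1 carries mitigations only, with upfront authentication in front of the adminer instance as the additional restriction the commit message suggests. A short NOTE on why the fixed version is 4.5.0-1 rather than 4.4.0 would also help readers reconcile the version on the package line with the 4.4.0 reference below it.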



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/844013a8e113f002abfb8355b5364d476522c5a4
