[Secure-testing-team] Bug#837211: libphp-adodb: incorrect quoting may allow SQL injection
Salvatore Bonaccorso
carnil at debian.org
Sat Sep 10 05:50:02 UTC 2016
Source: libphp-adodb
Version: 5.15-1
Severity: important
Tags: security upstream patch
Forwarded: https://github.com/ADOdb/ADOdb/issues/226
Hi
Please see [0] for details. A CVE was requested at [1]. There is a
patch upstream [2] which should go in the next upstream version. I
marked this as no-dsa for now, and could be fixed via a point release,
since it's in the PDO driver only and only if queries are built by
inlining the quoted string, both not recommended. Let us know please
if you do not agree.
Regards,
Salvatore
[0] https://github.com/ADOdb/ADOdb/issues/226
[1] http://www.openwall.com/lists/oss-security/2016/09/07/8
[2] https://github.com/ADOdb/ADOdb/commit/bd9eca9