Security vulnerability in phpldapadmin

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

The latest debian package (in security updates) already include the fix: 1.2.0.5-2 -> 1.2.0.5-2+squeeze1.

Should I create a debdiff or there is a simpler way to pull the update? If debdiff is the way, I've to create one for each version (Lucid, Maverick,...)?

Please advise. Thanks,
Gabriel

Precise has 1.2.0.5-2.1ubuntu1, which contains the fix.

Because there are Ubuntu-specific changes, we cannot just sync from Debian so debdiffs must be provided. Please see https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes_for_Contributors for details on getting your patches into Ubuntu. Thanks for looking at this! :)

Sorry for the long delay, but I'm working on my extra hours on this one.
I'm new to debdiff. If you need any refactoring, let me know.

Thanks for your patch! Someone from the security team will process this soon. Subscribing ubuntu-security-sponsors as per https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes_for_Contributors.

Thanks for the debdiff, ACK.

Since basically the same version is in lucid-oneiric, I've used your debdiff with some minor adjustments to fix all releases. Packages will be published to -security in the next few hours.

Thanks!

This bug was fixed in the package phpldapadmin - 1.2.0.5-2ubuntu1.11.10.1

---------------
phpldapadmin (1.2.0.5-2ubuntu1.11.10.1) oneiric-security; urgency=high

  * Merge from debian security updates. (LP: #887290)
    - CVE-2011-4074 Fix XSS vulnerability in debug code
    - CVE-2011-4075 Fix arbitrary code execution by unauthenticated users
 -- <email address hidden> (Gabriel A. von Winckler) Thu, 24 Nov 2011 14:39:09 -0200

This bug was fixed in the package phpldapadmin - 1.2.0.5-2ubuntu1.11.04.1

---------------
phpldapadmin (1.2.0.5-2ubuntu1.11.04.1) natty-security; urgency=high

  * Merge from debian security updates. (LP: #887290)
    - CVE-2011-4074 Fix XSS vulnerability in debug code
    - CVE-2011-4075 Fix arbitrary code execution by unauthenticated users
 -- <email address hidden> (Gabriel A. von Winckler) Thu, 24 Nov 2011 14:39:09 -0200

This bug was fixed in the package phpldapadmin - 1.2.0.5-1.1ubuntu1.1

---------------
phpldapadmin (1.2.0.5-1.1ubuntu1.1) maverick-security; urgency=high

  * Merge from debian security updates. (LP: #887290)
    - CVE-2011-4074 Fix XSS vulnerability in debug code
    - CVE-2011-4075 Fix arbitrary code execution by unauthenticated users
 -- <email address hidden> (Gabriel A. von Winckler) Thu, 24 Nov 2011 14:39:09 -0200

This bug was fixed in the package phpldapadmin - 1.2.0.5-1ubuntu1.10.04.2

---------------
phpldapadmin (1.2.0.5-1ubuntu1.10.04.2) lucid-security; urgency=high

  * Merge from debian security updates. (LP: #887290)
    - CVE-2011-4074 Fix XSS vulnerability in debug code
    - CVE-2011-4075 Fix arbitrary code execution by unauthenticated users
 -- <email address hidden> (Gabriel A. von Winckler) Thu, 24 Nov 2011 14:39:09 -0200