ELA-560-1 libphp-adodb security update

authentication bypass

2022-02-06
Package: libphp-adodb
Version: 5.15-1+deb8u2
Related CVEs: CVE-2021-3850

It was found that in libphp-adodb, a PHP database abstraction layer library, an attacker can inject values into the PostgreSQL connection string by bypassing adodb_addslashes(). In phppgadmin, for example, the function can be bypassed by surrounding the username in quotes and submitting it with other parameters injected in between.
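
The quoting failure described above, as an added PHP example (not ADOdb's, phppgadmin's or Debian's code): a helper that trusts values which already look quoted, next to one that always escapes. The function names, the assumed pass-through behaviour of the flawed helper, the simplified keyword reader and the sample input are all constructed for illustration.

```php
<?php
// Added illustration; helper names are hypothetical, not ADOdb's API.

// Flawed pattern (assumed): a value that already starts and ends with a
// single quote is treated as quoted and returned without escaping.
function quote_trusting(string $s): string {
    if (strlen($s) >= 2 && $s[0] === "'" && substr($s, -1) === "'") {
        return $s;
    }
    return "'" . addslashes($s) . "'";
}

// Hardened pattern: always escape backslash and quote, then always wrap.
function quote_always(string $s): string {
    return "'" . str_replace(["\\", "'"], ["\\\\", "\\'"], $s) . "'";
}

// Minimal reader for libpq-style "keyword=value" strings; returns keywords.
function conninfo_keywords(string $c): array {
    $keys = [];
    $ws = " \t\r\n";
    $n = strlen($c);
    $i = 0;
    while (($i += strspn($c, $ws, $i)) < $n) {
        $eq = strpos($c, '=', $i);
        if ($eq === false) {
            break;                        // trailing text without a keyword
        }
        $keys[] = trim(substr($c, $i, $eq - $i));
        $i = $eq + 1;
        if ($i < $n && $c[$i] === "'") {
            for ($i++; $i < $n && $c[$i] !== "'"; $i++) {
                if ($c[$i] === '\\') {
                    $i++;                 // skip the escaped character
                }
            }
            $i = min($i + 1, $n);         // step past the closing quote
        } else {
            $i += strcspn($c, $ws, $i);   // bare value ends at whitespace
        }
    }
    return $keys;
}

$input = "'alice' application_name='injected'";  // constructed sample username
foreach (['quote_trusting', 'quote_always'] as $quote) {
    $conninfo = 'user=' . $quote($input) . ' dbname=' . $quote('app');
    echo $quote, ': ', implode(', ', conninfo_keywords($conninfo)), "\n";
}
```

With the trusting helper the keyword list gains application_name; with the always-escaping helper the same input stays inside the user value, so only user and dbname are reported.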

For Debian 8 jessie, these problems have been fixed in version 5.15-1+deb8u2.

We recommend that you upgrade your libphp-adodb packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/