Your message dated Tue, 22 Apr 2025 21:39:42 +0000
with message-id <e1u7llc-009ph7...@fasolo.debian.org>
and subject line Bug#1103881: fixed in php-laravel-framework 10.48.29+dfsg-1
has caused the Debian Bug report #1103881,
regarding php-laravel-framework: CVE-2025-27515
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1103881: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103881
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-laravel-framework
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for php-laravel-framework.
CVE-2025-27515[0]:
| Laravel is a web application framework. When using wildcard
| validation to validate a given file or image field (`files.*`), a
| user-crafted malicious request could potentially bypass the
| validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.
https://github.com/laravel/framework/security/advisories/GHSA-78fx-h6xr-vch4
https://github.com/laravel/framework/commit/2d133034fefddfb047838f4caca3687a3ba811a5 (v12.1.1)
There are also two other security issues affecting sid/trixie and
which are already fixed in experimental:
https://security-tracker.debian.org/tracker/CVE-2024-13918
https://security-tracker.debian.org/tracker/CVE-2024-13919
So possibly trixie should be moved to 11.44.1 unless it's a very
breaking change between 10 and 11?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-27515
https://www.cve.org/CVERecord?id=CVE-2025-27515
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: php-laravel-framework
Source-Version: 10.48.29+dfsg-1
Done: Robin Gustafsson <rg...@debian.org>
We believe that the bug you reported is fixed in the latest version of
php-laravel-framework, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1103...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Robin Gustafsson <rg...@debian.org> (supplier of updated php-laravel-framework package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 22 Apr 2025 22:32:53 +0200
Source: php-laravel-framework
Architecture: source
Version: 10.48.29+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: Robin Gustafsson <rg...@debian.org>
Closes: 1103881
Changes:
php-laravel-framework (10.48.29+dfsg-1) unstable; urgency=medium
.
* New upstream version 10.48.29+dfsg
- Fix security issue: validation bypass (CVE-2025-27515, Closes: #1103881)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---