Your message dated Tue, 22 Apr 2025 21:51:20 +0000
with message-id <e1u7lws-009rvy...@fasolo.debian.org>
and subject line Bug#1103881: fixed in php-laravel-framework 11.44.2+dfsg-1
has caused the Debian Bug report #1103881,
regarding php-laravel-framework: CVE-2025-27515
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1103881: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103881
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-laravel-framework
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for php-laravel-framework.
CVE-2025-27515[0]:
| Laravel is a web application framework. When using wildcard
| validation to validate a given file or image field (`files.*`), a
| user-crafted malicious request could potentially bypass the
| validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.
https://github.com/laravel/framework/security/advisories/GHSA-78fx-h6xr-vch4
https://github.com/laravel/framework/commit/2d133034fefddfb047838f4caca3687a3ba811a5
(v12.1.1)
There are also two other security issues affecting sid/trixie and
which are already fixed in experimental:
https://security-tracker.debian.org/tracker/CVE-2024-13918
https://security-tracker.debian.org/tracker/CVE-2024-13919
So possibly trixie should be moved to 11.44.1 unless it's a very
breaking change between 10 and 11?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-27515
https://www.cve.org/CVERecord?id=CVE-2025-27515
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: php-laravel-framework
Source-Version: 11.44.2+dfsg-1
Done: Robin Gustafsson <rg...@debian.org>
We believe that the bug you reported is fixed in the latest version of
php-laravel-framework, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1103...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Robin Gustafsson <rg...@debian.org> (supplier of updated php-laravel-framework
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 22 Apr 2025 23:13:13 +0200
Source: php-laravel-framework
Architecture: source
Version: 11.44.2+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: Robin Gustafsson <rg...@debian.org>
Closes: 1103881
Changes:
php-laravel-framework (11.44.2+dfsg-1) experimental; urgency=medium
.
* New upstream version 11.44.2+dfsg
- Fix security issue: validation bypass (CVE-2025-27515, Closes: #1103881)
* Configure gbp to use DEP-14 branch names
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---