Your message dated Fri, 15 Feb 2008 19:52:37 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#463589: fixed in phpbb2 2.0.21-7
has caused the Debian Bug report #463589,
regarding phpbb2: CVE-2008-0471 XSRF vulnerability exploitable via crafted
private message
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
463589: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463589
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Source: phpbb2
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for phpbb2.
CVE-2008-0471[0]:
| Cross-site request forgery (CSRF) vulnerability in privmsg.php in
| phpBB 2.0.22 allows remote attackers to delete private messages (PM)
| as arbitrary users via a deleteall action.
I tested this sucessfully in a local phpbb2 installation as
well as on phpbb.de using two test accounts.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0471
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpyjn2KHU0fW.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: phpbb2
Source-Version: 2.0.21-7
We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:
phpbb2-conf-mysql_2.0.21-7_all.deb
to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.21-7_all.deb
phpbb2-languages_2.0.21-7_all.deb
to pool/main/p/phpbb2/phpbb2-languages_2.0.21-7_all.deb
phpbb2_2.0.21-7.diff.gz
to pool/main/p/phpbb2/phpbb2_2.0.21-7.diff.gz
phpbb2_2.0.21-7.dsc
to pool/main/p/phpbb2/phpbb2_2.0.21-7.dsc
phpbb2_2.0.21-7_all.deb
to pool/main/p/phpbb2/phpbb2_2.0.21-7_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated phpbb2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 9 Feb 2008 00:27:23 +0100
Source: phpbb2
Binary: phpbb2-languages phpbb2-conf-mysql phpbb2
Architecture: source all
Version: 2.0.21-7
Distribution: stable-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <[EMAIL PROTECTED]>
Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]>
Description:
phpbb2 - A fully featured and skinnable flat (non-threaded) webforum
phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
phpbb2-languages - phpBB2 additional languages
Closes: 463589
Changes:
phpbb2 (2.0.21-7) stable-security; urgency=high
.
* Upload to stable to fix cross site request forgery in
private messaging (CVE-2008-0471, closes: #463589).
Files:
88ad3a4f2ee714cce779873b53ebd323 1051 web optional phpbb2_2.0.21-7.dsc
30383a9bf6c5d21736e4bdf9ec7852d5 3203456 web optional phpbb2_2.0.21.orig.tar.gz
896f80500e90867741c516e57fc8bfcc 90580 web optional phpbb2_2.0.21-7.diff.gz
e8825ef3431bfe7ccf72f9f59f13a119 554842 web optional phpbb2_2.0.21-7_all.deb
49baf96bcc1c273a93e8bb5169dca722 53706 web extra
phpbb2-conf-mysql_2.0.21-7_all.deb
afd8a0fe8138c8a5cf00a3e4ac10ac59 2791410 web optional
phpbb2-languages_2.0.21-7_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBR6z0YGz0hbPcukPfAQK92gf/Yp71BGmPqZdqrNlRdcLUIcWM2u1Tz/am
zttJsmSCHolwbW8OCtXHVfm2jZpNGwnn2WV6iiYhrXVP61FGbciqHiqL88sqw3aT
6jcUlC3POIIH5P9gwS8MyO5+fxn+6P8sneVhAJSZWR/2xq9LlorOMdpEBfI0o82I
6CESjBDX9+9EFckCZVW8dqqVk7H32jwDyFFpZbgqDbhmkax/mBDa+IJRanj7SSdf
CkHN7oxTgWFzJCC0CdsqAFVN5VKyH6CYEybuz0nUaOjUB0CfpI5XRGu5KVjuHhDq
ZRd/cE9R8QdW2ooY+Ee2GbEWCxv1WsGuQJm1zgJywlXC8AtYhtB4mQ==
=TJeW
-----END PGP SIGNATURE-----
--- End Message ---
