Your message dated Thu, 28 Feb 2008 07:52:15 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#463589: fixed in phpbb2 2.0.13+1-6sarge4
has caused the Debian Bug report #463589,
regarding phpbb2: CVE-2008-0471 XSRF vulnerability exploitable via crafted
private message
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
463589: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463589
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Source: phpbb2
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for phpbb2.
CVE-2008-0471[0]:
| Cross-site request forgery (CSRF) vulnerability in privmsg.php in
| phpBB 2.0.22 allows remote attackers to delete private messages (PM)
| as arbitrary users via a deleteall action.
I tested this sucessfully in a local phpbb2 installation as
well as on phpbb.de using two test accounts.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0471
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgp2BMFhdHwzG.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: phpbb2
Source-Version: 2.0.13+1-6sarge4
We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:
phpbb2-conf-mysql_2.0.13-6sarge4_all.deb
to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.13-6sarge4_all.deb
phpbb2-languages_2.0.13-6sarge4_all.deb
to pool/main/p/phpbb2/phpbb2-languages_2.0.13-6sarge4_all.deb
phpbb2_2.0.13+1-6sarge4.diff.gz
to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge4.diff.gz
phpbb2_2.0.13+1-6sarge4.dsc
to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge4.dsc
phpbb2_2.0.13-6sarge4_all.deb
to pool/main/p/phpbb2/phpbb2_2.0.13-6sarge4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated phpbb2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 9 Feb 2008 01:16:49 +0100
Source: phpbb2
Binary: phpbb2-languages phpbb2-conf-mysql phpbb2
Architecture: source all
Version: 2.0.13+1-6sarge4
Distribution: oldstable-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <[EMAIL PROTECTED]>
Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]>
Description:
phpbb2 - A fully featured and skinneable flat (non-threaded) webforum
phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
phpbb2-languages - phpBB2 additional languages
Closes: 388120 405980 463589
Changes:
phpbb2 (2.0.13+1-6sarge4) oldstable-security; urgency=high
.
* Upload to sarge to address security issues.
* CVE-2006-4758: authenticated admin may upload arbitrary files
(very minor issue, closes: 388120).
* CVE-2006-6839: update criteria for redirection targets.
* CVE-2006-6840: fix negative start parameter.
* CVE-2006-6508/CVE-2006-6841: fix csrf (closes: 405980).
* CVE-2008-0471: fix csrf (closes: 463589).
Files:
d5ca94a7a4c2b3468428a993a1dbc5cc 1011 web optional phpbb2_2.0.13+1-6sarge4.dsc
c403597d08f4c5af0f62b84c5ee72a7e 67912 web optional
phpbb2_2.0.13+1-6sarge4.diff.gz
944e55e056fc34d970e95b78201589fe 526154 web optional
phpbb2_2.0.13-6sarge4_all.deb
f0df2114bd60d9b84fbda1d241294fdd 37766 web extra
phpbb2-conf-mysql_2.0.13-6sarge4_all.deb
f10c4962035ede6e02417b8098efeda0 2868920 web optional
phpbb2-languages_2.0.13-6sarge4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBR6zz/mz0hbPcukPfAQID8wgAkC1l66pYum5qTcJHfUszTCEWb6CIwrV0
a+mHcUFpa0grCwkWQEd1x4t7CH7rAIoRW7N19/v6avBkIKQiAC1MvjTR7qUc1/g0
R6Aus7ZDe2PKd2PShVoLT2A6EYJSkpieyoEnVbllumQpfgKD/VP5DvX6QOYoN3xh
uD4KlhkCq1uMOr3FCvY3xTf/V2F1vnEkJssn79//iP3qRCsrAzaAxM1MO2BzLkLB
ZLmUhFx7/UeUeGdhwXAS0gbRb09oPO1c1yKXIB/y2hqO2UXuQLtxOlajrQES+f8W
TQGWjzuXFgrW1PafmOvT24N0QDhCI+KWu8jRY122WdrDLLo9OUInYA==
=vhx+
-----END PGP SIGNATURE-----
--- End Message ---
