Your message dated Sat, 27 Sep 2008 09:02:22 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#500086: fixed in phpbb2 2.0.23+repack-3
has caused the Debian Bug report #500086,
regarding CVE-2008-4125: phpbb2 leaks state of php random number generator
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
500086: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500086
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: phpbb2
Version: 2.0.21-7
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for phpbb2.
CVE-2008-4125[0]:
| The search function in phpBB 2.x provides a search_id value that
| leaks the state of PHP's PRNG, which allows remote attackers to
| obtain potentially sensitive information, as demonstrated by a
| cross-application attack against WordPress, a different
| vulnerability than CVE-2006-0632.
This can create security issues in other web applications that run on
the same server.
This issue could also be fixed by modifying php. According to the
announcement, this will be done in the next release of suhosin, but I
am not sure that this will be in time for lenny.
Please also check phpbb3.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4125
http://security-tracker.debian.net/tracker/CVE-2008-4125
http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/
--- End Message ---
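The CVE text quoted in the report above describes a single public value, search_id, that is the raw output of PHP's PRNG, and the changelog in the closing message fixes it by no longer exposing that output. The following PHP is an added illustration and is not code from phpBB, the Debian package, or the bug reporter: it shows the leaky pattern (a bare mt_rand() value handed to the client) beside an identifier derived from the operating system's CSPRNG, and demonstrates why a single observed mt_rand() output is information about every later call in the same process. The function names and the use of random_bytes() (PHP 7 and later) are assumptions made for this example.

```php
<?php
// Added example, not phpBB's or Debian's code. Function names are hypothetical.

// Leaky pattern (mirrors the CVE description): the identifier the client
// receives is the raw output of the Mersenne Twister behind mt_rand(), so it
// reveals part of the generator's internal state to anyone who sees the URL.
function search_id_leaky(): int
{
    return mt_rand();
}

// Hardened pattern: the identifier is drawn from the OS CSPRNG via
// random_bytes() (PHP >= 7, assumed available here). The value a client sees
// is independent of mt_rand()'s state, so other code in the same PHP process
// that still relies on mt_rand() is not affected by its disclosure.
function search_id_opaque(): string
{
    return bin2hex(random_bytes(16)); // 128 random bits, hex-encoded
}

// Why the leak matters: mt_rand() is fully deterministic given its state.
// Re-seeding with the same value reproduces the same sequence, so whoever
// knows the state knows what every later mt_rand() call will return.
function mt_rand_is_deterministic(): bool
{
    mt_srand(1234);                       // constructed seed for the demo only
    $first = [mt_rand(), mt_rand(), mt_rand()];
    mt_srand(1234);                       // same seed again
    $second = [mt_rand(), mt_rand(), mt_rand()];
    return $first === $second;
}

var_dump(mt_rand_is_deterministic());
var_dump(search_id_leaky());
var_dump(search_id_opaque());
```

On the PHP 5 releases current in 2008, random_bytes() does not exist; a read from /dev/urandom or openssl_random_pseudo_bytes() (PHP 5.3 and later) plays the same role. The application-level change removes one exposure of the generator's output; the reporter's remark about suhosin refers to a PHP-level fix, since any other application in the same process that publishes raw mt_rand() output has the same problem.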
--- Begin Message ---
Source: phpbb2
Source-Version: 2.0.23+repack-3
We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:
phpbb2-conf-mysql_2.0.23+repack-3_all.deb
to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.23+repack-3_all.deb
phpbb2-languages_2.0.23+repack-3_all.deb
to pool/main/p/phpbb2/phpbb2-languages_2.0.23+repack-3_all.deb
phpbb2_2.0.23+repack-3.diff.gz
to pool/main/p/phpbb2/phpbb2_2.0.23+repack-3.diff.gz
phpbb2_2.0.23+repack-3.dsc
to pool/main/p/phpbb2/phpbb2_2.0.23+repack-3.dsc
phpbb2_2.0.23+repack-3_all.deb
to pool/main/p/phpbb2/phpbb2_2.0.23+repack-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated phpbb2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 27 Sep 2008 10:35:33 +0200
Source: phpbb2
Binary: phpbb2 phpbb2-conf-mysql phpbb2-languages
Architecture: source all
Version: 2.0.23+repack-3
Distribution: unstable
Urgency: high
Maintainer: Jeroen van Wolffelaar <[EMAIL PROTECTED]>
Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]>
Description:
phpbb2 - A fully featured and skinnable flat (non-threaded) webforum
phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
phpbb2-languages - phpBB2 additional languages
Closes: 500086 500108
Changes:
phpbb2 (2.0.23+repack-3) unstable; urgency=high
.
* Prevent leaking of the PRNG state in search_id. This is more of a
bug in PHP itself but we'll fix it here anyway to be sure.
[CVE-2008-4125, closes: #500086]
* Fix two typos in French debconf translation, thanks
Filipus Klutiero (closes: #500108).
Checksums-Sha1:
ae54a043032ae84b02c71baa382d286a7a10573d 1577 phpbb2_2.0.23+repack-3.dsc
87b668af5943971e564e218dba5f6209a6c539ca 94969 phpbb2_2.0.23+repack-3.diff.gz
3f6c9f339a6a0a3e8181ae06a245b4b8b3202363 546096 phpbb2_2.0.23+repack-3_all.deb
2b20467ca7a0cbb5b8c4444b12ef0c68310451d7 61914 phpbb2-conf-mysql_2.0.23+repack-3_all.deb
e58c8e23cbbeb4bcfd522076890f050f622ab4e7 3209054 phpbb2-languages_2.0.23+repack-3_all.deb
Checksums-Sha256:
b391edbedbfe1c6687c57aafc723556fc9db2473169e793f15809694f6b90695 1577 phpbb2_2.0.23+repack-3.dsc
d650e7f66704a615005716e19c6be88e4dd22fc218ea582fb828fcd798f5678c 94969 phpbb2_2.0.23+repack-3.diff.gz
5cb77914aa141e9500d5df07a7c73631c0b25f6083046703ec274f00d9e02328 546096 phpbb2_2.0.23+repack-3_all.deb
674ff8cad6342826caf4fe7fd6ba9663b5d9ca595d90501605f72d480f322dd6 61914 phpbb2-conf-mysql_2.0.23+repack-3_all.deb
2cf5b08d53fd683b4b6d1f74101f668d6c91de543d545987e4dec636f13b38c7 3209054 phpbb2-languages_2.0.23+repack-3_all.deb
Files:
ee948141b997a48887f6d270634d1e8b 1577 web optional phpbb2_2.0.23+repack-3.dsc
f38b6d5b34683bc4afb727da7b016484 94969 web optional phpbb2_2.0.23+repack-3.diff.gz
8dedc20a3303a79e77c86d4833beb0e1 546096 web optional phpbb2_2.0.23+repack-3_all.deb
098364864dd60108c70ff59d281dfdc1 61914 web extra phpbb2-conf-mysql_2.0.23+repack-3_all.deb
2447da0bc679b53b3908ace35ec2edab 3209054 web optional phpbb2-languages_2.0.23+repack-3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iQEcBAEBAgAGBQJI3fD0AAoJEGz0hbPcukPfaP0IAJSsJcGITG9noOfg1FGOuOHo
HmbH453rjkpfllabo4sGuO1CR3mTlOOq8DKmsk00m2Xt06uo9teq2q1JNM6i1BYe
u2Bw72EhRdwavMFYE40Rxduy7y1aK7qLHAWxIcRf5xhkBQrwqO5AwkucqsVfmwIr
sfyjelFSt2iCnhZGzGgP8p9O8OUlLntzeQceuS76MfFQ/sQlwx84ULiSL2pSv0GN
vaes0OLYE+BVgvbPAUD+u/W57OUfuSOzG7DtfHYk0a5MpXO4GBD5QRCYlhCXaefQ
mEWSAB0OVswcDLL/Tvs+0JVepQvlnTeQRG8nQjqflG9aYJibC+BIeQkyQSf4xsI=
=93a3
-----END PGP SIGNATURE-----
--- End Message ---