Your message dated Thu, 22 Dec 2005 00:32:07 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#336587: fixed in phpbb2 2.0.13+1-6sarge2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 31 Oct 2005 11:26:01 +0000
>From [EMAIL PROTECTED] Mon Oct 31 03:26:01 2005
Return-path: <[EMAIL PROTECTED]>
Received: from h2404.serverkompetenz.net [81.169.151.30]
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1EWXnd-0005b7-00; Mon, 31 Oct 2005 03:26:01 -0800
Received: from carsten by h2404.serverkompetenz.net with local (Exim 4.50)
	id 1EWXnR-0004rY-UH
	for [EMAIL PROTECTED]; Mon, 31 Oct 2005 12:25:49 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Carsten Wolff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: phpbb2: phpbb 2.0.18 released with lots of security fixes
X-Mailer: reportbug 3.8
Date: Mon, 31 Oct 2005 12:25:49 +0100
Message-Id: <[EMAIL PROTECTED]>
X-h2404-MailScanner: Found to be clean
X-h2404-MailScanner-SpamCheck: not spam, SpamAssassin (score=-5.899, required 4,
	autolearn=not spam, ALL_TRUSTED -3.30, BAYES_00 -2.60)
X-h2404-MailScanner-From: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: phpbb2
Version: 2.0.13-6sarge1
Severity: grave
Tags: security
Justification: user security hole

The phpbb project has released version 2.0.18 of its software, including
lots of security fixes.
See http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=336756 for details.
The security related changes should be backported to sarge.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11.7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages phpbb2 depends on:
ii  apache [httpd]          1.3.33-6sarge1  versatile, high-performance HTTP s
ii  apache-ssl [httpd]      1.3.33-6sarge1  versatile, high-performance HTTP s
ii  debconf                 1.4.30.13       Debian configuration management sy
ii  libapache-mod-php4      4:4.3.10-16     server-side, HTML-embedded scripti
ii  php4                    4:4.3.10-16     server-side, HTML-embedded scripti
ii  php4-cgi                4:4.3.10-16     server-side, HTML-embedded scripti
ii  php4-pgsql              3:4.3.10-4      PostgreSQL module for php4

-- debconf information:
* phpbb2/httpd: apache

---------------------------------------
Received: (at 336587-close) by bugs.debian.org; 22 Dec 2005 08:41:03 +0000
>From [EMAIL PROTECTED] Thu Dec 22 00:41:03 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 4.50)
	id 1EpLrr-0004LK-Ox; Thu, 22 Dec 2005 00:32:07 -0800
From: Thijs Kinkhorst <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.65 $
Subject: Bug#336587: fixed in phpbb2 2.0.13+1-6sarge2
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Thu, 22 Dec 2005 00:32:07 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 3

Source: phpbb2
Source-Version: 2.0.13+1-6sarge2

We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:

phpbb2-conf-mysql_2.0.13-6sarge2_all.deb
  to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.13-6sarge2_all.deb
phpbb2-languages_2.0.13-6sarge2_all.deb
  to pool/main/p/phpbb2/phpbb2-languages_2.0.13-6sarge2_all.deb
phpbb2_2.0.13+1-6sarge2.diff.gz
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge2.diff.gz
phpbb2_2.0.13+1-6sarge2.dsc
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge2.dsc
phpbb2_2.0.13-6sarge2_all.deb
  to pool/main/p/phpbb2/phpbb2_2.0.13-6sarge2_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated phpbb2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 30 Nov 2005 11:52:53 +0100
Source: phpbb2
Binary: phpbb2-languages phpbb2-conf-mysql phpbb2
Architecture: source all
Version: 2.0.13+1-6sarge2
Distribution: stable-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <[EMAIL PROTECTED]>
Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]>
Description: 
 phpbb2     - A fully featured and skinnable flat (non-threaded) webforum
 phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
 phpbb2-languages - phpBB2 additional languages
Closes: 335662 336582 336587
Changes: 
 phpbb2 (2.0.13+1-6sarge2) stable-security; urgency=high
 .
   * Security update by phpBB maintainers
   * Backport fixes for the following issues announced by upstream and
     independent researchers (Closes: #336582, #336587, #335662):
     - fixed validation of topic type when posting.
     - fixed potential to select images outside the specified path as
       avatars or smilies.
     - fixed ability to edit PM's you did not send.
     - CVE-2005-3419, CVE-2005-3420: fixed inadequate signature field input
       sanitising, which allowed for arbitrary code execution
     - CVE-2005-3310: compare imagetype on avatar uploading to match the
       file extension from uploaded file.
   .
   Additionally, the following three issues are fixed, though they are only
   a threat when running with the heavily discouraged register_globals = off
   setting:
     - CVE-2005-3415: bypass protection mechanisms that deregister global
       variables by setting both a GPC variable and a GLOBALS[] variable.
     - CVE-2005-3416: bypass security checks by setting the $_SESSION and
       $HTTP_SESSION_VARS variables to strings instead of arrays.
     - CVE-2005-3418: Multiple cross-site scripting (XSS) vulnerabilities.
Files: 
 84a0dab5af965cf6ff418c2b2383a9ee 783 web optional phpbb2_2.0.13+1-6sarge2.dsc
 e644237009e5eff92b86f21a5f6f4cbe 64580 web optional phpbb2_2.0.13+1-6sarge2.diff.gz
 f88101af29bf00db9a8fdb264e35d891 525514 web optional phpbb2_2.0.13-6sarge2_all.deb
 4cbfd2fe1e336214a3defddeff55ce65 37474 web extra phpbb2-conf-mysql_2.0.13-6sarge2_all.deb
 f71e21b77d9f5bffa076a25d6687b4c2 2873096 web optional phpbb2-languages_2.0.13-6sarge2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Signed by Jeroen van Wolffelaar <[EMAIL PROTECTED]>

iD8DBQFDpgbUl2uISwgTVp8RAgcyAJ93wvWZCBowQ74CtZRAIOXZ1ZQw3QCgrYEu
iBIbdbFUbbhEctbUEWdfu0I=
=R/22
-----END PGP SIGNATURE-----
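One way to implement the avatar check the CVE-2005-3310 changelog entry describes (the image type detected from the file's bytes must agree with the extension of the uploaded file), as an added PHP example that is not phpBB's or the Debian package's own code; AVATAR_TYPES and validated_avatar_extension() are assumed names, and the check is generalised to return the canonical extension to store the file under.

```php
<?php
// Added illustration of the mitigation named for CVE-2005-3310: the
// extension the uploader claims must match the image type getimagesize()
// detects from the file content. Not phpBB code; names are invented here.

/** Allowed avatar formats, keyed by the IMAGETYPE_* value getimagesize() reports. */
const AVATAR_TYPES = [
    IMAGETYPE_GIF  => ['gif'],
    IMAGETYPE_JPEG => ['jpg', 'jpeg'],
    IMAGETYPE_PNG  => ['png'],
];

/**
 * Returns the extension the avatar should be stored under, or null if the
 * upload must be rejected. $tmpPath is the uploaded temporary file and
 * $clientName the filename the browser sent, which is never trusted alone.
 */
function validated_avatar_extension(string $tmpPath, string $clientName): ?string
{
    // 1. Inspect the bytes, not the name: anything whose header is not a
    //    parseable image fails here regardless of what it is called.
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return null;
    }
    $detected = $info[2];                 // an IMAGETYPE_* constant
    if (!isset(AVATAR_TYPES[$detected])) {
        return null;                      // real image, but not an allowed avatar format
    }

    // 2. Only the final extension is considered, and it must be one of those
    //    valid for the detected type; a non-image extension matches nothing.
    $claimed = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($claimed, AVATAR_TYPES[$detected], true)) {
        return null;
    }

    // 3. Derive the stored extension from the detected type, so the on-disk
    //    name comes from content rather than from user-supplied input.
    return AVATAR_TYPES[$detected][0];
}

// Example call against a browser upload; assumes $_FILES['avatar'] is set:
// $ext = validated_avatar_extension($_FILES['avatar']['tmp_name'],
//                                   $_FILES['avatar']['name']);
// if ($ext === null) { /* reject the upload */ }
```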