Your message dated Sun, 24 Jul 2016 18:24:33 +1000
with message-id <2232233.DcDZP83kxQ@deblab>
and subject line Done: cakephp: XML class SSRF vulnerability
has caused the Debian Bug report #832283,
regarding cakephp: XML class SSRF vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
832283: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832283
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cakephp
Version: 2.8.3-1
Severity: serious
Dear Maintainers,
CakePHP is affected by the following security issues listed at
https://security-tracker.debian.org/tracker/source-package/cakephp:
TEMP-0000000-698CF7: cakephp: XML class SSRF vulnerability
CVE-2015-8379: CakePHP 2.x and 3.x before 3.1.5 might allow remote
attackers to bypass the CSRF protection mechanism via the _method
parameter.
The former has been addressed by upstream in the 3.0.6 release:
https://github.com/cakephp/cakephp/releases/tag/3.0.6
The latter has been partially fixed in the 3.1.5 and then in the 3.2.0 releases:
https://packetstormsecurity.com/files/135301/CakePHP-3.2.0-CSRF-Bypass.html
https://github.com/cakephp/cakephp/pull/7938
Cheers,
Balint
--- End Message ---
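The second issue in the report above concerns a CSRF check that can be sidestepped through the `_method` form field, the override many PHP frameworks honour so that an HTML form (which can only send GET or POST) can express PUT or DELETE. The following is an added illustration written for this page, not CakePHP's code and not a description of its actual defect: it contrasts a toy enforcement routine that decides whether to demand a token based only on the overridden method with one that demands a token whenever either the transport method or the resolved method is state-changing. The `_csrfToken` field name, the session token value and the accepted override set are constructed for the example.

```python
"""Toy demonstration (not CakePHP code) of why CSRF enforcement must not let a
client-supplied HTTP method override decide whether the token is checked."""
import hmac

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
# Constructed sample value standing in for the token stored in the user's session.
SESSION_TOKEN = "s3cr3t-session-token"


def effective_method(transport_method, form):
    """Resolve the method the application will act on.

    HTML forms can only submit GET or POST, so a POST body may carry
    _method=PUT/PATCH/DELETE. This toy override deliberately accepts any
    well-known verb, including GET, to show what happens when the override
    is trusted for a security decision.
    """
    override = form.get("_method", "").upper()
    if transport_method == "POST" and override in {"GET", "PUT", "PATCH", "DELETE"}:
        return override
    return transport_method


def token_valid(form):
    """Constant-time comparison of the submitted token with the session token."""
    return hmac.compare_digest(form.get("_csrfToken", ""), SESSION_TOKEN)


def weak_check(transport_method, form):
    """Hypothetical flawed check: looks only at the overridden method.

    A cross-site POST whose body says _method=GET is classified as safe, so the
    token is never examined even though a body is being processed.
    """
    if effective_method(transport_method, form) in SAFE_METHODS:
        return "allowed"
    return "allowed" if token_valid(form) else "rejected"


def hardened_check(transport_method, form):
    """Hardened check: a token is required if EITHER the transport method or the
    resolved method is state-changing. The client cannot downgrade the decision
    by lying about the method in the body."""
    methods = {transport_method, effective_method(transport_method, form)}
    if methods <= SAFE_METHODS:
        return "allowed"
    return "allowed" if token_valid(form) else "rejected"


if __name__ == "__main__":
    # Constructed sample requests: (transport method, parsed form fields).
    samples = [
        ("GET", {}),
        ("POST", {"_method": "GET"}),
        ("POST", {"_method": "DELETE", "_csrfToken": SESSION_TOKEN}),
        ("POST", {"_method": "DELETE", "_csrfToken": "wrong"}),
    ]
    for method, form in samples:
        print(method, form, "weak:", weak_check(method, form),
              "hardened:", hardened_check(method, form))
```

The defensive rule the hardened variant encodes is simple: the CSRF layer and the routing layer must agree on what the request is, and when they might not, the check errs toward requiring the token. Enforcing on the transport method as well means any request that arrives with a body is covered regardless of what that body claims.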
--- Begin Message ---
Source: cakephp
Version: 2.6.7-1
As far as I understand, upstream fixed this problem in 2.6.6:
https://github.com/cakephp/cakephp/releases/tag/2.6.6
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 832...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
--
Cheers,
Dmitry Smirnov
GPG key : 4096R/52B6BBD953968D1B
---
Good luck happens when preparedness meets opportunity.
--- End Message ---