Your message dated Sun, 24 Jul 2016 09:53:34 +0000
with message-id <e1brg6i-0002wm...@franck.debian.org>
and subject line Bug#832316: fixed in cakephp 2.8.5-1
has caused the Debian Bug report #832316,
regarding cakephp: CVE-2015-8379
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
832316: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832316
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cakephp
Version: 2.8.3-1
Severity: serious
Dear Maintainers,
CakePHP is affected by the following security issues listed at
https://security-tracker.debian.org/tracker/source-package/cakephp:
TEMP-0000000-698CF7: cakephp: XML class SSRF vulnerability
CVE-2015-8379: CakePHP 2.x and 3.x before 3.1.5 might allow remote
attackers to bypass the CSRF protection mechanism via the _method
parameter.
The former has been addressed by upstream in the 3.0.6 release:
https://github.com/cakephp/cakephp/releases/tag/3.0.6
The latter has been partially fixed in the 3.1.5 then in the 3.2.0 releases:
https://packetstormsecurity.com/files/135301/CakePHP-3.2.0-CSRF-Bypass.html
https://github.com/cakephp/cakephp/pull/7938
Cheers,
Balint
--- End Message ---
--- Begin Message ---
Source: cakephp
Source-Version: 2.8.5-1
We believe that the bug you reported is fixed in the latest version of
cakephp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 832...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dmitry Smirnov <only...@debian.org> (supplier of updated cakephp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 24 Jul 2016 18:29:17 +1000
Source: cakephp
Binary: cakephp cakephp-scripts
Architecture: source all
Version: 2.8.5-1
Distribution: unstable
Urgency: medium
Maintainer: Dmitry Smirnov <only...@debian.org>
Changed-By: Dmitry Smirnov <only...@debian.org>
Description:
cakephp - rapid application development framework for PHP
cakephp-scripts - rapid application development framework for PHP (scripts)
Closes: 832316
Changes:
 cakephp (2.8.5-1) unstable; urgency=medium
 .
   * New upstream release [June 2016].
     + Fixed CVE-2015-8379 (Closes: #832316).
   * Corrected Vcs-Git URL.
   * Standards-Version: 3.9.8.
--- End Message ---