Your message dated Sun, 14 Jan 2007 18:17:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#402140: fixed in phpbb2 2.0.21-6
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: phpbb2
Version: 2.0.21-5
Severity: important
Tags: security
Some vulnerabilities have been discovered in phpBB, which can be exploited by
malicious people to conduct cross-site request forgery attacks and cross-site
scripting attacks.
1) The application allows users to send messages via HTTP requests without
performing any validity checks to verify the request. This can be exploited to
send messages to arbitrary users by e.g. tricking a target user into visiting a
malicious website.
2) Input passed to the form field "Message body" in privmsg.php is not properly
sanitised before it is returned to the user when sending messages to a
non-existent user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.
Successful exploitation of the vulnerabilities requires that the target user is
logged in.
The vulnerabilities are confirmed in version 2.0.21. Other versions may also be
affected.
http://secunia.com/advisories/23283/
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-486
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
--- End Message ---
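The two defects described in the report above, with their mitigations, as an added illustration that is not phpBB's code: a minimal private-message handler that rejects requests lacking a per-session form token (the CSRF issue) and HTML-escapes the recipient name and message body before reflecting them in the "recipient not found" response (the XSS issue). It assumes PHP 7+ and a stub recipient lookup with constructed sample users.

```php
<?php
// Added illustration, not phpBB's code: a minimal private-message handler
// with the two defects from the report mitigated. Assumes PHP 7+ and a
// stub recipient lookup (constructed sample data).
session_start();

function user_exists(string $username): bool
{
    return in_array($username, ['alice', 'bob'], true); // stub user table
}

// CSRF (CVE-2006-6841 class): bind state-changing forms to a per-session secret.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_token_valid(?string $submitted): bool
{
    return is_string($submitted) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted); // constant-time
}

// XSS (CVE-2006-6421 class): escape anything reflected into HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_token_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid form token.');
    }
    $to   = (string)($_POST['username'] ?? '');
    $body = (string)($_POST['message'] ?? '');
    if (!user_exists($to)) {
        // Vulnerable pattern for comparison: echo "Could not send to $to: $body";
        exit('Could not send to ' . h($to) . '. Your draft: ' . h($body));
    }
    exit('Message queued for ' . h($to));
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>">
  <input name="username"> <textarea name="message"></textarea>
  <button>Send</button>
</form>
```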
--- Begin Message ---
Source: phpbb2
Source-Version: 2.0.21-6
We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:
phpbb2-conf-mysql_2.0.21-6_all.deb
to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.21-6_all.deb
phpbb2-languages_2.0.21-6_all.deb
to pool/main/p/phpbb2/phpbb2-languages_2.0.21-6_all.deb
phpbb2_2.0.21-6.diff.gz
to pool/main/p/phpbb2/phpbb2_2.0.21-6.diff.gz
phpbb2_2.0.21-6.dsc
to pool/main/p/phpbb2/phpbb2_2.0.21-6.dsc
phpbb2_2.0.21-6_all.deb
to pool/main/p/phpbb2/phpbb2_2.0.21-6_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated phpbb2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 14 Jan 2007 17:35:23 +0100
Source: phpbb2
Binary: phpbb2-languages phpbb2-conf-mysql phpbb2
Architecture: source all
Version: 2.0.21-6
Distribution: unstable
Urgency: high
Maintainer: Jeroen van Wolffelaar <[EMAIL PROTECTED]>
Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]>
Description:
phpbb2 - A fully featured and skinnable flat (non-threaded) webforum
phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
phpbb2-languages - phpBB2 additional languages
Closes: 402140 402140 404160
Changes:
phpbb2 (2.0.21-6) unstable; urgency=high
.
* Selected patches from upstream 2.0.22 for security issues:
* CVE-2006-6421: Cross-site scripting (XSS) vulnerability in the private
message box implementation (Closes: #402140).
* CVE-2006-6841: Cross Site Request Forgery was possible with some forms.
* CVE-2006-6840: Prevent negative start parameter. Exploitability unknown,
but flagged by upstream as a security fix and a harmless change.
* CVE-2006-6839: Improve check for bad redirection targets, exploitability
unknown, but flagged by upstream as a security fix and a harmless change.
(Closes: #402140)
.
* Added German debconf translation by Matthias Julius (Closes: #404160).
Files:
b94900b3f585ed3320c60df4b3492ea6 759 web optional phpbb2_2.0.21-6.dsc
349ba9624634152409ecc322763fab44 89517 web optional phpbb2_2.0.21-6.diff.gz
3333c8da978798bd14a2bf31dfa0e66b 548038 web optional phpbb2_2.0.21-6_all.deb
be19e3a1481354ad2f44abf426d57fe4 53854 web extra phpbb2-conf-mysql_2.0.21-6_all.deb
0a0cecc1becd98d759ee9aba16446c9f 2726338 web optional phpbb2-languages_2.0.21-6_all.deb
--- End Message ---