On Thu, May 26, 2005 at 11:15:07AM +0200, Martin Pitt wrote: > Package: phpbb2 > Version: 2.0.13+1-6 > Severity: important > Tags: security > > Hi! > > phpbb2's changelog does not make it clear whether the three issues > mentioned in > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1290
(1) I can't see what the issue here is, the 'exploit' doesn't do anything. On the upstream forum people talk about full path disclosure, which is a non-issue in Debian (the full path is already disclosed for anyone who cares, and that is not a vulnerability). See also #298688 (2) Gives funny output, breaks display indeed. As we backported in 2.0.13-6 a fix for bbcode XSS, that at that time didn't have any details disclosed, I think this is the same thingy, so solved then (didn't really verify) (3) is a non-vuln IMHO. It's for admins, they can set arbitrary HTML there, I don't see that as a vulnerability. So in summary, I think -6 fixes the 2 real issues ( (1) probably is the same as (2), I think...), and (3) isn't an issue IMHO. As this is claimed to be fixed in 2.0.15, and I did review the full .14->.15 diff, this reinforces my feeling it's all fixed in Debian. > are already fixed. Can you please check this? If they are still > present, please upgrade the bug severity. If not, can you please add > the CAN number to the changelog on next upload? (Please also add > CAN-2005-1193, which already seems fixed). Hm, I simply didn't get to know the CAN in time, or I'd have mentioned it. Will do on next upload. Thanks for reporting, obviously keeping open pending further research and confirmations. --Jeroen -- Jeroen van Wolffelaar [EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357) http://Jeroen.A-Eskwadraat.nl