On Thu, May 26, 2005 at 11:15:07AM +0200, Martin Pitt wrote:
> Package: phpbb2
> Version: 2.0.13+1-6
> Severity: important
> Tags: security
> 
> Hi!
> 
> phpbb2's changelog does not make it clear whether the three issues
> mentioned in
> 
>   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1290

(1) I can't see what the issue here is, the 'exploit' doesn't do
    anything. On the upstream forum people talk about full path
    disclosure, which is a non-issue in Debian (the full path is already
    disclosed for anyone who cares, and that is not a vulnerability).
    See also #298688
(2) Gives funny output, breaks display indeed. As we backported in
    2.0.13-6 a fix for bbcode XSS, that at that time didn't have any
    details disclosed, I think this is the same thingy, so solved then
    (didn't really verify)
(3) is a non-vuln IMHO. It's for admins, they can set arbitrary HTML
    there, I don't see that as a vulnerability.

So in summary, I think -6 fixes the 2 real issues ( (1) probably is the
same as (2), I think...), and (3) isn't an issue IMHO.

As this is claimed to be fixed in 2.0.15, and I did review the full
.14->.15 diff, this reinforces my feeling it's all fixed in Debian.

> are already fixed. Can you please check this? If they are still
> present, please upgrade the bug severity. If not, can you please add
> the CAN number to the changelog on next upload? (Please also add
> CAN-2005-1193, which already seems fixed).

Hm, I simply didn't get to know the CAN in time, or I'd have mentioned
it. Will do on next upload.


Thanks for reporting, obviously keeping open pending further research
and confirmations.
--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
