Hi Mike,

On Wed, Oct 02, 2019 at 02:01:25PM +0000, Mike Gabriel wrote:
> On Di 01 Okt 2019 13:32:25 CEST, Sylvain Beucler wrote:
> > I see you reverted affectation for CVE-2019-13376.
> >
> > CVE-2019-13376 is a follow-up fix to CVE-2019-16993 (2016) which I
> > registered just yesterday to clarify that we've been missing this earlier
> > fix (AFAICS unsuccessfully ;)).
> >
> > CVE-2019-13376 applies to 3.2.7 which already has the fix that you
> > thought was related (phpbb's SECURITY-231), which is a different
> > "vulnerability" (with quotes, as it just disables a feature by default,
> > which is expected to be re-enabled for CVE-2019-13376 to apply, as
> > mentioned in the write-up: "in the ACP, go to General > Avatar settings
> > and enable remote avatars").
> >
> > Consequently DLA 1942-1 fixes CVE-2019-13376 and CVE-2019-16993.
> > SECURITY-231 doesn't have a CVE assigned.
>
> Are you 100% sure on this?

That's what I conclude by reading the write-up and the code (and requesting
the new CVE). I didn't exploit the vulnerability.
If you wish to fix SECURITY-231 though you could request a CVE and fix it
independently.

> Let me collect my todos for this, then:
>
> * Uploaded package is ok (3.0.12-5+deb8u4), even the debian/changelog
> entry(?)

The changelog entry looks OK.

> * security-tracker (data/DLA/list) needs to be adapted and CVE-2019-13376
> needs to be re-added to DLA-1942-1(?)

I did so yesterday.

> * the dla-announcement needs to be re-done / replied to, and it needs to be
> declared that CVE-2019-13376 is in fact already fixed by +deb8u4
> * furthermore, I referenced CVE-2019-13776 in the announcement,
> rather than CVE-2019-13376 (typo, grrrr...)
>
> Correct?

That sounds right.

> Thanks for spotting this!

NP, I was just doing FrontDesk :)

Cheers!
Sylvain