Re: [SECURITY] [DLA 1942-1] phpbb3 security update
Hi Mike,

On Mon, Oct 07, 2019 at 04:11:37PM +, mike.gabr...@das-netzwerkteam.de wrote:
> > enjoy your VAC and please remember to update DLA-1942-2 for webwml.git
> > when you're back.
> I had already done that and Carsten already merged my MR.

cool, thank you!

--
cheers,
        Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
Hi Holger,

On Monday, 7 October 2019, Holger Levsen wrote:
> Hi Mike,
>
> On Sun, Oct 06, 2019 at 10:14:23PM +, Mike Gabriel wrote:
> > I tried another time, like described by Ben (a new DLA-1942-2), but the mail
> > still has not arrived on the list.
>
> I've now sent it for you. (mutt -H $file is what I've used for that.)

Thanks!

> > I will be afk for the next couple of days, so I will not be able to look
> > into this again after my VAC (I am sorry)!
>
> enjoy your VAC and please remember to update DLA-1942-2 for webwml.git
> when you're back.

I had already done that and Carsten already merged my MR.

Thanks,
Mike

--
Sent from my Fairphone2 (powered by Sailfish OS).
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
Hi Mike,

On Sun, Oct 06, 2019 at 10:14:23PM +, Mike Gabriel wrote:
> I tried another time, like described by Ben (a new DLA-1942-2), but the mail
> still has not arrived on the list.

I've now sent it for you. (mutt -H $file is what I've used for that.)

> I will be afk for the next couple of days, so I will not be able to look
> into this again after my VAC (I am sorry)!

enjoy your VAC and please remember to update DLA-1942-2 for webwml.git
when you're back.

--
cheers,
        Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
Hi Holger,

On Sun 06 Oct 2019 19:12:22 CEST, Holger Levsen wrote:
> Hi Mike,
>
> On Sun, Oct 06, 2019 at 02:43:01PM +, Mike Gabriel wrote:
> > This is a follow-up to DLA-1942-1.
>
> this mail didn't make it to lts-announce...

I tried another time, like described by Ben (a new DLA-1942-2), but the mail
still has not arrived on the list.

I will be afk for the next couple of days, so I will not be able to look
into this again after my VAC (I am sorry)!

Greets,
Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
On Sun, 2019-10-06 at 17:12 +, Holger Levsen wrote:
> Hi Mike,
>
> On Sun, Oct 06, 2019 at 02:43:01PM +, Mike Gabriel wrote:
> > This is a follow-up to DLA-1942-1.
>
> this mail didn't make it to lts-announce...

I believe that debian-lts-announce, like other Debian announce lists, is
configured to redirect replies to a discussion list.

Mike, you should issue a DLA-1942-2 as a new non-reply message.

Ben.

--
Ben Hutchings
One of the nice things about standards is that there are so many of them.
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
Hi Mike,

On Sun, Oct 06, 2019 at 02:43:01PM +, Mike Gabriel wrote:
> This is a follow-up to DLA-1942-1.

this mail didn't make it to lts-announce...

--
cheers,
        Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
On Tue 01 Oct 2019 01:44:30 CEST, Mike Gabriel wrote:
> Package: phpbb3
> Version: 3.0.12-5+deb8u4
> CVE ID : CVE-2019-16993
>
> In phpBB, includes/acp/acp_bbcodes.php had improper verification of a
> CSRF token on the BBCode page in the Administration Control Panel. An
> actual CSRF attack was possible if an attacker also managed to retrieve
> the session id of a reauthenticated administrator prior to targeting
> them.
>
> The description in this DLA does not match what has been documented in
> the changelog.Debian.gz of this package version. After the upload of
> phpbb3 3.0.12-5+deb8u4, it became evident that CVE-2019-13776 has not yet
> been fixed. The correct fix for CVE-2019-13776 has been identified and
> will be shipped in a soon-to-come follow-up security release of phpbb3.

This is a follow-up to DLA-1942-1. There was some confusion about the
correct fix for CVE-2019-13776. The correct announcement for this DLA
should have been:

Package: phpbb3
Version: 3.0.12-5+deb8u4
CVE ID : CVE-2019-13776 CVE-2019-16993

CVE-2019-16993

    In phpBB, includes/acp/acp_bbcodes.php had improper verification of a
    CSRF token on the BBCode page in the Administration Control Panel. An
    actual CSRF attack was possible if an attacker also managed to retrieve
    the session id of a reauthenticated administrator prior to targeting
    them.

CVE-2019-13776

    phpBB allowed the stealing of an Administration Control Panel session
    id by leveraging CSRF in the Remote Avatar feature. The CSRF Token
    Hijacking led to stored XSS.

For Debian 8 "Jessie", these problems have been fixed in version
3.0.12-5+deb8u4.

We recommend that you upgrade your phpbb3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
Hi Mike,

On Wed, Oct 02, 2019 at 02:01:25PM +, Mike Gabriel wrote:
> On Di 01 Okt 2019 13:32:25 CEST, Sylvain Beucler wrote:
> > I see you reverted affectation for CVE-2019-13376.
> >
> > CVE-2019-13376 is a follow-up fix to CVE-2019-16993 (2016) which I
> > registered just yesterday to clarify that we've been missing this earlier
> > fix (AFAICS unsuccessfully ;)).
> >
> > CVE-2019-13376 applies to 3.2.7 which already has the fix that you
> > thought was related (phpbb's SECURITY-231), which is a different
> > "vulnerability" (with quotes, as it just disables a feature by default,
> > which is expected to be re-enabled for CVE-2019-13376 to apply, as
> > mentioned in the write-up: "in the ACP, go to General > Avatar settings
> > and enable remote avatars").
> >
> > Consequently DLA 1942-1 fixes CVE-2019-13376 and CVE-2019-16993.
> > SECURITY-231 doesn't have a CVE assigned.
>
> Are you 100% sure on this?

That's what I conclude by reading the write-up and the code (and
requesting the new CVE). I didn't exploit the vulnerability.

If you wish to fix SECURITY-231 though you could request a CVE and fix
it independently.

> Let me collect my todos for this, then:
>
> * Uploaded package is ok (3.0.12-5+deb8u4), even the debian/changelog
> entry(?)

The changelog entry looks OK.

> * security-tracker (data/DLA/list) needs to be adapted and CVE-2019-13376
> needs to be re-added to DLA-1942-1(?)

I did so yesterday.

> * the dla-announcement needs to be re-done / replied to, and it needs to be
> declared that CVE-2019-13376 is in fact already fixed by +deb8u4
> * furthermore, I referenced CVE-2019-13776 in the announcement,
> rather than CVE-2019-13376 (typo, g...)
>
> Correct?

That sounds right.

> Thanks for spotting this!

NP, I was just doing FrontDesk :)

Cheers!
Sylvain
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
Hi Sylvain,

On Tue 01 Oct 2019 13:32:25 CEST, Sylvain Beucler wrote:
> Hi Gabriel,
>
> I see you reverted affectation for CVE-2019-13376.
>
> CVE-2019-13376 is a follow-up fix to CVE-2019-16993 (2016) which I
> registered just yesterday to clarify that we've been missing this earlier
> fix (AFAICS unsuccessfully ;)).
>
> CVE-2019-13376 applies to 3.2.7 which already has the fix that you
> thought was related (phpbb's SECURITY-231), which is a different
> "vulnerability" (with quotes, as it just disables a feature by default,
> which is expected to be re-enabled for CVE-2019-13376 to apply, as
> mentioned in the write-up: "in the ACP, go to General > Avatar settings
> and enable remote avatars").
>
> Consequently DLA 1942-1 fixes CVE-2019-13376 and CVE-2019-16993.
> SECURITY-231 doesn't have a CVE assigned.
>
> Cheers!
> Sylvain

Are you 100% sure on this?

Let me collect my todos for this, then:

* Uploaded package is ok (3.0.12-5+deb8u4), even the debian/changelog
  entry(?)
* security-tracker (data/DLA/list) needs to be adapted and CVE-2019-13376
  needs to be re-added to DLA-1942-1(?)
* the dla-announcement needs to be re-done / replied to, and it needs to be
  declared that CVE-2019-13376 is in fact already fixed by +deb8u4
* furthermore, I referenced CVE-2019-13776 in the announcement,
  rather than CVE-2019-13376 (typo, g...)

Correct?

Thanks for spotting this!
Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
Hi Gabriel,

I see you reverted affectation for CVE-2019-13376.

CVE-2019-13376 is a follow-up fix to CVE-2019-16993 (2016) which I
registered just yesterday to clarify that we've been missing this earlier
fix (AFAICS unsuccessfully ;)).

CVE-2019-13376 applies to 3.2.7 which already has the fix that you
thought was related (phpbb's SECURITY-231), which is a different
"vulnerability" (with quotes, as it just disables a feature by default,
which is expected to be re-enabled for CVE-2019-13376 to apply, as
mentioned in the write-up: "in the ACP, go to General > Avatar settings
and enable remote avatars").

Consequently DLA 1942-1 fixes CVE-2019-13376 and CVE-2019-16993.
SECURITY-231 doesn't have a CVE assigned.

Cheers!
Sylvain

On 01/10/2019 01:44, Mike Gabriel wrote:
> Package: phpbb3
> Version: 3.0.12-5+deb8u4
> CVE ID : CVE-2019-16993
>
>
> In phpBB, includes/acp/acp_bbcodes.php had improper verification of a
> CSRF token on the BBCode page in the Administration Control Panel. An
> actual CSRF attack was possible if an attacker also managed to retrieve
> the session id of a reauthenticated administrator prior to targeting
> them.
>
> The description in this DLA does not match what has been documented in
> the changelog.Debian.gz of this package version. After the upload of
> phpbb3 3.0.12-5+deb8u4, it became evident that CVE-2019-13776 has not yet
> been fixed. The correct fix for CVE-2019-13776 has been identified and
> will be shipped in a soon-to-come follow-up security release of phpbb3.
>
> For Debian 8 "Jessie", these problems have been fixed in version
> 3.0.12-5+deb8u4.
>
> We recommend that you upgrade your phpbb3 packages.
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 1942-1] phpbb3 security update
Package: phpbb3
Version: 3.0.12-5+deb8u4
CVE ID : CVE-2019-16993

In phpBB, includes/acp/acp_bbcodes.php had improper verification of a
CSRF token on the BBCode page in the Administration Control Panel. An
actual CSRF attack was possible if an attacker also managed to retrieve
the session id of a reauthenticated administrator prior to targeting
them.

The description in this DLA does not match what has been documented in
the changelog.Debian.gz of this package version. After the upload of
phpbb3 3.0.12-5+deb8u4, it became evident that CVE-2019-13776 has not yet
been fixed. The correct fix for CVE-2019-13776 has been identified and
will be shipped in a soon-to-come follow-up security release of phpbb3.

For Debian 8 "Jessie", these problems have been fixed in version
3.0.12-5+deb8u4.

We recommend that you upgrade your phpbb3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net