Debian Bug report logs - #463589
phpbb2: CVE-2008-0471 XSRF vulnerability exploitable via crafted private message

version graph

Package: phpbb2; Maintainer for phpbb2 is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Fri, 1 Feb 2008 17:09:01 UTC

Severity: grave

Tags: security

Fixed in versions phpbb2/2.0.22-3, phpbb2/2.0.21-7, phpbb2/2.0.13+1-6sarge4

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#463589; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: phpbb2: CVE-2008-0471 XSRF vulnerability exploitable via crafted private message
Date: Fri, 1 Feb 2008 18:08:05 +0100
[Message part 1 (text/plain, inline)]
Source: phpbb2
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for phpbb2.

CVE-2008-0471[0]:
| Cross-site request forgery (CSRF) vulnerability in privmsg.php in
| phpBB 2.0.22 allows remote attackers to delete private messages (PM)
| as arbitrary users via a deleteall action.

I tested this sucessfully in a local phpbb2 installation as 
well as on phpbb.de using two test accounts.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0471

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#463589; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #10 received at 463589@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Nico Golde <nion@debian.org>, 463589@bugs.debian.org
Subject: Re: Bug#463589: phpbb2: CVE-2008-0471 XSRF vulnerability exploitable via crafted private message
Date: Sat, 2 Feb 2008 12:14:25 +0100
[Message part 1 (text/plain, inline)]
On Friday 1 February 2008 18:08, Nico Golde wrote:
> I tested this sucessfully in a local phpbb2 installation as
> well as on phpbb.de using two test accounts.
>
> If you fix this vulnerability please also include the CVE id
> in your changelog entry.

Thanks Nico, I'll take care of it.


Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#463589; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@kinkhorst.com>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #15 received at 463589@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@kinkhorst.com>
To: 463589@bugs.debian.org
Subject: Re: Bug#463589: phpbb2: CVE-2008-0471 XSRF vulnerability exploitable via crafted private message
Date: Tue, 5 Feb 2008 09:03:41 +0100
[Message part 1 (text/plain, inline)]
On Saturday 2 February 2008 12:14, Thijs Kinkhorst wrote:
> On Friday 1 February 2008 18:08, Nico Golde wrote:
> > I tested this sucessfully in a local phpbb2 installation as
> > well as on phpbb.de using two test accounts.
> >
> > If you fix this vulnerability please also include the CVE id
> > in your changelog entry.
>
> Thanks Nico, I'll take care of it.

Found the patch in upstream repo, will take care of this tonight.


Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#463589; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #20 received at 463589@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 463589@bugs.debian.org
Subject: Re: Bug#463589: phpbb2: CVE-2008-0471 XSRF vulnerability exploitable via crafted private message
Date: Tue, 5 Feb 2008 10:55:19 +0100
[Message part 1 (text/plain, inline)]
Hi Thijs,
* Thijs Kinkhorst <thijs@kinkhorst.com> [2008-02-05 09:20]:
> On Saturday 2 February 2008 12:14, Thijs Kinkhorst wrote:
> > On Friday 1 February 2008 18:08, Nico Golde wrote:
> > > I tested this sucessfully in a local phpbb2 installation as
> > > well as on phpbb.de using two test accounts.
> > >
> > > If you fix this vulnerability please also include the CVE id
> > > in your changelog entry.
> >
> > Thanks Nico, I'll take care of it.
> 
> Found the patch in upstream repo, will take care of this tonight.

Thanks!
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#463589; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #25 received at 463589@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 463589@bugs.debian.org
Subject: Re: Bug#463589: phpbb2: CVE-2008-0471 XSRF vulnerability exploitable via crafted private message
Date: Fri, 8 Feb 2008 14:26:33 +0100
[Message part 1 (text/plain, inline)]
Thijs,
ping? :)

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#463589; Package phpbb2. Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. Full text and rfc822 format available.

Message #30 received at 463589@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Nico Golde" <nion@debian.org>, 463589@bugs.debian.org
Subject: Re: Bug#463589: phpbb2: CVE-2008-0471 XSRF vulnerability exploitable via crafted private message
Date: Fri, 8 Feb 2008 17:10:04 +0100 (CET)
On Fri, February 8, 2008 14:26, Nico Golde wrote:
> Thijs,
> ping? :)

Working on it; expect results later today.


Thijs





Tags added: pending Request was from www-data <www-data@wolffelaar.nl> to control@bugs.debian.org. (Fri, 08 Feb 2008 20:57:05 GMT) Full text and rfc822 format available.

Message sent on to Nico Golde <nion@debian.org>:
Bug#463589. Full text and rfc822 format available.

Message #35 received at 463589-submitter@bugs.debian.org (full text, mbox):

From: www-data <www-data@wolffelaar.nl>
To: control@bugs.debian.org, 463589-submitter@bugs.debian.org
Subject: phpBB bugs fixed in revision r411
Date: Fri, 08 Feb 2008 21:54:31 +0100
# Fixed in r411 by kink
tag 463589 + pending
thanks

These bugs are fixed in revision 411 by kink
Log message:
* Fix Cross Site Request Forgery in private messages
  (CVE-2008-0471, closes: #463589). High urgency.






Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #40 received at 463589-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 463589-close@bugs.debian.org
Subject: Bug#463589: fixed in phpbb2 2.0.22-3
Date: Fri, 08 Feb 2008 21:47:08 +0000
Source: phpbb2
Source-Version: 2.0.22-3

We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:

phpbb2-conf-mysql_2.0.22-3_all.deb
  to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.22-3_all.deb
phpbb2-languages_2.0.22-3_all.deb
  to pool/main/p/phpbb2/phpbb2-languages_2.0.22-3_all.deb
phpbb2_2.0.22-3.diff.gz
  to pool/main/p/phpbb2/phpbb2_2.0.22-3.diff.gz
phpbb2_2.0.22-3.dsc
  to pool/main/p/phpbb2/phpbb2_2.0.22-3.dsc
phpbb2_2.0.22-3_all.deb
  to pool/main/p/phpbb2/phpbb2_2.0.22-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 463589@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated phpbb2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 08 Feb 2008 21:59:08 +0100
Source: phpbb2
Binary: phpbb2 phpbb2-conf-mysql phpbb2-languages
Architecture: source all
Version: 2.0.22-3
Distribution: unstable
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 phpbb2     - A fully featured and skinnable flat (non-threaded) webforum
 phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
 phpbb2-languages - phpBB2 additional languages
Closes: 346349 441752 450252 463589
Changes: 
 phpbb2 (2.0.22-3) unstable; urgency=high
 .
   * Fix Cross Site Request Forgery in private messages
     (CVE-2008-0471, closes: #463589). High urgency.
   * Added Slovak debconf translation by Ivan Masár (Closes: #441752).
   * Fix watch file (Closes: #450252).
   * Fix name of nodbpurge template in postrm (Closes: #346349),
     thanks Cameron Dale.
   * Checked for policy 3.7.3, no changes.
Files: 
 e34824a43856e9f5ce71db987fc9d940 1142 web optional phpbb2_2.0.22-3.dsc
 6335268155f608a63d698bc96bbecece 91949 web optional phpbb2_2.0.22-3.diff.gz
 d6e5f12f5455ba61045000a758165755 553996 web optional phpbb2_2.0.22-3_all.deb
 b82d42727fd9f8561eb3a79efbf95de1 57192 web extra phpbb2-conf-mysql_2.0.22-3_all.deb
 5ef74d61e4f9de1386474b821e18e0a9 2767590 web optional phpbb2-languages_2.0.22-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBR6zIcWz0hbPcukPfAQKnVAgAkUDg4m54qTFY2DvVwhc/1ac6SmhwTlqu
RpL21kPRONCc5u1ESEnvD6SPqvmkdGJ5w86P7PPcmZzKQHdrY2oUgVwAd89ViqNX
TeKxkIupxqt3xeH+kVtwkuxFwzJQlgd8UmSNF15Xdbx77PZBA9VQCoEhMwn3qkUO
8Vcoj4kmQodmwzSU0IqwrjSXlKYYQ7tw9qOSsTDC0IuMRogZkZx+TqF2XEvoGm/Q
wQQpbjIduVXaHo/9qXBCFdOInPW46wLaiYH2WUJmZwR2sGLFjoE7BYCGluoSN2HO
3WtxFcAGnn0zCuu1db65L5290KGQjPlWlzRJtmO5lxxYRrJuIzU8qA==
=m7uQ
-----END PGP SIGNATURE-----





Tags added: pending Request was from www-data <www-data@wolffelaar.nl> to control@bugs.debian.org. (Fri, 08 Feb 2008 23:45:01 GMT) Full text and rfc822 format available.

Message sent on to Nico Golde <nion@debian.org>:
Bug#463589. Full text and rfc822 format available.

Message #45 received at 463589-submitter@bugs.debian.org (full text, mbox):

From: www-data <www-data@wolffelaar.nl>
To: control@bugs.debian.org, 463589-submitter@bugs.debian.org
Subject: phpBB bugs fixed in revision r414
Date: Sat, 09 Feb 2008 00:42:25 +0100
# Fixed in r414 by kink
tag 463589 + pending
thanks

These bugs are fixed in revision 414 by kink
Log message:
* Upload to stable to fix cross site request forgery in
  private messaging (CVE-2008-0471, closes: #463589).







Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #50 received at 463589-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 463589-close@bugs.debian.org
Subject: Bug#463589: fixed in phpbb2 2.0.21-7
Date: Fri, 15 Feb 2008 19:52:37 +0000
Source: phpbb2
Source-Version: 2.0.21-7

We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:

phpbb2-conf-mysql_2.0.21-7_all.deb
  to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.21-7_all.deb
phpbb2-languages_2.0.21-7_all.deb
  to pool/main/p/phpbb2/phpbb2-languages_2.0.21-7_all.deb
phpbb2_2.0.21-7.diff.gz
  to pool/main/p/phpbb2/phpbb2_2.0.21-7.diff.gz
phpbb2_2.0.21-7.dsc
  to pool/main/p/phpbb2/phpbb2_2.0.21-7.dsc
phpbb2_2.0.21-7_all.deb
  to pool/main/p/phpbb2/phpbb2_2.0.21-7_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 463589@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated phpbb2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat,  9 Feb 2008 00:27:23 +0100
Source: phpbb2
Binary: phpbb2-languages phpbb2-conf-mysql phpbb2
Architecture: source all
Version: 2.0.21-7
Distribution: stable-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 phpbb2     - A fully featured and skinnable flat (non-threaded) webforum
 phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
 phpbb2-languages - phpBB2 additional languages
Closes: 463589
Changes: 
 phpbb2 (2.0.21-7) stable-security; urgency=high
 .
   * Upload to stable to fix cross site request forgery in
     private messaging (CVE-2008-0471, closes: #463589).
Files: 
 88ad3a4f2ee714cce779873b53ebd323 1051 web optional phpbb2_2.0.21-7.dsc
 30383a9bf6c5d21736e4bdf9ec7852d5 3203456 web optional phpbb2_2.0.21.orig.tar.gz
 896f80500e90867741c516e57fc8bfcc 90580 web optional phpbb2_2.0.21-7.diff.gz
 e8825ef3431bfe7ccf72f9f59f13a119 554842 web optional phpbb2_2.0.21-7_all.deb
 49baf96bcc1c273a93e8bb5169dca722 53706 web extra phpbb2-conf-mysql_2.0.21-7_all.deb
 afd8a0fe8138c8a5cf00a3e4ac10ac59 2791410 web optional phpbb2-languages_2.0.21-7_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBR6z0YGz0hbPcukPfAQK92gf/Yp71BGmPqZdqrNlRdcLUIcWM2u1Tz/am
zttJsmSCHolwbW8OCtXHVfm2jZpNGwnn2WV6iiYhrXVP61FGbciqHiqL88sqw3aT
6jcUlC3POIIH5P9gwS8MyO5+fxn+6P8sneVhAJSZWR/2xq9LlorOMdpEBfI0o82I
6CESjBDX9+9EFckCZVW8dqqVk7H32jwDyFFpZbgqDbhmkax/mBDa+IJRanj7SSdf
CkHN7oxTgWFzJCC0CdsqAFVN5VKyH6CYEybuz0nUaOjUB0CfpI5XRGu5KVjuHhDq
ZRd/cE9R8QdW2ooY+Ee2GbEWCxv1WsGuQJm1zgJywlXC8AtYhtB4mQ==
=TJeW
-----END PGP SIGNATURE-----





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #55 received at 463589-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 463589-close@bugs.debian.org
Subject: Bug#463589: fixed in phpbb2 2.0.21-7
Date: Sat, 16 Feb 2008 12:17:25 +0000
Source: phpbb2
Source-Version: 2.0.21-7

We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:

phpbb2-conf-mysql_2.0.21-7_all.deb
  to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.21-7_all.deb
phpbb2-languages_2.0.21-7_all.deb
  to pool/main/p/phpbb2/phpbb2-languages_2.0.21-7_all.deb
phpbb2_2.0.21-7.diff.gz
  to pool/main/p/phpbb2/phpbb2_2.0.21-7.diff.gz
phpbb2_2.0.21-7.dsc
  to pool/main/p/phpbb2/phpbb2_2.0.21-7.dsc
phpbb2_2.0.21-7_all.deb
  to pool/main/p/phpbb2/phpbb2_2.0.21-7_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 463589@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated phpbb2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat,  9 Feb 2008 00:27:23 +0100
Source: phpbb2
Binary: phpbb2-languages phpbb2-conf-mysql phpbb2
Architecture: source all
Version: 2.0.21-7
Distribution: stable-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 phpbb2     - A fully featured and skinnable flat (non-threaded) webforum
 phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
 phpbb2-languages - phpBB2 additional languages
Closes: 463589
Changes: 
 phpbb2 (2.0.21-7) stable-security; urgency=high
 .
   * Upload to stable to fix cross site request forgery in
     private messaging (CVE-2008-0471, closes: #463589).
Files: 
 88ad3a4f2ee714cce779873b53ebd323 1051 web optional phpbb2_2.0.21-7.dsc
 30383a9bf6c5d21736e4bdf9ec7852d5 3203456 web optional phpbb2_2.0.21.orig.tar.gz
 896f80500e90867741c516e57fc8bfcc 90580 web optional phpbb2_2.0.21-7.diff.gz
 e8825ef3431bfe7ccf72f9f59f13a119 554842 web optional phpbb2_2.0.21-7_all.deb
 49baf96bcc1c273a93e8bb5169dca722 53706 web extra phpbb2-conf-mysql_2.0.21-7_all.deb
 afd8a0fe8138c8a5cf00a3e4ac10ac59 2791410 web optional phpbb2-languages_2.0.21-7_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBR6z0YGz0hbPcukPfAQK92gf/Yp71BGmPqZdqrNlRdcLUIcWM2u1Tz/am
zttJsmSCHolwbW8OCtXHVfm2jZpNGwnn2WV6iiYhrXVP61FGbciqHiqL88sqw3aT
6jcUlC3POIIH5P9gwS8MyO5+fxn+6P8sneVhAJSZWR/2xq9LlorOMdpEBfI0o82I
6CESjBDX9+9EFckCZVW8dqqVk7H32jwDyFFpZbgqDbhmkax/mBDa+IJRanj7SSdf
CkHN7oxTgWFzJCC0CdsqAFVN5VKyH6CYEybuz0nUaOjUB0CfpI5XRGu5KVjuHhDq
ZRd/cE9R8QdW2ooY+Ee2GbEWCxv1WsGuQJm1zgJywlXC8AtYhtB4mQ==
=TJeW
-----END PGP SIGNATURE-----





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #60 received at 463589-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 463589-close@bugs.debian.org
Subject: Bug#463589: fixed in phpbb2 2.0.13+1-6sarge4
Date: Thu, 28 Feb 2008 07:52:15 +0000
Source: phpbb2
Source-Version: 2.0.13+1-6sarge4

We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:

phpbb2-conf-mysql_2.0.13-6sarge4_all.deb
  to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.13-6sarge4_all.deb
phpbb2-languages_2.0.13-6sarge4_all.deb
  to pool/main/p/phpbb2/phpbb2-languages_2.0.13-6sarge4_all.deb
phpbb2_2.0.13+1-6sarge4.diff.gz
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge4.diff.gz
phpbb2_2.0.13+1-6sarge4.dsc
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge4.dsc
phpbb2_2.0.13-6sarge4_all.deb
  to pool/main/p/phpbb2/phpbb2_2.0.13-6sarge4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 463589@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated phpbb2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat,  9 Feb 2008 01:16:49 +0100
Source: phpbb2
Binary: phpbb2-languages phpbb2-conf-mysql phpbb2
Architecture: source all
Version: 2.0.13+1-6sarge4
Distribution: oldstable-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 phpbb2     - A fully featured and skinneable flat (non-threaded) webforum
 phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
 phpbb2-languages - phpBB2 additional languages
Closes: 388120 405980 463589
Changes: 
 phpbb2 (2.0.13+1-6sarge4) oldstable-security; urgency=high
 .
   * Upload to sarge to address security issues.
   * CVE-2006-4758: authenticated admin may upload arbitrary files
     (very minor issue, closes: 388120).
   * CVE-2006-6839: update criteria for redirection targets.
   * CVE-2006-6840: fix negative start parameter.
   * CVE-2006-6508/CVE-2006-6841: fix csrf (closes: 405980).
   * CVE-2008-0471: fix csrf (closes: 463589).
Files: 
 d5ca94a7a4c2b3468428a993a1dbc5cc 1011 web optional phpbb2_2.0.13+1-6sarge4.dsc
 c403597d08f4c5af0f62b84c5ee72a7e 67912 web optional phpbb2_2.0.13+1-6sarge4.diff.gz
 944e55e056fc34d970e95b78201589fe 526154 web optional phpbb2_2.0.13-6sarge4_all.deb
 f0df2114bd60d9b84fbda1d241294fdd 37766 web extra phpbb2-conf-mysql_2.0.13-6sarge4_all.deb
 f10c4962035ede6e02417b8098efeda0 2868920 web optional phpbb2-languages_2.0.13-6sarge4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBR6zz/mz0hbPcukPfAQID8wgAkC1l66pYum5qTcJHfUszTCEWb6CIwrV0
a+mHcUFpa0grCwkWQEd1x4t7CH7rAIoRW7N19/v6avBkIKQiAC1MvjTR7qUc1/g0
R6Aus7ZDe2PKd2PShVoLT2A6EYJSkpieyoEnVbllumQpfgKD/VP5DvX6QOYoN3xh
uD4KlhkCq1uMOr3FCvY3xTf/V2F1vnEkJssn79//iP3qRCsrAzaAxM1MO2BzLkLB
ZLmUhFx7/UeUeGdhwXAS0gbRb09oPO1c1yKXIB/y2hqO2UXuQLtxOlajrQES+f8W
TQGWjzuXFgrW1PafmOvT24N0QDhCI+KWu8jRY122WdrDLLo9OUInYA==
=vhx+
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 28 Mar 2008 07:43:13 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 05:56:32 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.