Your message dated Mon, 02 May 2016 01:32:00 +0000
with message-id <[email protected]>
and subject line Bug#816655: Removed package(s) from unstable
has caused the Debian Bug report #778530,
regarding phpbb3: Q&A Captcha allows bots when new language packs are installed
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
778530: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778530
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: phpbb3
Version: 3.0.10-4+deb7u2
Severity: normal
Tags: upstream
The Q&A captcha plugin normally does not allow an empty question set
as per the manual, section "How to configure Q&A CAPTCHA". However, if
you install a language pack after you have configured the Q&A, the
enabled Q&A for the new languages will have an empty question set,
allowing bots to register without *any* security checks.
The result that installing language packs impacts security seems like a
non-obvious effect. Either a warning, a safer failure of the Q&A
CAPTCHA, or having empty language sets falling back to other languages
would be a large improvement to the current situation.
/Björn Påhlsson
-- System Information:
Debian Release: 7.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-0.bpo.4-amd64 (SMP w/16 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages phpbb3 depends on:
ii apache2 2.2.22-13+deb7u4
ii apache2-mpm-itk [httpd] 2.2.22-13+deb7u4
ii boa [httpd] 0.94.14rc21-3.1
ii dbconfig-common 1.8.47+nmu1
ii debconf [debconf-2.0] 1.5.49
ii libapache2-mod-php5 5.4.36-0+deb7u3
ii mysql-client 5.5.41-0+wheezy1
ii mysql-client-5.5 [mysql-client] 5.5.41-0+wheezy1
ii php5 5.4.36-0+deb7u3
ii php5-cgi 5.4.36-0+deb7u3
ii php5-cli 5.4.36-0+deb7u3
ii php5-gd 5.4.36-0+deb7u3
ii php5-mysql 5.4.36-0+deb7u3
ii php5-pgsql 5.4.36-0+deb7u3
ii php5-sqlite 5.4.36-0+deb7u3
ii postgresql-client 9.1+134wheezy4
ii postgresql-client-9.1 [postgresql-client] 9.1.15-0+deb7u1
ii ucf 3.0025+nmu3
Versions of packages phpbb3 recommends:
ii php5-imagick 3.1.0~rc1-1+b2
ii postfix [mail-transport-agent] 2.9.6-2
Versions of packages phpbb3 suggests:
ii mysql-server 5.5.41-0+wheezy1
ii phpbb3-l10n 3.0.10-4+deb7u2
ii postgresql 9.1+134wheezy4
-- debconf information excluded
-- debsums errors found:
debsums: changed file /usr/share/phpbb3/www/includes/functions_profile_fields.php (from phpbb3 package)
--- End Message ---
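The failure mode reported above, and two of the mitigations the report asks for (fallback to another language, and a safe failure when no questions exist), sketched as an added example. It is not part of the original report and is not phpBB code; every function name and the sample data are constructed for illustration.

```python
"""Per-language Q&A CAPTCHA selection that falls back and fails closed.
Hypothetical names and constructed data; not phpBB's implementation."""
import random


class CaptchaUnavailable(Exception):
    """No question exists; the caller must refuse registration."""


def languages_without_questions(installed, questions):
    """Audit check: installed languages whose question set is empty or missing."""
    return sorted(lang for lang in installed if not questions.get(lang))


def pick_question(user_lang, default_lang, questions, rng=random):
    """Choose a question for user_lang, falling back to default_lang.

    Returns (language_used, question, accepted_answers). It never returns
    an empty challenge: with no questions in either language it raises.
    """
    for lang in (user_lang, default_lang):
        pool = questions.get(lang)
        if pool:
            question, answers = rng.choice(pool)
            return lang, question, answers
    raise CaptchaUnavailable("no Q&A questions for %r or %r"
                             % (user_lang, default_lang))


def registration_allowed(user_lang, default_lang, questions, answer_for):
    """Fail closed: an unavailable CAPTCHA blocks registration.

    answer_for is a callable standing in for the client's reply.
    """
    try:
        _, question, answers = pick_question(user_lang, default_lang, questions)
    except CaptchaUnavailable:
        return False
    given = answer_for(question).strip().lower()
    return any(given == accepted.lower() for accepted in answers)


# Constructed sample: Q&A configured for "en" only, then the "sv" and "de"
# language packs are installed afterwards and have no questions.
INSTALLED = ["en", "sv", "de"]
QUESTIONS = {"en": [("What colour is grass?", ["green"])], "sv": []}
```

Running languages_without_questions over the installed languages after each language-pack installation gives the warning the report asks for.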
--- Begin Message ---
Version: 3.0.14-1+rm
Dear submitter,
as the package phpbb3 has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/816655
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---