Your message dated Thu, 12 May 2005 17:17:23 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#308282: fixed in phpbb2 2.0.13+1-6
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 9 May 2005 06:14:28 +0000
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: phpbb2: Security issue in url/bbcode
X-Mailer: reportbug 3.8
Date: Mon, 09 May 2005 08:13:46 +0200

Package: phpbb2
Severity: grave
Justification: user security hole

[Upstream's description is not overly verbose; they intend to release
full details in five days; please lower severity if you don't think
it's grave]

phpbb2 2.0.15 has been released and addresses a security issue, which
upstream describes as "serious". I'm not familiar with phpbb2, but it
looks like missing input sanitization in the bbcode code.

There's something that seems to be a patch in the PHP world in this
forum message:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

---------------------------------------
Received: (at 308282-close) by bugs.debian.org; 12 May 2005 21:24:06 +0000
From: Thijs Kinkhorst <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#308282: fixed in phpbb2 2.0.13+1-6
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Thu, 12 May 2005 17:17:23 -0400

Source: phpbb2
Source-Version: 2.0.13+1-6

We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:

phpbb2-conf-mysql_2.0.13-6_all.deb
  to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.13-6_all.deb
phpbb2-languages_2.0.13-6_all.deb
  to pool/main/p/phpbb2/phpbb2-languages_2.0.13-6_all.deb
phpbb2_2.0.13+1-6.diff.gz
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6.diff.gz
phpbb2_2.0.13+1-6.dsc
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6.dsc
phpbb2_2.0.13-6_all.deb
  to pool/main/p/phpbb2/phpbb2_2.0.13-6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated phpbb2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 12 May 2005 21:46:15 +0200
Source: phpbb2
Binary: phpbb2-languages phpbb2-conf-mysql phpbb2
Architecture: source all
Version: 2.0.13+1-6
Distribution: unstable
Urgency: high
Maintainer: Jeroen van Wolffelaar <[EMAIL PROTECTED]>
Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]>
Description: 
 phpbb2     - A fully featured and skinneable flat (non-threaded) webforum
 phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
 phpbb2-languages - phpBB2 additional languages
Closes: 308282
Changes: 
 phpbb2 (2.0.13+1-6) unstable; urgency=high
 .
   * Security: Fix cross site scripting in [url] and [img] bbcode
     (Closes: #308282)
   * Jeroen: Change dependencies to work correctly when only having
     libapache-mod-php installed, while remaining to work correctly when only
     having 'php4' installed (from woody, then)
Files: 
 2b6f921c6e99ae9bb5d01e10277f79df 771 web optional phpbb2_2.0.13+1-6.dsc
 5558075833f5b5c83b03cb0bfa7ff4f9 59539 web optional phpbb2_2.0.13+1-6.diff.gz
 9c04dce8271f1cff66308b6c5dce5f46 524860 web optional phpbb2_2.0.13-6_all.deb
 6dde3f81e30a13e6fb72d64cccfbb1f5 36864 web extra phpbb2-conf-mysql_2.0.13-6_all.deb
 978686c1444bf4de7feb493869e5a20b 2872184 web optional phpbb2-languages_2.0.13-6_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Signed by Jeroen van Wolffelaar <[EMAIL PROTECTED]>

iD8DBQFCg8Nfl2uISwgTVp8RAtrnAKChSrlfF3qOOFvOHVsypkQhzGat2QCgp6K0
z4fu0iPFjsg9iujA9hzumRA=
=YCen
-----END PGP SIGNATURE-----

