Your message dated Fri, 08 Feb 2008 21:47:08 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#463589: fixed in phpbb2 2.0.22-3
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Source: phpbb2
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for phpbb2.
CVE-2008-0471[0]:
| Cross-site request forgery (CSRF) vulnerability in privmsg.php in
| phpBB 2.0.22 allows remote attackers to delete private messages (PM)
| as arbitrary users via a deleteall action.
I tested this sucessfully in a local phpbb2 installation as
well as on phpbb.de using two test accounts.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0471
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpTZqOL9wVyp.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: phpbb2
Source-Version: 2.0.22-3
We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:
phpbb2-conf-mysql_2.0.22-3_all.deb
to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.22-3_all.deb
phpbb2-languages_2.0.22-3_all.deb
to pool/main/p/phpbb2/phpbb2-languages_2.0.22-3_all.deb
phpbb2_2.0.22-3.diff.gz
to pool/main/p/phpbb2/phpbb2_2.0.22-3.diff.gz
phpbb2_2.0.22-3.dsc
to pool/main/p/phpbb2/phpbb2_2.0.22-3.dsc
phpbb2_2.0.22-3_all.deb
to pool/main/p/phpbb2/phpbb2_2.0.22-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated phpbb2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 08 Feb 2008 21:59:08 +0100
Source: phpbb2
Binary: phpbb2 phpbb2-conf-mysql phpbb2-languages
Architecture: source all
Version: 2.0.22-3
Distribution: unstable
Urgency: high
Maintainer: Jeroen van Wolffelaar <[EMAIL PROTECTED]>
Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]>
Description:
phpbb2 - A fully featured and skinnable flat (non-threaded) webforum
phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
phpbb2-languages - phpBB2 additional languages
Closes: 346349 441752 450252 463589
Changes:
phpbb2 (2.0.22-3) unstable; urgency=high
.
* Fix Cross Site Request Forgery in private messages
(CVE-2008-0471, closes: #463589). High urgency.
* Added Slovak debconf translation by Ivan Masár (Closes: #441752).
* Fix watch file (Closes: #450252).
* Fix name of nodbpurge template in postrm (Closes: #346349),
thanks Cameron Dale.
* Checked for policy 3.7.3, no changes.
Files:
e34824a43856e9f5ce71db987fc9d940 1142 web optional phpbb2_2.0.22-3.dsc
6335268155f608a63d698bc96bbecece 91949 web optional phpbb2_2.0.22-3.diff.gz
d6e5f12f5455ba61045000a758165755 553996 web optional phpbb2_2.0.22-3_all.deb
b82d42727fd9f8561eb3a79efbf95de1 57192 web extra
phpbb2-conf-mysql_2.0.22-3_all.deb
5ef74d61e4f9de1386474b821e18e0a9 2767590 web optional
phpbb2-languages_2.0.22-3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBR6zIcWz0hbPcukPfAQKnVAgAkUDg4m54qTFY2DvVwhc/1ac6SmhwTlqu
RpL21kPRONCc5u1ESEnvD6SPqvmkdGJ5w86P7PPcmZzKQHdrY2oUgVwAd89ViqNX
TeKxkIupxqt3xeH+kVtwkuxFwzJQlgd8UmSNF15Xdbx77PZBA9VQCoEhMwn3qkUO
8Vcoj4kmQodmwzSU0IqwrjSXlKYYQ7tw9qOSsTDC0IuMRogZkZx+TqF2XEvoGm/Q
wQQpbjIduVXaHo/9qXBCFdOInPW46wLaiYH2WUJmZwR2sGLFjoE7BYCGluoSN2HO
3WtxFcAGnn0zCuu1db65L5290KGQjPlWlzRJtmO5lxxYRrJuIzU8qA==
=m7uQ
-----END PGP SIGNATURE-----
--- End Message ---
