Your message dated Sun, 31 Aug 2025 03:04:35 +0000
with message-id <[email protected]>
and subject line Bug#1112361: fixed in kanboard 1.2.47+ds-1
has caused the Debian Bug report #1112361,
regarding kanboard: CVE-2025-52560
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1112361: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112361
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: kanboard
Version: 1.2.44+ds-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for kanboard.

CVE-2025-52560[0]:
| Kanboard is project management software that focuses on the Kanban
| methodology. Prior to version 1.2.46, Kanboard allows password reset
| emails to be sent with URLs derived from the unvalidated Host header
| when the application_url configuration is unset (default behavior).
| This allows an attacker to craft a malicious password reset link
| that leaks the token to an attacker-controlled domain. If a victim
| (including an administrator) clicks the poisoned link, their account
| can be taken over. This affects all users who initiate a password
| reset while application_url is not set. This issue has been patched
| in version 1.2.46.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-52560
    https://www.cve.org/CVERecord?id=CVE-2025-52560
[1] https://github.com/kanboard/kanboard/security/advisories/GHSA-2ch5-gqjm-8p92

Regards,
Salvatore

--- End Message ---
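The advisory above describes reset links whose host comes from the request's Host header whenever application_url is unset. The following is an added PHP example (not Kanboard's own code, and not necessarily how upstream patched it) contrasting that pattern with a hardened one that prefers the configured application_url and otherwise fails closed; the `trusted_hosts` key, the function names and the request values are assumed for illustration.

```php
<?php
// Added example, not Kanboard code. Shows why a reset link must never take
// its host from the client-controlled Host header, and one defensive shape.
declare(strict_types=1);

function requestScheme(array $server): string
{
    return (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
}

// Vulnerable pattern: with application_url unset, the base URL is derived from
// the request, i.e. from whatever Host header the client chose to send.
function resetUrlFromRequest(array $server, string $token): string
{
    return requestScheme($server) . '://' . $server['HTTP_HOST']
        . '/password/reset/' . rawurlencode($token);
}

// Hardened pattern: use application_url when configured; otherwise accept the
// Host header only if it matches an explicit allowlist (assumed key
// 'trusted_hosts'), and refuse to build a link at all when it does not.
function resetUrlHardened(array $config, array $server, string $token): ?string
{
    if (!empty($config['application_url'])) {
        $base = rtrim($config['application_url'], '/');
    } else {
        $host    = strtolower($server['HTTP_HOST'] ?? '');
        $trusted = array_map('strtolower', $config['trusted_hosts'] ?? []);
        if ($host === '' || !in_array($host, $trusted, true)) {
            // Fail closed and leave an audit trail instead of mailing a poisoned link.
            error_log("password reset: untrusted Host header '{$host}', link not generated");
            return null;
        }
        $base = requestScheme($server) . '://' . $host;
    }
    return $base . '/password/reset/' . rawurlencode($token);
}

// Constructed request: a reset request carrying an attacker-chosen Host header.
$server = ['HTTP_HOST' => 'attacker.invalid', 'HTTPS' => 'on'];
$token  = 'constructed-token-123';

// Vulnerable: the token is embedded in a link pointing at the attacker's host.
echo resetUrlFromRequest($server, $token), PHP_EOL;

// Hardened, application_url set: the link always points at the real site.
echo resetUrlHardened(['application_url' => 'https://kanboard.example/'], $server, $token), PHP_EOL;

// Hardened, application_url unset and host not allowlisted: no link is produced.
var_dump(resetUrlHardened(['trusted_hosts' => ['kanboard.example']], $server, $token));
```

Setting application_url is the simplest deployment-side mitigation, since it removes the request entirely from the decision of where reset links point.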
--- Begin Message ---
Source: kanboard
Source-Version: 1.2.47+ds-1
Done: Joseph Nahmias <[email protected]>

We believe that the bug you reported is fixed in the latest version of
kanboard, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joseph Nahmias <[email protected]> (supplier of updated kanboard package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 30 Aug 2025 22:32:02 -0400
Source: kanboard
Architecture: source
Version: 1.2.47+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Joseph Nahmias <[email protected]>
Changed-By: Joseph Nahmias <[email protected]>
Closes: 1112360 1112361 1112362 1112363 1112364
Changes:
 kanboard (1.2.47+ds-1) unstable; urgency=medium
 .
   * New upstream version 1.2.47+ds
     + Password Reset Poisoning via Host Header Injection:
       GHSA-2ch5-gqjm-8p92 aka CVE-2025-52560. Closes: #1112361.
     + Authenticated Admin Remote Code Execution via Unsafe Deserialization
       of Events:  GHSA-359x-c69j-q64r aka CVE-2025-55010. Closes: #1112363.
     + Stored XSS in project name: GHSA-5wj3-c9v4-pj9v aka CVE-2025-46825.
       Closes: #1112360.
     + Username Enumeration via Login Behavior and Bruteforce Protection Bypass:
       GHSA-qw57-7cx6-wvp7 aka CVE-2025-52576. Closes: #1112362.
     + Path Traversal in File Write via Task File Upload Api:
       GHSA-26f4-rx96-xc55 aka CVE-2025-55011. Closes: #1112364.
   * drop/refresh patches, as needed
   * enable build profiles in salsa ci
   * build package twice in salsa ci
   * enable salsa ci stats reporting
   * run wrap-and-sort -asbkt; enable job in salsa ci
--- End Message ---