Your message dated Fri, 09 Jan 2026 02:20:53 +0000
with message-id <[email protected]>
and subject line Bug#1125061: fixed in kanboard 1.2.49+ds-1
has caused the Debian Bug report #1125061,
regarding kanboard: CVE-2026-21879 CVE-2026-21880 CVE-2026-21881
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1125061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125061
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: kanboard
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for kanboard.

CVE-2026-21879[0]:
| Kanboard is project management software focused on Kanban
| methodology. Versions 1.2.48 and below are vulnerable to an Open
| Redirect attack that allows malicious actors to redirect
| authenticated users to attacker-controlled websites. By crafting
| URLs such as //evil.com, attackers can bypass the filter_var($url,
| FILTER_VALIDATE_URL) validation check. This vulnerability could be
| exploited to conduct phishing attacks, steal user credentials, or
| distribute malware. The issue is fixed in version 1.2.49.

https://github.com/kanboard/kanboard/security/advisories/GHSA-mhv9-7m9w-7hcq
https://github.com/kanboard/kanboard/commit/93bcae03301a6d34185a8dba977417e6b3de519f (v1.2.49)

CVE-2026-21880[1]:
| Kanboard is project management software focused on Kanban
| methodology. Versions 1.2.48 and below have an LDAP Injection
| vulnerability in the LDAP authentication mechanism. User-supplied
| input is directly substituted into LDAP search filters without
| proper sanitization, allowing attackers to enumerate all LDAP users,
| discover sensitive user attributes, and perform targeted attacks
| against specific accounts. This issue is fixed in version 1.2.49.

https://github.com/kanboard/kanboard/security/advisories/GHSA-v66r-m28r-wmq7
https://github.com/kanboard/kanboard/commit/dd374079f7c2d1dab74c1680960e684ff8668586 (v1.2.49)

CVE-2026-21881[2]:
| Kanboard is project management software focused on Kanban
| methodology. Versions 1.2.48 and below are vulnerable to a critical
| authentication bypass when REVERSE_PROXY_AUTH is enabled. The
| application blindly trusts HTTP headers for user authentication
| without verifying the request originated from a trusted reverse
| proxy. An attacker can impersonate any user, including
| administrators, by simply sending a spoofed HTTP header. This issue
| is fixed in version 1.2.49.

https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w
https://github.com/kanboard/kanboard/commit/7af6143e2ad25b5c15549cca8af4341c7ac4e2fc (v1.2.49)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-21879
    https://www.cve.org/CVERecord?id=CVE-2026-21879
[1] https://security-tracker.debian.org/tracker/CVE-2026-21880
    https://www.cve.org/CVERecord?id=CVE-2026-21880
[2] https://security-tracker.debian.org/tracker/CVE-2026-21881
    https://www.cve.org/CVERecord?id=CVE-2026-21881

Please adjust the affected versions in the BTS as needed.

--- End Message ---
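The three advisories quoted above describe the same defensive gap in three forms: a redirect target, an LDAP filter value and a proxy-supplied identity header, each accepted without checking who controls it. The PHP below is an added example written for this page, not Kanboard's code or its fix; the function names, the `$server` array standing in for `$_SERVER`, the trusted-proxy list and all sample inputs are constructed. It assumes 64-bit PHP 7.1+ and uses `ldap_escape()` from ext-ldap where available, with a pure-PHP fallback so it runs without the extension. The redirect check relies on the fact that `filter_var($url, FILTER_VALIDATE_URL)` rejects scheme-less strings such as `//evil.com`, so code that treats "not a valid absolute URL" as "must be a local path" lets protocol-relative targets through; the check below validates the shape of a local path directly instead.

```php
<?php
// Added example (not Kanboard code): hardened handling for the three issue
// classes in the CVE texts above. Names and sample inputs are constructed.

/**
 * Open redirect: accept only same-site relative paths.
 * filter_var('//evil.com', FILTER_VALIDATE_URL) is false (no scheme), so a
 * "reject if absolute, else treat as local" rule would still send the browser
 * to evil.com. Validate the local-path shape explicitly.
 */
function isSafeLocalRedirect(string $url): bool
{
    // Non-empty and starting with exactly one forward slash.
    if ($url === '' || $url[0] !== '/') {
        return false;
    }
    // Protocol-relative forms //host and /\host are interpreted as a host by browsers.
    if (isset($url[1]) && ($url[1] === '/' || $url[1] === '\\')) {
        return false;
    }
    // Control characters and whitespace may be stripped or folded by clients.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    // parse_url must see neither a scheme nor a host in what remains.
    $parts = parse_url($url);
    return $parts !== false && !isset($parts['scheme']) && !isset($parts['host']);
}

/**
 * LDAP injection: escape RFC 4515 filter metacharacters (\ * ( ) NUL) before
 * the value is placed in a search filter. ldap_escape() does this natively.
 */
function escapeLdapFilterValue(string $value): string
{
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    // Fallback with the same escaping rules, for builds without ext-ldap.
    return strtr($value, ['\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00']);
}

function buildUserSearchFilter(string $username): string
{
    // The filter template is fixed; only the escaped value varies.
    return sprintf('(&(objectClass=person)(uid=%s))', escapeLdapFilterValue($username));
}

/**
 * Reverse-proxy auth: honour the identity header only when the TCP peer
 * (REMOTE_ADDR) is a configured proxy. Any other client could set the header.
 */
function ipInCidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr; // plain address: exact match
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $bits = (int) $bits;
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    $mask = -1 << (32 - $bits); // high bits set, low (32 - bits) bits cleared
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function proxyAuthenticatedUser(array $server, array $trustedProxies, string $headerName = 'HTTP_REMOTE_USER'): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach ($trustedProxies as $cidr) {
        if (ipInCidr($peer, $cidr)) {
            $user = $server[$headerName] ?? '';
            return $user !== '' ? $user : null;
        }
    }
    return null; // header ignored: request did not arrive via a trusted proxy
}

// Constructed sample inputs.
foreach (['/dashboard', '//evil.com', '/\\evil.com', 'https://evil.com', "/x\r\nLocation:"] as $u) {
    printf("%-22s %s\n", str_replace(["\r", "\n"], ['\r', '\n'], $u), isSafeLocalRedirect($u) ? 'ALLOW' : 'REJECT');
}
echo buildUserSearchFilter('*)(uid=*'), "\n";
var_dump(proxyAuthenticatedUser(['REMOTE_ADDR' => '10.0.0.5', 'HTTP_REMOTE_USER' => 'admin'], ['10.0.0.0/24']));
var_dump(proxyAuthenticatedUser(['REMOTE_ADDR' => '203.0.113.9', 'HTTP_REMOTE_USER' => 'admin'], ['10.0.0.0/24']));
```

The proxy check is deliberately keyed on `REMOTE_ADDR` rather than on any forwarded-for header, since forwarded headers are themselves client-controllable unless the proxy overwrites them; when the application sits behind the proxy on a private network, the trusted list should be the proxy's addresses only, not the whole site range.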
--- Begin Message ---
Source: kanboard
Source-Version: 1.2.49+ds-1
Done: Joseph Nahmias <[email protected]>

We believe that the bug you reported is fixed in the latest version of
kanboard, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joseph Nahmias <[email protected]> (supplier of updated kanboard package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 08 Jan 2026 20:38:04 -0500
Source: kanboard
Architecture: source
Version: 1.2.49+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Joseph Nahmias <[email protected]>
Changed-By: Joseph Nahmias <[email protected]>
Closes: 1125061
Changes:
 kanboard (1.2.49+ds-1) unstable; urgency=medium
 .
   * New upstream version 1.2.49+ds
     + fixes CVE-2026-21880 aka GHSA-v66r-m28r-wmq7
       Kanboard LDAP Injection Vulnerability
     + fixes CVE-2026-21881 aka GHSA-wwpf-3j4p-739w
       Kanboard Reverse Proxy Authentication Bypass
     + fixes CVE-2026-21879 aka GHSA-mhv9-7m9w-7hcq
       Kanboard Open Redirect Vulnerability
     Closes: #1125061
   * refresh patches
Checksums-Sha1:
 abfcc063e3f6ba57b81e45c7d47779c97a0911ee 2680 kanboard_1.2.49+ds-1.dsc
 bcbf918cb6793bbf5d5b4607b729162972585ac0 1093656 kanboard_1.2.49+ds.orig.tar.xz
 98015e17d45b127b55220554f7f4c83e7a22c401 21172 kanboard_1.2.49+ds-1.debian.tar.xz
 e09eb5f5bcb9abedf109fd10cf4afe11c7a06d77 11068 kanboard_1.2.49+ds-1_amd64.buildinfo
Checksums-Sha256:
 1efbf39218c10e3762ec3167ecaadbb4a72a336baafed8e638dd2e4b41ed273f 2680 kanboard_1.2.49+ds-1.dsc
 e55cb752ef69e9df08c1e327bb85b43056451714722632a484a7cc24d1f50218 1093656 kanboard_1.2.49+ds.orig.tar.xz
 ee917e64612dfe37cbaa320a22b48e625442b011354807dd377522870ee5204b 21172 kanboard_1.2.49+ds-1.debian.tar.xz
 7d0961ad1354fc2f73d5c2468de26c48ad1ae758b792d1595a5388ad06347830 11068 kanboard_1.2.49+ds-1_amd64.buildinfo
Files:
 6f5dfce48c4455c63179bdbe20f40b2d 2680 web optional kanboard_1.2.49+ds-1.dsc
 01d3c39df869cca919de19e2af69c601 1093656 web optional kanboard_1.2.49+ds.orig.tar.xz
 a1d74c3f1d0c8ab6f00615defd0051ae 21172 web optional kanboard_1.2.49+ds-1.debian.tar.xz
 b49b9c45983370228e143f9212366731 11068 web optional kanboard_1.2.49+ds-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpfBXmhh3mWO.pgp
Description: PGP signature


--- End Message ---