Hi Gabriel, I see you reverted affectation for CVE-2019-13376.

CVE-2019-13376 is a follow-up fix to CVE-2019-16993 (2016) which I registered just yesterday to clarify that we've been missing this earlier fix (AFAICS unsuccessfully ;)). CVE-2019-13376 applies to 3.2.7 which already has the fix that you thought was related (phpbb's SECURITY-231), which is a different "vulnerability" (with quotes, as it just disables a feature by default, which is expected to be re-enabled for CVE-2019-13376 to apply, as mentioned in the write-up: "in the ACP, go to General > Avatar settings and enable remote avatars").

Consequently DLA 1942-1 fixes CVE-2019-13376 and CVE-2019-16993. SECURITY-231 doesn't have a CVE assigned.

Cheers!
Sylvain

On 01/10/2019 01:44, Mike Gabriel wrote:
> Package        : phpbb3
> Version        : 3.0.12-5+deb8u4
> CVE ID         : CVE-2019-16993
>
>
> In phpBB, includes/acp/acp_bbcodes.php had improper verification of a
> CSRF token on the BBCode page in the Administration Control Panel. An
> actual CSRF attack was possible if an attacker also managed to retrieve
> the session id of a reauthenticated administrator prior to targeting
> them.
>
> The description in this DLA does not match what has been documented in
> the changelog.Debian.gz of this package version. After the upload of
> phpbb3 3.0.12-5+deb8u4, it became evident that CVE-2019-13776 has not yet
> been fixed. The correct fix for CVE-2019-13776 has been identified and
> will be shipped in a soon-to-come follow-up security release of phpbb3.
>
> For Debian 8 "Jessie", these problems have been fixed in version
> 3.0.12-5+deb8u4.
>
> We recommend that you upgrade your phpbb3 packages.
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS