Control: tags -1 -moreinfo -unreproducible

Could you please follow up on the security issue in the actual bug report (#890604)? This is the RFS, and I doubt you meant to mark the sponsorship request as "unreproducible". :)

That said, I'm just a messenger: I wanted to make sure you were aware of the security issues and considered them seriously. You might want to send the same message to the bug report, and CC secur...@debian.org to make sure the security issue is filed properly.

Thanks!

A.

On 2018-02-17 11:59:51, Janusz Dobrowolski wrote:
> control: tags -1 +moreinfo +unreproducible
>
> Hi,
>
> As far as I know, all the old vulnerabilities reported on the Debian
> bug tracker have been fixed in the package made available on the
> mentors.debian.org page. Anyway, to be sure, I have tried to reproduce
> the bug mentioned on a new installation of this version, to no avail. The CSRF
> countermeasures implemented a long time ago, also in response to the CVE cited,
> seem to work as expected, so the exploit code available (e.g. here:
> https://securitywarrior9.blogspot.fr/2018/02/cross-site-request-forgery-front.html)
> does not work, returning 'Request from outside of this page is
> forbidden.' in the JSON payload returned, with no changes in application
> data.
>
> Saying that, maybe there are still some additional conditions, which
> allow an attacker to omit CSRF token checks, not stated in the
> vulnerability reports, so the moreinfo tag was added.
>
> Janusz
>
>
>
> On 16.02.2018 17:22, Antoine Beaupre wrote:
>> Hi,
>>
>> I haven't reviewed the package in detail, but before this is accepted
>> into Debian, care should be taken to review the existing security
>> vulnerabilities that affect this package.
>>
>> For example, CVE-2018-7176 (bug #890604) currently affects the package
>> you are proposing to upload (2.4.3). If the package is uploaded as such,
>> you should clarify what the way forward is to fix that package. Either
>> it will be fixed in a subsequent release, or the package will have to be
>> marked as unsupported in Debian.
>>
>> https://security-tracker.debian.org/tracker/CVE-2018-7176
>>
>> Thank you for your attention.
>>
>> A.

-- 
Drowning people
Sometimes die
Fighting their rescuers.
- Octavia Butler