control: tags -1 +moreinfo +unreproducible

Hi,

As far as I know all the old vulnerabilities reported on the Debian bug tracker have been fixed in the package made available on the mentors.debian.org page. Anyway, to be sure I have tried to reproduce this bug mentioned on a new installation version, to no avail. CSRF countermeasures implemented a long time ago, in response also to the CVE cited, seem to work as expected, so the exploit code available (e.g. here: https://securitywarrior9.blogspot.fr/2018/02/cross-site-request-forgery-front.html) does not work, returning 'Request from outside of this page is forbidden.' in the JSON payload returned, with no changes in application data. That said, maybe there are still some additional conditions which allow an attacker to omit CSRF token checks, not stated in the vulnerability reports, so I decided just to add the moreinfo tag. I'm eager to fix the issue as soon as I can reproduce it.

Janusz

On 16.02.2018 17:22, Antoine Beaupre wrote:
> Hi,
>
> I haven't reviewed the package in detail, but before this is accepted
> into Debian, care should be taken to review the existing security
> vulnerabilities that affect this package.
>
> For example, CVE-2018-7176 (bug #890604) currently affects the package
> you are proposing to upload (2.4.3). If the package is uploaded as such,
> you should clarify what the way forward is to fix that package. Either
> it will be fixed in a subsequent release, or the package will have to be
> marked as unsupported in Debian.
>
> https://security-tracker.debian.org/tracker/CVE-2018-7176
>
> Thank you for your attention.
>
> A.
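The reply above says the application's CSRF countermeasure rejects forged requests with 'Request from outside of this page is forbidden.' and wonders whether some condition lets the token check be skipped. The following is an added illustration, not the package's code and not anything from the thread, of the shape such a check should have so that it cannot be bypassed by the usual gaps: it is applied to every state-changing method (not only POST), it compares the session-bound token in constant time, and it additionally requires the Origin or Referer header to match the site. `SITE_ORIGIN`, `issue_token`, `check_csrf`, `demo` and the sample requests are all assumed names and constructed inputs for this example.

```python
import hmac
import json
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Assumed origin of the protected application (constructed for this example).
SITE_ORIGIN = "https://app.example"

# JSON payload returned on rejection; the message text mirrors the one quoted in the thread.
FORBIDDEN = {"error": "Request from outside of this page is forbidden."}


def issue_token(session: dict) -> str:
    """Create a fresh random CSRF token and bind it to the server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_of(value: Optional[str]) -> Optional[str]:
    """Reduce an Origin or Referer header to scheme://host[:port], or None if absent/unparsable."""
    if not value:
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def check_csrf(session: dict, method: str, headers: dict, form: dict) -> Optional[dict]:
    """
    Return None when the request may proceed, or the FORBIDDEN payload when it must be
    rejected. The check covers every non-safe method, so switching POST to PUT or DELETE
    does not sidestep it.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return None  # safe methods must not change state, so there is nothing to protect

    # 1. Origin (or Referer as fallback) must match the site: defence in depth, not sufficient alone.
    hdrs = {k.lower(): v for k, v in headers.items()}
    source = _origin_of(hdrs.get("origin")) or _origin_of(hdrs.get("referer"))
    if source != SITE_ORIGIN:
        return FORBIDDEN

    # 2. The submitted token must equal the session token; constant-time compare avoids timing leaks.
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return FORBIDDEN
    return None


def demo() -> dict:
    """Run constructed requests through the check and report which are allowed (None) or rejected."""
    session: dict = {}
    token = issue_token(session)
    same_site = {"Origin": SITE_ORIGIN}
    cross_site = {"Origin": "https://attacker.example",
                  "Referer": "https://attacker.example/page.html"}
    return {
        "legit_post": check_csrf(session, "POST", same_site, {"csrf_token": token}),
        "cross_site_post": check_csrf(session, "POST", cross_site, {"csrf_token": token}),
        "missing_token": check_csrf(session, "POST", same_site, {}),
        "wrong_token": check_csrf(session, "POST", same_site, {"csrf_token": token + "x"}),
        "put_without_token": check_csrf(session, "PUT", same_site, {}),
        "get_read_only": check_csrf(session, "GET", cross_site, {}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'allowed' if result is None else json.dumps(result)}")
```

When reproducing a report like the one discussed, the cases in `demo()` are the ones worth exercising against the real application: a non-POST state-changing verb, a request with no token at all, and a request whose token is valid but whose Origin is foreign. A countermeasure that only inspects POST bodies, or only the Referer header, would let one of them through.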
As far a I know all the old vulnerabilities reported on debian bugtracker has been fixed in the package made available on mentors.debian.org page. Anyway, to be sure I have tried to reproduce this bug mentioned on new installation version to no avail. CSRF countermeasures implemented long time ago in response also to CVE cited seems to work as expected, so exploit code available (e.g. here: https://securitywarrior9.blogspot.fr/2018/02/cross-site-request-forgery-front.html) does not work, returning 'Request from outside of this page is forbidden.' in the json payload returned, with no changes in application data. Saying that, maybe still there are some additional conditions, which allow attacker to omit csrf token checks, not stated in the vulnerabilities reports, so I decied just to add moreinfo tag. I'm eager to fix the issue as soon as I can reproduce it. Janusz On 16.02.2018 17:22, Antoine Beaupre wrote: > Hi, > > I haven't reveiewed the package in details, but before this is accepted > into Debian, care should be taken to review the existing security > vulnerabilities that affect this package. > > For example, CVE-2018-7176 (bug #890604) currently affects the package > you are proposing to upload (2.4.3). It the package is uploaded as such, > you should clarify what the way forward is to fix that package. Either > it will be fixed in a subsequent release, or the package will have to be > marked as unsupported in Debian. > > https://security-tracker.debian.org/tracker/CVE-2018-7176 > > Thank you for your attention. > > A.