Re: [SECURITY] [DLA 1942-1] phpbb3 security update

Hi Gabriel,

I see you reverted affectation for CVE-2019-13376.

CVE-2019-13376 is a follow-up fix to CVE-2019-16993 (2016) which I
registered just yesterday to clarify that we've been missing this earlier
fix (AFAICS unsuccessfully ;)).

CVE-2019-13376 applies to 3.2.7 which already has the fix that you
thought was related (phpbb's SECURITY-231), which is a different
"vulnerability" (with quotes, as it just disables a feature by default,
which is expected to be re-enabled for CVE-2019-13376 to apply, as
mentioned in the write-up: "in the ACP, go to General > Avatar settings
and enable remote avatars").

Consequently DLA 1942-1 fixes CVE-2019-13376 and CVE-2019-16993.
SECURITY-231 doesn't have a CVE assigned.


On 01/10/2019 01:44, Mike Gabriel wrote:
> Package        : phpbb3
> Version        : 3.0.12-5+deb8u4
> CVE ID         : CVE-2019-16993
>
> In phpBB, includes/acp/acp_bbcodes.php had improper verification of a
> CSRF token on the BBCode page in the Administration Control Panel. An
> actual CSRF attack was possible if an attacker also managed to retrieve
> the session id of a reauthenticated administrator prior to targeting
> them.
>
> The description in this DLA does not match what has been documented in
> the changelog.Debian.gz of this package version. After the upload of
> phpbb3 3.0.12-5+deb8u4, it became evident that CVE-2019-13776 has not yet
> been fixed. The correct fix for CVE-2019-13776 has been identified and
> will be shipped in a soon-to-come follow-up security release of phpbb3.
>
> For Debian 8 "Jessie", these problems have been fixed in version
> 3.0.12-5+deb8u4.
>
> We recommend that you upgrade your phpbb3 packages.
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS