
Re: [SECURITY] [DLA 1942-1] phpbb3 security update

Hi Sylvain,

On Tue 01 Oct 2019 13:32:25 CEST, Sylvain Beucler wrote:

Hi Gabriel,

I see you reverted affectation for CVE-2019-13376.

CVE-2019-13376 is a follow-up fix to CVE-2019-16993 (2016) which I
registered just yesterday to clarify that we've been missing this earlier
fix (AFAICS unsuccessfully ;)).

CVE-2019-13376 applies to 3.2.7 which already has the fix that you
thought was related (phpbb's SECURITY-231), which is a different
"vulnerability" (with quotes, as it just disables a feature by default,
which is expected to be re-enabled for CVE-2019-13376 to apply, as
mentioned in the write-up: "in the ACP, go to General > Avatar settings
and enable remote avatars").

Consequently DLA 1942-1 fixes CVE-2019-13376 and CVE-2019-16993.
SECURITY-231 doesn't have a CVE assigned.


Are you 100% sure on this?

Let me collect my todos for this, then:

  * Uploaded package is ok (3.0.12-5+deb8u4), even the debian/changelog entry(?)
  * security-tracker (data/DLA/list) needs to be adapted and CVE-2019-13376 needs
    to be re-added to DLA-1942-1(?)
  * the dla-announcement needs to be re-done / replied to, and it needs to be
    declared that CVE-2019-13376 is in fact already fixed by +deb8u4
  * furthermore, I referenced CVE-2019-13776 in the announcement,
    rather than CVE-2019-13376 (typo, grrrr...)


Thanks for spotting this!


c/o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
