Hi Sylvain, On Di 01 Okt 2019 13:32:25 CEST, Sylvain Beucler wrote:
Hi Gabriel, I see you reverted affectation for CVE-2019-13376. CVE-2019-13376 is an follow-up fix to CVE-2019-16993 (2016) which I registered just yesterday toclarify that we've been missing this earlier fix (AFAICS unsuccessfully ;)). CVE-2019-13376 applies to 3.2.7 which already has the fix that you thought was related (phpbb's SECURITY-231), which is a different "vulnerability" (with quotes, as it just disables a feature by default, which is expected to be re-enabled for CVE-2019-13376 to apply, as mentioned in the write-up: "in the ACP, go to General > Avatar settings and enable remote avatars"). Consequently DLA 1942-1 fixes CVE-2019-13376 and CVE-2019-16993. SECURITY-231 doesn't have a CVE assigned. Cheers! Sylvain
Are you 100% sure on this? Let me collect my todos for this, then:* Uploaded package is ok (3.0.12-5+deb8u4), even the debian/changelog entry(?) * security-tracker (data/DLA/list) needs to be adapted and CVE-2019-13376 needs
to be re-added to DLA-1942-1(?) * the dla-announcement needs to be re-done / replied to, and it needs to be declared that CVE-2019-13376 is in fact already fixed by +deb8u4 * furthermore, I referenced CVE-2019-13776 in the announcement, rather than CVE-2019-13376 (typo, grrrr...) Correct? Thanks for spotting this! Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
Attachment:
pgpjTVMVNKytl.pgp
Description: Digitale PGP-Signatur