[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DLA 1942-1] phpbb3 security update

Hi Mike,

On Wed, Oct 02, 2019 at 02:01:25PM +0000, Mike Gabriel wrote:
> On  Di 01 Okt 2019 13:32:25 CEST, Sylvain Beucler wrote:
> > I see you reverted affectation for CVE-2019-13376.
> > 
> > CVE-2019-13376 is an follow-up fix to CVE-2019-16993 (2016) which I
> > registered just yesterday toclarify that we've been missing this earlier
> > fix (AFAICS unsuccessfully ;)).
> > 
> > CVE-2019-13376 applies to 3.2.7 which already has the fix that you
> > thought was related (phpbb's SECURITY-231), which is a different
> > "vulnerability" (with quotes, as it just disables a feature by default,
> > which is expected to be re-enabled for CVE-2019-13376 to apply, as
> > mentioned in the write-up: "in the ACP, go to General > Avatar settings
> > and enable remote avatars").
> > 
> > Consequently DLA 1942-1 fixes CVE-2019-13376 and CVE-2019-16993.
> > SECURITY-231 doesn't have a CVE assigned.
> Are you 100% sure on this?

That's what I conclude by reading the write-up and the code (and
requesting the new CVE).  I didn't exploit the vulnerability.

If you wish to fix SECURITY-231 though you could request a CVE and fix
it independently.

> Let me collect my todos for this, then:
>   * Uploaded package is ok (3.0.12-5+deb8u4), even the debian/changelog
> entry(?)

The changelog entry looks OK.

>   * security-tracker (data/DLA/list) needs to be adapted and CVE-2019-13376
> needs to be re-added to DLA-1942-1(?)

I did so yesterday.

>   * the dla-announcement needs to be re-done / replied to, and it needs to be
>     declared that CVE-2019-13376 is in fact already fixed by +deb8u4
>   * furthermore, I referenced  CVE-2019-13776 in the announcement,
>     rather than CVE-2019-13376 (typo, grrrr...)
> Correct?

That sounds right.

> Thanks for spotting this!

NP, I was just doing FrontDesk :)


Reply to: