
Bug#884816: Bug#890604: Can't reproduce vulnerability on latest packaged FA version



control: tags -1 +moreinfo +unreproducible

Hi,

As far as I know, all the old vulnerabilities reported on the Debian
bug tracker have been fixed in the package made available on the
mentors.debian.org page. Anyway, to be sure, I have tried to reproduce
the bug mentioned on a new installation of this version, to no avail. The CSRF
countermeasures implemented a long time ago, also in response to the CVE cited,
seem to work as expected, so the exploit code available (e.g. here:
https://securitywarrior9.blogspot.fr/2018/02/cross-site-request-forgery-front.html)
does not work, returning 'Request from outside of this page is
forbidden.' in the JSON payload returned, with no changes in application
data.

That said, maybe there are still some additional conditions, not stated in the
vulnerability reports, which allow an attacker to bypass the CSRF token
checks, so I decided just to add the moreinfo tag. I'm eager
to fix the issue as soon as I can reproduce it.

Janusz



On 16.02.2018 17:22, Antoine Beaupre wrote:
> Hi,
>
> I haven't reviewed the package in detail, but before this is accepted
> into Debian, care should be taken to review the existing security
> vulnerabilities that affect this package.
>
> For example, CVE-2018-7176 (bug #890604) currently affects the package
> you are proposing to upload (2.4.3). If the package is uploaded as such,
> you should clarify what the way forward is to fix that package. Either
> it will be fixed in a subsequent release, or the package will have to be
> marked as unsupported in Debian.
>
> https://security-tracker.debian.org/tracker/CVE-2018-7176
>
> Thank you for your attention.
>
> A.
