Your message dated Thu, 19 Feb 2015 20:29:26 +0100 with message-id <20150219192926.GG23417@dogguy.org> and subject line Re: Bug#778782: unblock: phpbb3/3.0.12-5 has caused the Debian Bug report #778782, regarding unblock: phpbb3/3.0.12-5 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
778782: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778782
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: phpbb3/3.0.12-5
- From: David Prévot <taffit@debian.org>
- Date: Thu, 19 Feb 2015 14:16:16 -0400
- Message-id: <20150219181616.GA20723@mikado.tilapin.org>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

Please unblock package phpbb3

It fixes a compatibility issue with PHP 5.6 (if php5-ldap is installed) forbidding the administrator to setup an alternative authentication scheme (#778553). This trivial fix is cherry-picked from upstream and was already part of 3.0.13 as available in experimental.

It also fixes two annoying Debian-specific images issues. Even if not critical, the fixes are really low risk.

Here is the new changelog entry, the full debdiff is attached.

phpbb3 (3.0.12-5) unstable; urgency=medium

  * Fix authentication setup: another PHP 5.6 compatibility issue, the
    internal ldap_escape() function was recently added into PHP 5.6 as
    provided by php5-ldap, and thus need to be renamed.
    (Closes: #778553)
  * Fix avatar upload permissions
  * Fix image display in Apache (Closes: #778457)

 -- David Prévot <taffit@debian.org>  Mon, 16 Feb 2015 13:51:53 -0400

unblock phpbb3/3.0.12-5

Thanks in advance for considering.

Regards

David

diff -Nru phpbb3-3.0.12/debian/changelog phpbb3-3.0.12/debian/changelog --- phpbb3-3.0.12/debian/changelog 2015-02-02 20:38:36.000000000 -0400 +++ phpbb3-3.0.12/debian/changelog 2015-02-16 13:53:14.000000000 -0400 
@@ -1,3 +1,14 @@ +phpbb3 (3.0.12-5) unstable; urgency=medium + + * Fix authentication setup: another PHP 5.6 compatibility issue, the + internal ldap_escape() function was recently added into PHP 5.6 as + provided by php5-ldap, and thus need to be renamed. + (Closes: #778553) + * Fix avatar upload permissions + * Fix image display in Apache (Closes: #778457) + + -- David Prévot <taffit@debian.org> Mon, 16 Feb 2015 13:51:53 -0400 + phpbb3 (3.0.12-4) unstable; urgency=medium * Fix CSRF vulnerability [CVE-2015-1432] and CSS injection [CVE-2015-1431] diff -Nru phpbb3-3.0.12/debian/examples/apache2.conf phpbb3-3.0.12/debian/examples/apache2.conf --- phpbb3-3.0.12/debian/examples/apache2.conf 2013-09-28 12:22:30.000000000 -0400 +++ phpbb3-3.0.12/debian/examples/apache2.conf 2015-02-16 13:51:49.000000000 -0400 @@ -20,6 +20,16 @@ allow from all </IfVersion> </Directory> +<Directory /var/lib/phpbb3/images> + <IfVersion >= 2.3> + Require all granted + </IfVersion> + <IfVersion < 2.3> + AllowOverride None + order allow,deny + allow from all + </IfVersion> +</Directory> ### Multisite examples (see README.multiboard for details) diff -Nru phpbb3-3.0.12/debian/patches/add_phpbb_prefix_to_ldap_escape.patch phpbb3-3.0.12/debian/patches/add_phpbb_prefix_to_ldap_escape.patch --- phpbb3-3.0.12/debian/patches/add_phpbb_prefix_to_ldap_escape.patch 1969-12-31 20:00:00.000000000 -0400 +++ phpbb3-3.0.12/debian/patches/add_phpbb_prefix_to_ldap_escape.patch 2015-02-16 12:33:38.000000000 -0400 
@@ -0,0 +1,31 @@ +Description: Add phpbb_ prefix to ldap_escape() + Since ldap_escape() has been added to PHP 5.6.0+, it’s internal + declaration throws a fatal error: + Cannot redeclare ldap_escape() at line 300 in /includes/auth/auth_ldap.php +Author: Jakub Senko <jakubsenko@gmail.com> +Origin: upstream +Bug: https://tracker.phpbb.com/browse/PHPBB3-12468 https://tracker.phpbb.com/browse/PHPBB3-13168 +Bug-Debian: https://bugs.debian.org/778553 +Applied-Upstream: commit, https://github.com/phpbb/phpbb/commit/ba464ec93a2707b602d212e364905a920b3b9460 +Reviewed-by: Andreas Fischer <bantu@phpbb.com> +Last-Update: 2015-02-16 +--- a/includes/auth/auth_ldap.php ++++ b/includes/auth/auth_ldap.php +@@ -282,7 +282,7 @@ + { + global $config; + +- $filter = '(' . $config['ldap_uid'] . '=' . ldap_escape(htmlspecialchars_decode($username)) . ')'; ++ $filter = '(' . $config['ldap_uid'] . '=' . phpbb_ldap_escape(htmlspecialchars_decode($username)) . ')'; + if ($config['ldap_user_filter']) + { + $_filter = ($config['ldap_user_filter'][0] == '(' && substr($config['ldap_user_filter'], -1) == ')') ? $config['ldap_user_filter'] : "({$config['ldap_user_filter']})"; +@@ -294,7 +294,7 @@ + /** + * Escapes an LDAP AttributeValue + */ +-function ldap_escape($string) ++function phpbb_ldap_escape($string) + { + return str_replace(array('*', '\\', '(', ')'), array('\\*', '\\\\', '\\(', '\\)'), $string); + } diff -Nru phpbb3-3.0.12/debian/patches/series phpbb3-3.0.12/debian/patches/series --- phpbb3-3.0.12/debian/patches/series 2015-02-02 20:27:08.000000000 -0400 +++ phpbb3-3.0.12/debian/patches/series 2015-02-16 12:26:45.000000000 -0400 
@@ -8,3 +8,4 @@ fix_CVE-2015-1431.patch fix_CVE-2015-1432.patch improve_php_5.6_compatibility.patch +add_phpbb_prefix_to_ldap_escape.patch diff -Nru phpbb3-3.0.12/debian/phpbb3.postinst phpbb3-3.0.12/debian/phpbb3.postinst --- phpbb3-3.0.12/debian/phpbb3.postinst 2014-01-03 00:38:17.000000000 -0400 +++ phpbb3-3.0.12/debian/phpbb3.postinst 2015-02-16 13:51:49.000000000 -0400 @@ -159,7 +159,7 @@ fi # set permissions that are appropriate for multisite too - chgrp www-data /var/lib/phpbb3/images/avatars + chgrp www-data /var/lib/phpbb3/images/avatars/upload chmod g=wx,o= /var/lib/phpbb3/images/avatars/upload chmod 0755 /var/lib/phpbb3/images/ranks chgrp -R www-data /var/cache/phpbb3/cacheAttachment: signature.asc
Description: Digital signature
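Review bot: in the debian/examples/apache2.conf hunk, AllowOverride None is set only inside the <IfVersion < 2.3> branch, so the new /var/lib/phpbb3/images block leaves it unset for Apache 2.3 and later. It is not an access-control directive and does not belong to either branch; suggest placing it directly under <Directory /var/lib/phpbb3/images> so both versions get it, which matters here because the postinst hunk makes images/avatars/upload writable by www-data.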
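Review bot: in the second includes/auth/auth_ldap.php hunk, the renamed phpbb_ldap_escape() keeps a body whose escaping is not correct for a search filter. str_replace() applies its array pairs one after another, so the backslash inserted for '*' by the first pair is doubled by the '\\' pair that follows, and the output uses backslash-plus-character rather than the \XX hex form RFC 4515 specifies (NUL is not handled either). Since the result is concatenated into $filter in the first hunk, suggest moving the backslash pair to the front and emitting \5c, \2a, \28, \29 and \00, or calling PHP's own ldap_escape() with LDAP_ESCAPE_FILTER where it exists and keeping this function only as the fallback.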
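Review bot: in the debian/phpbb3.postinst hunk, the chgrp target moves to /var/lib/phpbb3/images/avatars/upload but nothing resets /var/lib/phpbb3/images/avatars, so a system upgraded from an earlier revision keeps the www-data group that the old line assigned to the parent directory. Suggest restoring the parent's intended group in the same block, or stating in the changelog why the leftover group is acceptable.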
--- End Message ---
--- Begin Message ---
- To: David Prévot <taffit@debian.org>, 778782-done@bugs.debian.org
- Subject: Re: Bug#778782: unblock: phpbb3/3.0.12-5
- From: Mehdi Dogguy <mehdi@dogguy.org>
- Date: Thu, 19 Feb 2015 20:29:26 +0100
- Message-id: <20150219192926.GG23417@dogguy.org>
- In-reply-to: <20150219181616.GA20723@mikado.tilapin.org>
- References: <20150219181616.GA20723@mikado.tilapin.org>
On Thu, Feb 19, 2015 at 02:16:16PM -0400, David Prévot <taffit@debian.org> wrote:
> Please unblock package phpbb3
>
> It fixes a compatibility issue with PHP 5.6 (if php5-ldap is installed)
> forbidding the administrator to setup an alternative authentication
> scheme (#778553). This trivial fix is cherry-picked from upstream and
> was already part of 3.0.13 as available in experimental.
>
> It also fixes two annoying Debian-specific images issues. Even if not
> critical, the fixes are really low risk.
>

Unblocked. Please talk to us next time though.

Regards,

--
Mehdi Dogguy
--- End Message ---