Re: [SECURITY] [DLA 1942-1] phpbb3 security update
Hi Mike,
On Wed, Oct 02, 2019 at 02:01:25PM +0000, Mike Gabriel wrote:
> On Tue 01 Oct 2019 13:32:25 CEST, Sylvain Beucler wrote:
> > I see you reverted affectation for CVE-2019-13376.
> >
> > CVE-2019-13376 is a follow-up fix to CVE-2019-16993 (2016) which I
> > registered just yesterday to clarify that we've been missing this earlier
> > fix (AFAICS unsuccessfully ;)).
> >
> > CVE-2019-13376 applies to 3.2.7 which already has the fix that you
> > thought was related (phpbb's SECURITY-231), which is a different
> > "vulnerability" (with quotes, as it just disables a feature by default,
> > which is expected to be re-enabled for CVE-2019-13376 to apply, as
> > mentioned in the write-up: "in the ACP, go to General > Avatar settings
> > and enable remote avatars").
> >
> > Consequently DLA 1942-1 fixes CVE-2019-13376 and CVE-2019-16993.
> > SECURITY-231 doesn't have a CVE assigned.
>
> Are you 100% sure on this?
That's what I conclude by reading the write-up and the code (and
requesting the new CVE). I didn't exploit the vulnerability.
If you wish to fix SECURITY-231 though you could request a CVE and fix
it independently.
> Let me collect my todos for this, then:
>
> * Uploaded package is ok (3.0.12-5+deb8u4), even the debian/changelog
> entry(?)
The changelog entry looks OK.
> * security-tracker (data/DLA/list) needs to be adapted and CVE-2019-13376
> needs to be re-added to DLA-1942-1(?)
I did so yesterday.
> * the dla-announcement needs to be re-done / replied to, and it needs to be
> declared that CVE-2019-13376 is in fact already fixed by +deb8u4
> * furthermore, I referenced CVE-2019-13776 in the announcement,
> rather than CVE-2019-13376 (typo, grrrr...)
>
> Correct?
That sounds right.
> Thanks for spotting this!
NP, I was just doing FrontDesk :)
Cheers!
Sylvain