
[SECURITY] [DLA 1593-1] phpbb3 security update




Package        : phpbb3
Version        : 3.0.12-5+deb8u2
CVE ID         : CVE-2018-19274

Simon Scannell and Robin Peraglie of RIPS Technologies discovered that
passing an absolute path to a file_exists check in phpBB, a
full-featured web forum, allows remote code execution through Object
Injection by employing Phar deserialization when an attacker has access
to the Admin Control Panel with founder permissions.

The fix for this issue resulted in the removal of setting the
ImageMagick path. The GD image library can be used as a replacement
and a new event to generate thumbnails was added, so it is possible to
write an extension that uses a different image library to generate
thumbnails.

For Debian 8 "Jessie", this problem has been fixed in version
3.0.12-5+deb8u2.

We recommend that you upgrade your phpbb3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
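
As an added illustration of the bug class described above (not phpBB's code and not the Debian patch, which removed the setting instead), the following PHP check refuses stream-wrapper paths before a configured directory reaches file_exists(). The function name, the allowed roots and the sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Added illustration, not phpBB code: validate an admin-supplied
 * directory setting before any filesystem function sees it.
 * Function name and allow-list are hypothetical.
 */
function is_plain_local_dir(string $path, array $allowedRoots): bool
{
    // Empty strings and NUL bytes are never valid directory settings.
    if ($path === '' || strpos($path, "\0") !== false) {
        return false;
    }
    // Anything shaped like scheme:// would send file_exists() and similar
    // calls through a stream wrapper (phar:// among them), so reject it
    // before touching the filesystem.
    if (preg_match('#^[A-Za-z][A-Za-z0-9+.\-]*://#', $path) === 1) {
        return false;
    }
    // Resolve symlinks and ../ segments; realpath() returns false when
    // the path does not exist.
    $real = realpath($path);
    if ($real === false || !is_dir($real)) {
        return false;
    }
    // Accept only directories at or below an allow-listed root.
    foreach ($allowedRoots as $root) {
        $rootReal = realpath($root);
        if ($rootReal === false) {
            continue;
        }
        $prefix = rtrim($rootReal, '/') . '/';
        if ($real === $rootReal || strpos($real, $prefix) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs (not taken from the advisory).
$roots = ['/usr/bin', '/usr/local/bin'];
$candidates = ['/usr/bin', 'phar:///tmp/example.phar/x', '/usr/bin/../../tmp'];
foreach ($candidates as $candidate) {
    $verdict = is_plain_local_dir($candidate, $roots) ? 'accept' : 'reject';
    printf("%-32s %s\n", $candidate, $verdict);
}
```

On a typical Linux host the first input is accepted and the other two are rejected: one for its scheme prefix, the other because it resolves outside the allowed roots.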

