[phpbb2] several remote vulnerabilities

Bug #191201 reported by disabled.user

Affects            Status         Importance   Assigned to   Milestone
phpbb2 (Debian)    Fix Released   Unknown
phpbb2 (Ubuntu)    Fix Released   Undecided    Unassigned
  Dapper           Won't Fix      Undecided    Unassigned
  Edgy             Won't Fix      Undecided    Unassigned
  Feisty           Won't Fix      Undecided    Unassigned
  Gutsy            Won't Fix      Undecided    Unassigned

Bug Description

Binary package hint: phpbb2

References:
DSA-1488-1 (http://www.debian.org/security/2008/dsa-1488)

Quoting:
"Several remote vulnerabilities have been discovered in phpBB, a web
based bulletin board.

The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2008-0471

        Private messaging allowed cross site request forgery, making
        it possible to delete all private messages of a user by sending
        them to a crafted web page.

CVE-2006-6841 / CVE-2006-6508

        Cross site request forgery enabled an attacker to perform various
        actions on behalf of a logged in user. (Applies to sarge only)

CVE-2006-6840

        A negative start parameter could allow an attacker to create
        invalid output. (Applies to sarge only)

CVE-2006-6839

        Redirection targets were not fully checked, leaving room for
        unauthorised external redirections via a phpBB forum.
        (Applies to sarge only)

CVE-2006-4758

        An authenticated forum administrator may upload files of any
        type by using specially crafted filenames. (Applies to sarge only)

For the stable distribution (etch), these problems have been fixed
in version 2.0.21-7.

For the old stable distribution (sarge), these problems have been
fixed in version 2.0.13+1-6sarge4.

For the unstable distribution (sid) these problems have been fixed
in version 2.0.22-3."
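The four issue classes in the quoted advisory (CSRF on a state-changing private-message action, an unchecked negative start parameter, an unvalidated redirect target, and an over-permissive upload filename check) are generic web-application bugs. The following is an added, language-neutral illustration written in Python for this page; it is not phpBB code and does not reproduce the phpBB fixes. The names (SERVER_SECRET, FORUM_HOST, delete_all_pms, safe_redirect_target, clamp_start, upload_filename_ok) and the sample inputs are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed values for the example; a real deployment reads these from config.
SERVER_SECRET = b"constructed-example-secret"
FORUM_HOST = "forum.example.org"
ALLOWED_UPLOAD_EXT = {"gif", "jpg", "jpeg", "png"}


def csrf_token(session_id: str) -> str:
    """Per-session anti-CSRF token: HMAC-SHA256 of the session id under a server secret."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def delete_all_pms(session_id: str, form: dict, inbox: list) -> bool:
    """State-changing action (cf. CVE-2008-0471). A cross-site page can make the
    browser send the session cookie, but it cannot read or forge the token, so the
    action is refused unless the submitted form carries the session's token."""
    supplied = form.get("form_token", "")
    expected = csrf_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False
    inbox.clear()
    return True


def clamp_start(raw, page_size: int = 25) -> int:
    """Pagination offset (cf. CVE-2006-6840): non-numeric or negative values
    become 0 instead of reaching the query / output layer unchanged."""
    try:
        start = int(raw)
    except (TypeError, ValueError):
        return 0
    return start if start >= 0 else 0


def safe_redirect_target(target: str, default: str = "index.php") -> str:
    """Redirect target check (cf. CVE-2006-6839): only relative paths or absolute
    http(s) URLs whose host is this forum are accepted; anything else falls back
    to a fixed default."""
    target = target.strip()
    if not target or any(ord(c) < 0x20 for c in target) or "\\" in target:
        return default  # header injection / backslash tricks
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # absolute or scheme-relative ("//evil") URL: must be http(s) on our host.
        # hostname (not netloc) defeats "http://forum.example.org@evil.example/".
        if parts.scheme not in ("http", "https") or parts.hostname != FORUM_HOST:
            return default
    return target


def upload_filename_ok(name: str) -> bool:
    """Upload filename check (cf. CVE-2006-4758). Conservative rule: no path
    separators or NUL bytes, and every extension segment must be allow-listed,
    so 'evil.php.jpg' is rejected, not just 'evil.php'."""
    if not name or "\x00" in name or "/" in name or "\\" in name:
        return False
    segments = name.split(".")
    if len(segments) < 2 or not segments[0]:
        return False
    return all(seg.lower() in ALLOWED_UPLOAD_EXT for seg in segments[1:])
```

The redirect check deliberately returns a fixed default rather than trying to "repair" a hostile URL, and the upload rule is stricter than a last-extension check because some web server configurations evaluate every extension in a multi-dotted filename.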

Revision history for this message
Christophe Sauthier (christophe.sauthier) wrote :

The current version in hardy (2.0.22-3) fixes that.

Changed in phpbb2:
status: New → Fix Released
Revision history for this message
Stephan Rügamer (sruegamer) wrote :

The older CVEs from 2006 are not fixed for gutsy down to dapper.

Changed in phpbb2:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
Changed in phpbb2:
status: Unknown → Fix Released
Revision history for this message
Hew (hew) wrote :

Ubuntu Edgy Eft is no longer supported, so a SRU will not be issued for this release. Marking Edgy as Won't Fix.

Changed in phpbb2:
status: Confirmed → Won't Fix
Revision history for this message
LumpyCustard (orangelumpycustard) wrote :

Please close for Feisty as Won't Fix? This goes for all the other Feisty bugs.

Revision history for this message
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in phpbb2:
status: Confirmed → Won't Fix
Revision history for this message
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in phpbb2 (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in phpbb2 (Ubuntu Dapper):
status: Confirmed → Won't Fix