Seems like masking was a good idea. Filing this to keep track of it and inform infra.
Any reason this bug is restricted?
Opening bug, checked with jaervosz (masked package). web-apps, please verify/advise, since there is no new upstream version available yet.
There's a "workaround" (disables the [url] feature) on the same thread on FD: http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0110.html The exploit is also public on milw0rm. JG
Since phpBB is masked, I guess we can wait for this to be fixed upstream. Objections? Btw... I think the ebuilds <=2.0.15 could be removed.
Version 2.0.17 has been released with a fix: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=308490
web-apps, please bump.
Bumped.
Then we are done.
I don't understand - it is hard-masked because of upstream problems, yet there is now NO stable version in portage? How are we "done", then?
We are done in that phpBB is security-challenged, shall we say, so it's p.masked. As such, there is no stable version in the tree.
I'm a bit confused. The GLSA http://www.gentoo.org/security/en/glsa/glsa-200507-03.xml says that phpBB won't be included in the portage repository, but this new version has been added to the tree, masked as it may be. Also, every program is continually facing vulnerabilities. That's why GLSA exists. So what does it mean it's security-challenged? Seems like that could apply only to programs that suffer from vulnerabilities that are not actively being addressed.
Eh, security folks, that GLSA is incorrect. It's still in the tree, just p.mask'ed.
Reopening to fix GLSA.
Replaced "removed" by "masked" in the GLSA.