
Bug 320977 (CVE-2010-1627)

Summary: <www-apps/phpBB-3.0.7_p1: Multiple vulnerabilities (CVE-2010-{1627,1630})
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: steffen, web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.phpbb.com/community/viewtopic.php?f=14&t=2014195
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-05-21 22:44:49 UTC
CVE-2010-1627 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1627):
  feed.php in phpBB 3.0.7 before 3.0.7-PL1 does not properly check
  permissions for feeds, which allows remote attackers to bypass
  intended access restrictions via unspecified attack vectors related
  to permission settings on a private forum.

Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-05-21 22:55:23 UTC
CVE-2010-1630 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1630):
  Unspecified vulnerability in posting.php in phpBB before 3.0.5 has
  unknown impact and attack vectors related to the use of a "forum id"
  in circumstances related to a "global announcement."

Comment 2 Steffen Schaumburg 2010-08-20 14:05:15 UTC
You can find updated ebuilds in bug #272311

Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-21 10:51:09 UTC
+*phpBB-3.0.7_p1 (21 Aug 2010)
+
+  21 Aug 2010; Alex Legler <a3li@gentoo.org> -phpBB-3.0.4.ebuild,
+  +phpBB-3.0.7_p1.ebuild:
+  Non-maintainer commit: Version bump for security bug 320977. Also closes
+  bump request 272311, thanks to all the people there who submitted ebuilds.
+  Removing vulnerable ebuild.
+
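Review bot: the entry body ("Version bump for security bug 320977 ... Removing vulnerable ebuild.") identifies the fix only by bug number; naming CVE-2010-1627 and CVE-2010-1630 there would let someone reading the ChangeLog alone see which issues the bump to phpBB-3.0.7_p1 addresses and why phpBB-3.0.4.ebuild was removed.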

Closing noglsa.