Summary: | <www-apps/phpBB-3.1.10: two vulnerabilities (CVE-2015-{1431,1432}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | chewi, gentoo-bugzilla, kripton, web-apps |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://wiki.phpbb.com/Release_Highlights/3.0.13 | | |
Whiteboard: | B4 [glsa cve] | | |
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-01-31 16:02:02 UTC
CVE-2015-1432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1432): The message_options function in includes/ucp/ucp_pm_options.php in phpBB before 3.0.13 does not properly validate the form key, which allows remote attackers to conduct CSRF attacks and change the full folder setting via unspecified vectors.

CVE-2015-1431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1431): Cross-site scripting (XSS) vulnerability in includes/startup.php in phpBB before 3.0.13 allows remote attackers to inject arbitrary web script or HTML via vectors related to "Relative Path Overwrite."

web-apps: Can we get an updated ebuild please?

Latest release upstream: 3.1.10 (2016-10-12)
Latest release currently in tree: 3.0.12

Seems the package is no longer maintained and hasn't been touched since the Git migration.

I've just seen the p.mask mail about this one. I think removing this would be very unfortunate. 3.1.10 is the latest but the 3.0 series is still maintained upstream, the latest being 3.0.14, which isn't far off 3.0.12. The three ebuilds currently in the tree are practically identical because 3.0 only sees security fixes now. A simple rename bump would almost certainly be sufficient.

It's worth noting that although the 3.1 series obviously hasn't been addressed, it's a bit late in the day to add it now. 3.2.0 is at RC1 so any renewed Gentoo effort may as well start there.

I still use 3.0 myself but, unlike the other two web-apps I manage through Portage, this is one I handle manually. It's for a forum that sees less than one post a month now and I only keep it going for nostalgia. I'm therefore not looking to take this package on and I'm already swamped. I just thought I should speak up.

Personally, I don't think web-apps people will oppose you taking it and updating the version :/

There's a PR which adds https://github.com/gentoo/gentoo/pull/2969 v3.1.10. I talked with the user and he isn't really interested in proxy-maintaining this package (he doesn't even use it). So I am suggesting to reject the PR and continue with the scheduled removal.

BTW: v3.0.x will be EOL from 2017-01-01, see https://www.phpbb.com/community/viewtopic.php?f=14&t=2373956 ... so our scheduled removal date will match.

(In reply to Thomas Deutschmann from comment #6)
> There's a PR which adds https://github.com/gentoo/gentoo/pull/2969 v3.1.10.
> I talked with the user and he isn't really interested in proxy-maintaining
> this package (he doesn't even use it). So I am suggesting to reject the PR
> and continue with the scheduled removal.

I'm going to have a look at that. If I can set up a test environment, I'll push a new version and take over maintenance.

Any updates on this?

(In reply to Pacho Ramos from comment #8)
> any updates on this?

I spent 10 minutes just now installing 3.1.10 from the PR, configuring with PostgreSQL, and making a post. It all worked fine. Is that enough to keep it? It's evidently a very low-maintenance package if it required literally no changes (aside from EAPI) between 3.0 and 3.1.

Simply go ahead, push the PR to the main tree to get this bug solved and that will be more than enough for keeping it ;)

(In reply to Pacho Ramos from comment #10)
> Simply go ahead, push the PR to the main tree to get this bug solved and
> that will be more than enough for keeping it ;)

NO! Please see my comment #6. This bug has already been open for 2y and nobody fixed it. The user who submitted the PR has no interest in proxy-maintaining the package. We should stop giving potential users the wrong feeling that this package is somehow maintained in Gentoo. So please only take action if you are really going to care. Otherwise please continue with tree cleaning...

I'll take it on if I have to. But you'll need to wait a few days, I'm away right now.

3.1.10 is now in the tree and 3.0.x is now removed. Security team, please do your thing.

New GLSA request to inform users about dropping the package to ~ARCH created.

This issue was resolved and addressed in GLSA 201701-25 at https://security.gentoo.org/glsa/201701-25 by GLSA coordinator Aaron Bauman (b-man).
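As an added illustration of the missing check that the CVE-2015-1432 entry in the description refers to (example code written for this page, not phpBB's own), a simplified phpBB-style form key that a settings handler verifies before applying the change, shown in its unchecked and checked shapes. The HMAC construction, the lifetime, the field names creation_time, form_token and full_action, the form name ucp_pm_options and the FORM_INVALID error are assumptions.

```php
<?php
// Added illustration, not phpBB's own code: a simplified model of a phpBB-style
// form key guarding a "full folder" settings change. The HMAC scheme, field
// names and the two-hour lifetime are assumptions made for this example.

const FORM_KEY_LIFETIME = 7200; // seconds a form key stays valid (assumed)
// Issued when the form is rendered; both values become hidden form fields.
function add_form_key(string $session_secret, string $form_name, int $now): array
{
    $token = hash_hmac('sha256', "$now|$form_name", $session_secret);
    return ['creation_time' => $now, 'form_token' => $token];
}

// Validates the fields that came back with the POST: present, not expired,
// and matching the HMAC for this session and form (constant-time compare).
function check_form_key(string $session_secret, string $form_name, array $post, int $now): bool
{
    if (!isset($post['creation_time'], $post['form_token'])) {
        return false;
    }
    $created = (int) $post['creation_time'];
    if ($created > $now || $now - $created > FORM_KEY_LIFETIME) {
        return false;
    }
    $expected = hash_hmac('sha256', "$created|$form_name", $session_secret);
    return hash_equals($expected, (string) $post['form_token']);
}

// Vulnerable shape (CSRF): any POST naming the option changes it, with nothing
// tying the request to a form this user's session actually rendered.
function update_full_folder_unchecked(array $post, array $settings): array
{
    if (isset($post['full_action'])) {
        $settings['full_folder'] = (int) $post['full_action'];
    }
    return $settings;
}

// Hardened shape: the change only happens when the form key validates, and the
// key is bound to the session secret and to this specific form name.
function update_full_folder_checked(string $secret, array $post, array $settings, int $now): array
{
    if (isset($post['full_action'])) {
        if (!check_form_key($secret, 'ucp_pm_options', $post, $now)) {
            throw new RuntimeException('FORM_INVALID');
        }
        $settings['full_folder'] = (int) $post['full_action'];
    }
    return $settings;
}
```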