Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 98058

Summary: www-apps/phpBB Unpatched phpBB XSS
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: lcars, mvolaski, web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0093.html
Whiteboard: ~4 [masked] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-05 14:51:16 UTC 
Seems like masking was a good idea. Filing this to keep track of it and inform infra.
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2005-07-08 04:23:21 UTC 
any reason this bug is restricted?
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2005-07-09 12:23:37 UTC 
opening bug, checked with jaervosz

(masked package)

web-apps, pls verify/advise, since there is no new upstream version available yet
Comment 3 JG 2005-07-09 14:28:02 UTC 
there's a "workaround" (disables [url] feature) on the same thread on fd: 
http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0110.html  
  
exploit is also public on milw0rm 
  
JG
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2005-07-10 09:16:08 UTC 
Since phpBB is masked, I guess we can wait for this to be fixed upstream.
Objections?

Btw... I think the ebuilds <=2.0.15 could be removed.
Comment 5 David Bosso 2005-07-19 16:06:48 UTC 
Version 2.0.17 has been released with a fix:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=308490
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-19 22:05:10 UTC 
web-apps please bump.
Comment 7 Renat Lumpau (RETIRED) gentoo-dev 2005-07-20 05:10:38 UTC 
bumped
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-07-20 05:25:10 UTC 
Then we are done.
Comment 9 Jeroen Geilman 2005-08-23 12:40:42 UTC 
I don't understand - it is hard masked because of upstream problems, yet there
is now NO stable version in portage ?
How are we "done", then ?
Comment 10 Renat Lumpau (RETIRED) gentoo-dev 2005-08-23 12:43:29 UTC 
We are done in that phpBB is security-challenged, shall we say, so it's
p.masked. As such, there is no stable version in the tree.
Comment 11 Maurice Volaski 2005-08-31 13:01:33 UTC 
I'm a bit confused. The GLSA http://www.gentoo.org/security/en/glsa/glsa-200507-03.xml says that 
phpBB won't be included in the portage repository, but this new version has been added to the tree, 
masked as it may be.

Also, every program is continually facing vulnerabilities. That's why GLSA exists. So what does it mean 
it's security-challenged? Seems like that could apply only to programs that suffer from vulnerabilities 
that are not actively being addressed.
Comment 12 Renat Lumpau (RETIRED) gentoo-dev 2005-08-31 15:47:23 UTC 
Eh, security folks, that GLSA is incorrect. It's still in the tree, just p.mask'ed.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-31 22:05:25 UTC 
Reopening to fix GLSA.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-09-03 02:13:22 UTC 
Replaced "removed" by "masked" in the GLSA.