CVE-2023-36813: Multiple Authenticated SQL Injections


Debian Bug report logs - #1040265

Package: kanboard; Maintainer for kanboard is Joseph Nahmias <jello@debian.org>; Source for kanboard is src:kanboard (PTS, buildd, popcon).

Reported by: Joseph Nahmias <joe@nahmias.net>

Date: Tue, 4 Jul 2023 00:36:01 UTC

Severity: important

Tags: security, upstream

Found in version kanboard/1.2.30+ds-1

Fixed in version kanboard/1.2.31+ds-1

Done: Joseph Nahmias <jello@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, joe@nahmias.net, team@security.debian.org, Joseph Nahmias <jello@debian.org>:
Bug#1040265; Package kanboard. (Tue, 04 Jul 2023 00:36:03 GMT)


Acknowledgement sent to Joseph Nahmias <joe@nahmias.net>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, joe@nahmias.net, team@security.debian.org, Joseph Nahmias <jello@debian.org>. (Tue, 04 Jul 2023 00:36:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Joseph Nahmias <joe@nahmias.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2023-36813: Multiple Authenticated SQL Injections
Date: Mon, 03 Jul 2023 20:33:08 -0400
Package: kanboard
Severity: important
Tags: security upstream
X-Debbugs-Cc: team@security.debian.org, joe@nahmias.net, Debian Security Team <team@security.debian.org>

https://github.com/kanboard/kanboard/security/advisories/GHSA-9gvq-78jp-jxcx

Summary

During a review of this project, I found multiple SQL Injections. It appears
that in some insert and update operations, the code improperly uses the PicoDB
library to update/insert new information.
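The report only says that some insert/update paths use the query builder improperly. The added PHP example below (written for this page, not Kanboard's or PicoDB's code) models the general bug class: a builder-style update helper in which bound parameters protect the values while the column names, which are SQL identifiers and cannot be bound, are spliced into the statement text. The hardened variant allowlists and quotes the identifiers. The `tasks` table, the SQLite/PDO setup, and the assumption that request-supplied array keys are forwarded as column names are all assumptions; whether that is the exact Kanboard pattern is not stated in the report.

```php
<?php
// Added example, not Kanboard or PicoDB code. Assumptions: SQLite via PDO,
// a hypothetical "tasks" table, and a caller that forwards request-supplied
// array keys as column names.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tasks (id INTEGER PRIMARY KEY, title TEXT, is_active INTEGER NOT NULL DEFAULT 1)');
$db->exec("INSERT INTO tasks (title) VALUES ('first'), ('second')");

// Weak pattern: every key of $values becomes an unquoted, unvalidated identifier.
// Parameter binding covers the values only; the SQL text itself is shaped by
// whoever controls the keys.
function buildUpdateUnsafe(array $values): string
{
    $sets = [];
    foreach (array_keys($values) as $column) {
        $sets[] = $column . ' = ?';          // identifier taken verbatim
    }
    return 'UPDATE tasks SET ' . implode(', ', $sets) . ' WHERE id = ?';
}

// Hardened pattern: accept only columns from a fixed allowlist and quote them.
const TASK_COLUMNS = ['title', 'is_active'];

function buildUpdateSafe(array $values): string
{
    $sets = [];
    foreach (array_keys($values) as $column) {
        if (!in_array($column, TASK_COLUMNS, true)) {
            throw new InvalidArgumentException("Unknown column: $column");
        }
        $sets[] = '"' . $column . '" = ?';   // quoted, allowlisted identifier
    }
    return 'UPDATE tasks SET ' . implode(', ', $sets) . ' WHERE id = ?';
}

// Only the hardened builder is ever used to run a statement.
function updateTask(PDO $db, int $id, array $values): int
{
    $stmt = $db->prepare(buildUpdateSafe($values));
    $stmt->execute(array_merge(array_values($values), [$id]));
    return $stmt->rowCount();
}

// Constructed request body: the keys are chosen by the client, not the app.
$fromRequest = ['title' => 'renamed', 'is_active' => 0];
echo buildUpdateUnsafe($fromRequest), "\n";   // shows that any key reaches the SQL text
echo 'rows updated: ', updateTask($db, 1, $fromRequest), "\n";

// An unexpected key is rejected before any SQL is built.
try {
    updateTask($db, 1, ['owner_id' => 5]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The check to carry away from this: prepared statements only protect the positions where a driver allows a placeholder, and identifiers are not such a position. Any code path that builds column lists from caller data needs an allowlist (or a schema lookup) before the builder sees it, which is the kind of change the Debian changelog describes upstream making while keeping plugin compatibility.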



Reply sent to Joseph Nahmias <jello@debian.org>:
You have taken responsibility. (Tue, 04 Jul 2023 03:21:03 GMT)


Notification sent to Joseph Nahmias <joe@nahmias.net>:
Bug acknowledged by developer. (Tue, 04 Jul 2023 03:21:03 GMT)


Message #10 received at 1040265-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1040265-close@bugs.debian.org
Subject: Bug#1040265: fixed in kanboard 1.2.31+ds-1
Date: Tue, 04 Jul 2023 03:19:22 +0000
Source: kanboard
Source-Version: 1.2.31+ds-1
Done: Joseph Nahmias <jello@debian.org>

We believe that the bug you reported is fixed in the latest version of
kanboard, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1040265@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joseph Nahmias <jello@debian.org> (supplier of updated kanboard package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 03 Jul 2023 20:54:54 -0400
Source: kanboard
Architecture: source
Version: 1.2.31+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Joseph Nahmias <jello@debian.org>
Changed-By: Joseph Nahmias <jello@debian.org>
Closes: 1040265
Changes:
 kanboard (1.2.31+ds-1) unstable; urgency=medium
 .
   * New upstream version 1.2.31+ds
     - CVE-2023-36813: Avoid potential SQL injections without breaking
       compatibility with plugins
       https://github.com/kanboard/kanboard/security/advisories/GHSA-9gvq-78jp-jxcx
       (Closes: #1040265)
   * drop patches merged upstream; refresh others
Checksums-Sha1:
 b5dbd76148dcfa26809e5dda9dab320ab6616dc4 2765 kanboard_1.2.31+ds-1.dsc
 12aa9e6ede555b2cbd63ce3a4a35a88ff468dd94 984604 kanboard_1.2.31+ds.orig.tar.xz
 04a0e77dfb8ae9d91f9e45cef42d39222a54907a 11700 kanboard_1.2.31+ds-1.debian.tar.xz
 9873e0de7b9139eb345cd299e29458e13ad3e4af 11512 kanboard_1.2.31+ds-1_amd64.buildinfo
Checksums-Sha256:
 d5f9983a7630220ee6e5a0533a9ffeb14a6e9ad5780cd80fe871bb3bc96f2b21 2765 kanboard_1.2.31+ds-1.dsc
 b9309871dcfa5979f05918d4a159656a5cac5ebf4f15a23919638cfbb4b2f1fe 984604 kanboard_1.2.31+ds.orig.tar.xz
 b40da455baa52474fdc28946bf3ff81b52b0bf5718e0456f731d6752b7a1aac7 11700 kanboard_1.2.31+ds-1.debian.tar.xz
 290d8f66d34fac15e33e80f3b979bcb1fd92b2ab29e8d72db4fef4adbc182755 11512 kanboard_1.2.31+ds-1_amd64.buildinfo
Files:
 7d47be2183b60adb51bcff1a4cb95832 2765 web optional kanboard_1.2.31+ds-1.dsc
 3f02465416b9a7485f3bb5d09c48fea9 984604 web optional kanboard_1.2.31+ds.orig.tar.xz
 d03b11fa4388ccc29d58c0b31749d0e9 11700 web optional kanboard_1.2.31+ds-1.debian.tar.xz
 4e6c0fc8db1c1231b1d69ed39fb97e38 11512 web optional kanboard_1.2.31+ds-1_amd64.buildinfo

Marked as found in versions kanboard/1.2.30+ds-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 04 Jul 2023 04:09:02 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jul 4 18:36:13 2023; Machine Name: bembo

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.