Debian Bug report logs - #612477
CVE-2011-0544: Execute javascript in [flash=] BBCode
Reported by: Paul Sohier <paul@paulscripts.nl>
Date: Tue, 8 Feb 2011 18:09:01 UTC
Severity: important
Tags: security
Merged with 616144
Found in version phpbb3/3.0.7-PL1-4
Fixed in version phpbb3/3.0.7-PL1-5
Done: David Prévot <taffit@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>: Bug#612477; Package phpbb3. (Tue, 08 Feb 2011 18:09:04 GMT)
Acknowledgement sent to Paul Sohier <paul@paulscripts.nl>: New Bug report received and forwarded. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. (Tue, 08 Feb 2011 18:09:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: phpbb3
Version: 3.0.7-PL1-4
Tags: security
Hi,
phpBB3 was released on November 20 last year and fixed a security
issue that doesn't seem to be fixed in phpBB3.0.8-pl1-4 from the Debian repo.
See this topic at phpBB.com for more information:
http://www.phpbb.com/community/viewtopic.php?f=14&t=2111068
Paul.
Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>: Bug#612477; Package phpbb3. (Tue, 08 Feb 2011 19:06:06 GMT)
Acknowledgement sent to jm@roth.lu: Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. (Tue, 08 Feb 2011 19:06:06 GMT)
Message #10 received at 612477@bugs.debian.org:
tag 612477 + pending
thanks
It's already in SVN (r599)...
Added tag(s) pending. Request was from jm@roth.lu to control@bugs.debian.org. (Tue, 08 Feb 2011 19:06:08 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>: Bug#612477; Package phpbb3. (Tue, 08 Feb 2011 19:09:04 GMT)
Acknowledgement sent to Paul Sohier <paul@paulscripts.nl>: Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. (Tue, 08 Feb 2011 19:09:04 GMT)
Message #17 received at 612477@bugs.debian.org:
Thanks, however I have 2 small comments. First of all, there should be
no newline at the end of that file (it can cause an unwanted notice about
sending headers in certain cases), and secondly, there should be a
mention of the requirement that the script for fixing existing posts
should be run, or the script should just be run at upgrade.
Otherwise only new posts will not be vulnerable; old posts still are.
Paul.
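Paul's point above, that fixing the BBCode parser protects only posts submitted afterwards while already-stored posts must still be scanned or reparsed, as an added Python illustration (not phpBB's own PHP code and not the Debian patch): a scheme allowlist for the URL inside a [flash=width,height]url[/flash] tag, used both as an input check and as a scanner over stored post bodies. The tag grammar, the function names and the sample posts are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Assumed tag grammar for this illustration: [flash=width,height]url[/flash]
FLASH_RE = re.compile(r"\[flash=(\d+),(\d+)\](.*?)\[/flash\]", re.IGNORECASE | re.DOTALL)

# Only absolute http(s) URLs may end up in the <object>/<embed> the tag renders
# to; javascript:, data:, vbscript: and similar schemes are never acceptable.
ALLOWED_SCHEMES = {"http", "https"}


def flash_url_is_safe(url: str) -> bool:
    """Allowlist check on the URL part of a [flash] tag."""
    # Whitespace or control characters inside the URL are a classic way to
    # slip a scheme past a naive prefix check, so reject them outright.
    if any(ch.isspace() or not ch.isprintable() for ch in url):
        return False
    parts = urlsplit(url)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def unsafe_flash_urls(body: str) -> list:
    """Return every [flash] URL in a post body that fails the allowlist."""
    return [m.group(3) for m in FLASH_RE.finditer(body)
            if not flash_url_is_safe(m.group(3))]


def neutralise_flash_bbcode(body: str) -> str:
    """Replace unsafe [flash] tags with an inert marker; safe ones are kept."""
    def repl(m: re.Match) -> str:
        return m.group(0) if flash_url_is_safe(m.group(3)) else "[unsafe flash tag removed]"
    return FLASH_RE.sub(repl, body)


# Constructed sample of stored post bodies keyed by post id (not real forum data).
SAMPLE_POSTS = {
    1: "[flash=425,350]http://example.org/clip.swf[/flash]",
    2: "look: [flash=1,1]javascript:void(0)[/flash]",
    3: "[flash=425,350]  JaVaScRiPt:void(0)[/flash]",
    4: "no flash tag here",
}


def scan_posts(posts: dict) -> list:
    """The 'scanner' half of the fix: ids of already-stored posts that still
    carry an unsafe [flash] URL and must be reparsed or neutralised, because
    the parser fix only protects posts submitted after the upgrade."""
    return sorted(pid for pid, body in posts.items() if unsafe_flash_urls(body))


if __name__ == "__main__":
    print("posts needing repair:", scan_posts(SAMPLE_POSTS))
```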
Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>: Bug#612477; Package phpbb3. (Tue, 08 Feb 2011 19:09:06 GMT)
Acknowledgement sent to jm@roth.lu: Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. (Tue, 08 Feb 2011 19:09:06 GMT)
Message #22 received at 612477@bugs.debian.org:
Here:
http://svn.wolffelaar.nl/wsvn/phpbb/trunk/phpbb3/patches/031_fix_cross_site_scripting_vulnerability_3.0.8
Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>: Bug#612477; Package phpbb3. (Tue, 08 Feb 2011 19:15:08 GMT)
Acknowledgement sent to Paul Sohier <paul@paulscripts.nl>: Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. (Tue, 08 Feb 2011 19:15:08 GMT)
Message #27 received at 612477@bugs.debian.org:
Hi,
Sorry, I was unable to find it in SVN; where exactly is it located?
Paul.
Changed Bug title to 'flash BBCode security patch required (+scanner?)' from 'phpBB3.0.8 has been released last november and fixed a security bug'. Request was from jm@roth.lu to control@bugs.debian.org. (Tue, 08 Feb 2011 19:27:06 GMT)
Removed tag(s) pending. Request was from jm@roth.lu to control@bugs.debian.org. (Tue, 08 Feb 2011 19:27:07 GMT)
Severity set to 'important' from 'normal'. Request was from henri@nerv.fi to control@bugs.debian.org. (Wed, 02 Mar 2011 20:39:09 GMT)
Changed Bug title to 'CVE-2011-0544: Execute javascript in [flash=] BBCode' from 'flash BBCode security patch required (+scanner?)'. Request was from henri@nerv.fi to control@bugs.debian.org. (Wed, 02 Mar 2011 20:39:11 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>: Bug#612477; Package phpbb3. (Wed, 02 Mar 2011 21:00:03 GMT)
Acknowledgement sent to henri@nerv.fi: Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. (Wed, 02 Mar 2011 21:00:03 GMT)
Message #42 received at 612477@bugs.debian.org:
CVE identifier CVE-2011-0544 has been assigned to this issue.
http://seclists.org/oss-sec/2011/q1/174
Best regards,
Henri Salo
Added tag(s) pending. Request was from www-data <www-data@wolffelaar.nl> to control@bugs.debian.org. (Sun, 06 Mar 2011 23:03:09 GMT)
Message sent to Paul Sohier <paul@paulscripts.nl>: Bug#612477. (Sun, 06 Mar 2011 23:21:05 GMT)
Message #47 received at 612477-submitter@bugs.debian.org:
# Fixed in r604 by taffit
tag 612477 + pending
thanks
These bugs are fixed in revision 604 by taffit
Log message:
Reference for XSS: closes: #612477 [CVE-2011-0544]
Reply sent to David Prévot <taffit@debian.org>: You have taken responsibility. (Mon, 23 May 2011 21:54:12 GMT)
Notification sent to Paul Sohier <paul@paulscripts.nl>: Bug acknowledged by developer. (Mon, 23 May 2011 21:54:12 GMT)
Message #52 received at 612477-close@bugs.debian.org:
Source: phpbb3
Source-Version: 3.0.7-PL1-5
We believe that the bug you reported is fixed in the latest version of
phpbb3, which is due to be installed in the Debian FTP archive:
phpbb3-l10n_3.0.7-PL1-5_all.deb to main/p/phpbb3/phpbb3-l10n_3.0.7-PL1-5_all.deb
phpbb3_3.0.7-PL1-5.debian.tar.gz to main/p/phpbb3/phpbb3_3.0.7-PL1-5.debian.tar.gz
phpbb3_3.0.7-PL1-5.dsc to main/p/phpbb3/phpbb3_3.0.7-PL1-5.dsc
phpbb3_3.0.7-PL1-5_all.deb to main/p/phpbb3/phpbb3_3.0.7-PL1-5_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 612477@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software, pp. David Prévot <taffit@debian.org> (supplier of updated phpbb3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 23 May 2011 15:59:05 -0400
Source: phpbb3
Binary: phpbb3 phpbb3-l10n
Architecture: source all
Version: 3.0.7-PL1-5
Distribution: unstable
Urgency: low
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: David Prévot <taffit@debian.org>
Description:
phpbb3 - full-featured, skinnable non-threaded web forum
phpbb3-l10n - additional language files for phpBB
Closes: 595536 597373 599480 612441 612477 613060
Changes:
phpbb3 (3.0.7-PL1-5) unstable; urgency=low
.
[ David Prévot ]
* Fix broken cache, thanks to Nicolas Schodet (actually closes: #599480).
* Fix cross site scripting vulnerability (closes: #612477) [CVE-2011-0544].
* Enforce run_sql with "-h localhost" when $dbc_dbserver is empty
(closes: #613060).
* Don't use local lib on preinst (closes: #595536).
* Update to policy 3.9.2: no change needed.
* Update my email address.
.
[ Jean-Marc Roth ]
* Fix postgres failure when postgres server is remote (closes: #612441).
* Don't be too rude on trying to uninstall when unsupported webserver is
used (closes: #597373).
Reply sent to David Prévot <taffit@debian.org>: You have taken responsibility. (Mon, 23 May 2011 21:54:13 GMT)
Notification sent to henri@nerv.fi: Bug acknowledged by developer. (Mon, 23 May 2011 21:54:13 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 02 Jul 2011 07:37:34 GMT)
Last modified: Wed Jun 19 19:21:15 2019