php-illuminate-validation: CVE-2021-43617: Failure to block the upload of executable PHP content

Related Vulnerabilities: CVE-2021-43617   CVE-2021-43808  

Debian Bug report logs - #1002728


Reported by: Robin Gustafsson <robin@rgson.se>

Date: Tue, 28 Dec 2021 12:18:02 UTC

Severity: important

Tags: security, upstream

Found in version php-laravel-framework/6.20.14+dfsg-2

Fixed in version php-laravel-framework/6.20.14+dfsg-3

Done: Robin Gustafsson <robin@rgson.se>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#1002728; Package php-illuminate-validation. (Tue, 28 Dec 2021 12:18:03 GMT)


Acknowledgement sent to Robin Gustafsson <robin@rgson.se>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Tue, 28 Dec 2021 12:18:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Robin Gustafsson <robin@rgson.se>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php-illuminate-validation: Failure to block the upload of executable PHP content
Date: Tue, 28 Dec 2021 13:14:34 +0100
Package: php-illuminate-validation
Version: 6.20.14+dfsg-2
Severity: important
Tags: upstream security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

A security issue (CVE-2021-43617) has been published regarding the
failure to block uploads containing executable PHP content in the form
of .phar files.

The issue has been fixed upstream in versions 6.20.41 and 8.73.0.

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43617
[2] https://security-tracker.debian.org/tracker/CVE-2021-43617
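The defect class named in the report above is an extension denylist in the upload validator that does not cover every file name the web server will hand to the PHP interpreter. The following Python script is an added example, not code from the Laravel project, the Debian package or the reporter: it models a hypothetical pre-fix denylist (php, php3, php4, php5, phtml), the post-fix list with phar added, and the FilesMatch pattern `.+\.ph(ar|p|tml)$` that the Debian-packaged libapache2-mod-php configuration uses to route requests to mod_php (quoted from memory and treated as an assumption; the CVE description itself notes that .phar is handled as application/x-httpd-php on Debian-based systems). It then lists the names that the server would execute but the validator would accept, which for the pre-fix list is exactly the .phar case. The sample file names are constructed for the example.

```python
"""Compare an upload validator's extension denylist with the set of file
names the web server actually hands to the PHP interpreter.

Added example; not code from the Laravel project or the Debian package.
"""
import re

# Extensions a hypothetical pre-fix validator refuses. This is an assumed
# stand-in for the real list, which the bug report does not reproduce.
PRE_FIX_BLOCKED = frozenset({"php", "php3", "php4", "php5", "phtml"})
# The fix for CVE-2021-43617 adds .phar to the blocked extensions.
POST_FIX_BLOCKED = PRE_FIX_BLOCKED | {"phar"}

# FilesMatch pattern from the Debian-packaged libapache2-mod-php
# configuration as recalled by the author of this example (assumption):
#   <FilesMatch ".+\.ph(ar|p|tml)$">  SetHandler application/x-httpd-php
# Apache regexes are unanchored searches and case-sensitive by default.
DEBIAN_PHP_HANDLER = re.compile(r".+\.ph(ar|p|tml)$")

# Constructed sample of client-supplied file names (not from the report).
SAMPLE_UPLOADS = [
    "avatar.png",
    "shell.php",
    "shell.phtml",
    "shell.phar",
    "shell.PHP",
    "shell.php.png",
    "report.tar",
]


def extension(filename: str) -> str:
    """Extension as a denylist validator would see it: the last dot
    component of the basename, whitespace-trimmed and lower-cased;
    '' when the name has no extension."""
    base = filename.rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].strip().lower()


def validator_blocks(filename: str, blocked: frozenset) -> bool:
    """Denylist check: True when the validator would reject the upload."""
    return extension(filename) in blocked


def server_executes(filename: str) -> bool:
    """True when the assumed Apache config routes the file to mod_php."""
    return DEBIAN_PHP_HANDLER.search(filename) is not None


def coverage_gaps(filenames, blocked: frozenset) -> list:
    """Names the server would execute that the validator lets through.
    A non-empty result is the CVE-2021-43617 class of bug."""
    return [f for f in filenames
            if server_executes(f) and not validator_blocks(f, blocked)]


def allowlist_accepts(filename: str, allowed: frozenset) -> bool:
    """Preferred shape of the check: accept only the extensions the
    application expects, so a new handler mapping on the server cannot
    silently widen what the validator lets through."""
    ext = extension(filename)
    return ext != "" and ext in allowed


if __name__ == "__main__":
    print("pre-fix gaps :", coverage_gaps(SAMPLE_UPLOADS, PRE_FIX_BLOCKED))
    print("post-fix gaps:", coverage_gaps(SAMPLE_UPLOADS, POST_FIX_BLOCKED))
```

Run against the sample names, the pre-fix denylist leaves only shell.phar as a gap and the post-fix list leaves none; shell.PHP is blocked by the lower-casing validator and, under a case-sensitive FilesMatch, would not be executed anyway. The analysis is only as good as the handler pattern it is fed: a deployment that maps additional extensions to PHP (or uses a different server) needs its own pattern, which is why the allow-list form is the safer default, and neither check replaces content-based MIME inspection.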



Reply sent to Robin Gustafsson <robin@rgson.se>:
You have taken responsibility. (Tue, 28 Dec 2021 16:54:05 GMT)


Notification sent to Robin Gustafsson <robin@rgson.se>:
Bug acknowledged by developer. (Tue, 28 Dec 2021 16:54:05 GMT)


Message #10 received at 1002728-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1002728-close@bugs.debian.org
Subject: Bug#1002728: fixed in php-laravel-framework 6.20.14+dfsg-3
Date: Tue, 28 Dec 2021 16:51:07 +0000
Source: php-laravel-framework
Source-Version: 6.20.14+dfsg-3
Done: Robin Gustafsson <robin@rgson.se>

We believe that the bug you reported is fixed in the latest version of
php-laravel-framework, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1002728@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robin Gustafsson <robin@rgson.se> (supplier of updated php-laravel-framework package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Dec 2021 16:18:01 +0100
Source: php-laravel-framework
Binary: php-illuminate-auth php-illuminate-broadcasting php-illuminate-bus php-illuminate-cache php-illuminate-config php-illuminate-console php-illuminate-container php-illuminate-contracts php-illuminate-cookie php-illuminate-database php-illuminate-encryption php-illuminate-events php-illuminate-filesystem php-illuminate-hashing php-illuminate-http php-illuminate-log php-illuminate-mail php-illuminate-notifications php-illuminate-pagination php-illuminate-pipeline php-illuminate-queue php-illuminate-redis php-illuminate-routing php-illuminate-session php-illuminate-support php-illuminate-translation php-illuminate-validation php-illuminate-view php-laravel-framework
Architecture: source all
Version: 6.20.14+dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: Robin Gustafsson <robin@rgson.se>
Description:
 php-illuminate-auth - Illuminate Auth library component for PHP
 php-illuminate-broadcasting - Illuminate Broadcasting library component for PHP
 php-illuminate-bus - Illuminate Bus library component for PHP
 php-illuminate-cache - Illuminate Cache library component for PHP
 php-illuminate-config - Illuminate Config library component for PHP
 php-illuminate-console - Illuminate Console library component for PHP
 php-illuminate-container - Illuminate Container library component for PHP
 php-illuminate-contracts - Illuminate Contracts library component for PHP
 php-illuminate-cookie - Illuminate Cookie library component for PHP
 php-illuminate-database - Illuminate Database library component for PHP
 php-illuminate-encryption - Illuminate Encryption library component for PHP
 php-illuminate-events - Illuminate Events library component for PHP
 php-illuminate-filesystem - Illuminate Filesystem library component for PHP
 php-illuminate-hashing - Illuminate Hashing library component for PHP
 php-illuminate-http - Illuminate Http library component for PHP
 php-illuminate-log - Illuminate Log library component for PHP
 php-illuminate-mail - Illuminate Mail library component for PHP
 php-illuminate-notifications - Illuminate Notifications library component for PHP
 php-illuminate-pagination - Illuminate Pagination library component for PHP
 php-illuminate-pipeline - Illuminate Pipeline library component for PHP
 php-illuminate-queue - Illuminate Queue library component for PHP
 php-illuminate-redis - Illuminate Redis library component for PHP
 php-illuminate-routing - Illuminate Routing library component for PHP
 php-illuminate-session - Illuminate Session library component for PHP
 php-illuminate-support - Illuminate Support library component for PHP
 php-illuminate-translation - Illuminate Translation library component for PHP
 php-illuminate-validation - Illuminate Validation library component for PHP
 php-illuminate-view - Illuminate View library component for PHP
 php-laravel-framework - web application framework for PHP
Closes: 1001333 1002728
Changes:
 php-laravel-framework (6.20.14+dfsg-3) unstable; urgency=high
 .
   * Fix security issue: XSS vulnerability in the Blade templating engine
     (CVE-2021-43808, Closes: #1001333)
   * Fix security issue: Failure to block the upload of executable PHP content
     (CVE-2021-43617, Closes: #1002728)
   * Rename main branch to debian/latest (DEP-14)
   * Update lintian override to php-markdown
   * Bump Standards-Version
Checksums-Sha1:
 7fa0287ea6ff7c0fcd5f028a05d0bd0126d0a8a3 4222 php-laravel-framework_6.20.14+dfsg-3.dsc
 48956bbcf72d9ee45045f3fbb33448dc730c0b5a 9884 php-laravel-framework_6.20.14+dfsg-3.debian.tar.xz
 a38b8afb844dd947cfed7a7ae77fbfc6c3c666ef 25564 php-illuminate-auth_6.20.14+dfsg-3_all.deb
 69dfea4738206c74d085b9b27585bf56d79a5f53 10908 php-illuminate-broadcasting_6.20.14+dfsg-3_all.deb
 f87ce61f35b6b0a2632226d7bcb25f2aeaf83bec 5964 php-illuminate-bus_6.20.14+dfsg-3_all.deb
 13819e67b287539adde2ec0d05a3baa33633bed2 20436 php-illuminate-cache_6.20.14+dfsg-3_all.deb
 150b0a169f6e97c8c1b87455f85389399514eda9 4600 php-illuminate-config_6.20.14+dfsg-3_all.deb
 652ce4e893b8ba717f1a344f196a8e85c01ea4ce 20184 php-illuminate-console_6.20.14+dfsg-3_all.deb
 d4a79579acc2532c3276f936d83b5e2caec5dff4 12084 php-illuminate-container_6.20.14+dfsg-3_all.deb
 d7a3fc8d394edf729444b63d19148fff590892cb 21816 php-illuminate-contracts_6.20.14+dfsg-3_all.deb
 4ba8cd0c0bcb3f53bd7a0ffd085c66965cef2655 6712 php-illuminate-cookie_6.20.14+dfsg-3_all.deb
 b8ffe805a83c984e063e150440aa4fbeb1303b28 118820 php-illuminate-database_6.20.14+dfsg-3_all.deb
 abc127b834b6cdbbc1d97eb51a237b5053adda59 6060 php-illuminate-encryption_6.20.14+dfsg-3_all.deb
 db11d0c67611e3c089737eb9f89e08de3a2be1ab 8020 php-illuminate-events_6.20.14+dfsg-3_all.deb
 906342bc411671195ef5018a3e073bf9dc972957 12008 php-illuminate-filesystem_6.20.14+dfsg-3_all.deb
 bcbcd5141516f425ca144eab063ec85ae0dab283 5712 php-illuminate-hashing_6.20.14+dfsg-3_all.deb
 8140dc81b0c500278cec8289dae3f02ed1641ef0 26328 php-illuminate-http_6.20.14+dfsg-3_all.deb
 2752e625a7f7fa48a507756ce7c427a96d958a4c 8540 php-illuminate-log_6.20.14+dfsg-3_all.deb
 b68678e9c90214a9d406dc0f3ed968dad4a6c2cf 19932 php-illuminate-mail_6.20.14+dfsg-3_all.deb
 68bc9c5642a806ef8a4e583f250f97add3de7d03 14056 php-illuminate-notifications_6.20.14+dfsg-3_all.deb
 58e481d2bdedbfa6b3a2f0cb0f0fea8cf74ba073 9808 php-illuminate-pagination_6.20.14+dfsg-3_all.deb
 9f005f027b6c08f18767de720be69495e34ac886 5924 php-illuminate-pipeline_6.20.14+dfsg-3_all.deb
 564c8dc447ccb23447a74202b438e70d31d6bc3a 30596 php-illuminate-queue_6.20.14+dfsg-3_all.deb
 80ffd969c3527e71de7c7e043e804e79db2b2a38 12376 php-illuminate-redis_6.20.14+dfsg-3_all.deb
 ff1396f961af6d896f4f575ed23dc83072489e3d 36228 php-illuminate-routing_6.20.14+dfsg-3_all.deb
 a52c37bab6253cd77f177a1b4efed2b28383e16f 12552 php-illuminate-session_6.20.14+dfsg-3_all.deb
 47832450b34dab5201a956e80be7215e72d2579f 52092 php-illuminate-support_6.20.14+dfsg-3_all.deb
 65a43bd7d584c34e409923e3e36aaf032dbb40fd 9480 php-illuminate-translation_6.20.14+dfsg-3_all.deb
 9f4ac54a23e2b3a7c26a2e044544a6aa6cb75817 28152 php-illuminate-validation_6.20.14+dfsg-3_all.deb
 271779b836a4fb147b10e87b5b56c1c730f9c496 21936 php-illuminate-view_6.20.14+dfsg-3_all.deb
 e478f787a2dfe277dd5dde77b286c79524c470db 78996 php-laravel-framework_6.20.14+dfsg-3_all.deb
 e5c6ad2b2aedfd9237e46e190463655932a377d4 15805 php-laravel-framework_6.20.14+dfsg-3_amd64.buildinfo
Checksums-Sha256:
 e1431b7ff2ebdff4abf1c72e495c3c111721f610d16a3602b986939dee840773 4222 php-laravel-framework_6.20.14+dfsg-3.dsc
 fd40b4a21418e84eb5d9f2432ac8c96db22ff9385f665fa9f9b75de09f6c51e2 9884 php-laravel-framework_6.20.14+dfsg-3.debian.tar.xz
 dcbc5b9914650784d579fb5c4a094623a43d61a38d828d5023e3b6ec411429a5 25564 php-illuminate-auth_6.20.14+dfsg-3_all.deb
 ad2e00bf127927a39271939d54d1e76509117ca86bea17eb271a6a903b645a58 10908 php-illuminate-broadcasting_6.20.14+dfsg-3_all.deb
 706d1611548176df1c29391cca177eb0d604bd907a51993ddacd02fd38c061b4 5964 php-illuminate-bus_6.20.14+dfsg-3_all.deb
 ad6b810504a957bd343aeeb454832baa78f0f32f227e394e177d794549081355 20436 php-illuminate-cache_6.20.14+dfsg-3_all.deb
 e2e4e0dcea715e936ada262c923966cb67a89b9b0437a87a2bcd0120c8c6e9d5 4600 php-illuminate-config_6.20.14+dfsg-3_all.deb
 7f275cc15b83e064dad38fcdc7cea35d801d01ba550587c0d0208f2babf12714 20184 php-illuminate-console_6.20.14+dfsg-3_all.deb
 04d0b57ffee81ea91e8583e68133395ad3718f034a57154c24d58e5c7036b0cf 12084 php-illuminate-container_6.20.14+dfsg-3_all.deb
 2f02c93dc3da9ecbaf294b801433bfd8c40629445c14f66983a01f211720fe71 21816 php-illuminate-contracts_6.20.14+dfsg-3_all.deb
 c52dde7da51ed3b0f176267258a46c97815d1051157beb491a6834bab8fe4e75 6712 php-illuminate-cookie_6.20.14+dfsg-3_all.deb
 3cdb62bac7b18e2caf4de4ca12a27c5ec97bf5858ef3a03d3f8007f32558c403 118820 php-illuminate-database_6.20.14+dfsg-3_all.deb
 2320f1a5ce890a8f9de8e322e257444601a273024673b2cfcdefa4c0c24b105f 6060 php-illuminate-encryption_6.20.14+dfsg-3_all.deb
 7f2fd8ca560721bfd85f3b7c916a9d435a172f01da4f12093f98fe59cecde0d6 8020 php-illuminate-events_6.20.14+dfsg-3_all.deb
 e8713dfa273d04dbc40edf11bcb2333e848d026b6c85ca07cbc1f382f2ef1eda 12008 php-illuminate-filesystem_6.20.14+dfsg-3_all.deb
 5ed129471e645ef51e8254386992542057f07748cdf92d4033085afd1ad48400 5712 php-illuminate-hashing_6.20.14+dfsg-3_all.deb
 f6d96079363f1c32f97be36158b1439d9793165b80d5c73b6bf845ee1453a50f 26328 php-illuminate-http_6.20.14+dfsg-3_all.deb
 0e2eab4bf468c0daa9d4c9410be79fc36206c60340d65831004d869d3c086023 8540 php-illuminate-log_6.20.14+dfsg-3_all.deb
 d90fb6aa493d865a02a9c38ef623250afbe9ad1b37e91f6b88ef947a39293b15 19932 php-illuminate-mail_6.20.14+dfsg-3_all.deb
 2aa19fbbefb0d605a7f2a6e0ba1830c153147f151ca1505dba2a84a861c05491 14056 php-illuminate-notifications_6.20.14+dfsg-3_all.deb
 8af698e1d692c91f91a9714fccb08a67dd8b939550dbec4b2f0d5036b3218739 9808 php-illuminate-pagination_6.20.14+dfsg-3_all.deb
 80a766dc0c0bdab4f3dcd23458e4fbd75cba3f13713aac423e2961182e6e7e63 5924 php-illuminate-pipeline_6.20.14+dfsg-3_all.deb
 619ceccf07ec93425299d5884a0834a993e3d2eae8d8f6f488b72634f5cf4e99 30596 php-illuminate-queue_6.20.14+dfsg-3_all.deb
 76e58fb118f2f98140969c7888d15a573607e676bb10d444cb788e6d97d25b56 12376 php-illuminate-redis_6.20.14+dfsg-3_all.deb
 d1dc3e79d09b38ea9a0f4880639fa302c4822d202c7a7849a94fa3ad38a8530a 36228 php-illuminate-routing_6.20.14+dfsg-3_all.deb
 fd0825201bba572656ca1d2f6331f572f7a9e03dff194d7eb922f2a4ea7c4b84 12552 php-illuminate-session_6.20.14+dfsg-3_all.deb
 2d028089411673f7be12eae890b017fc36581604026d777add9e9379663f4075 52092 php-illuminate-support_6.20.14+dfsg-3_all.deb
 6d889fa454664074b17539232520b7cc4471d0eaf48135b0769a81ca8359bd58 9480 php-illuminate-translation_6.20.14+dfsg-3_all.deb
 8251620d5664189297f65f3b961c7c45c5cc1d484e45e40c84f2d7f744267f4a 28152 php-illuminate-validation_6.20.14+dfsg-3_all.deb
 91eeae24fc05627caefa85319f892b01b89c7c75e3a3c8c5d433c87c68b440a3 21936 php-illuminate-view_6.20.14+dfsg-3_all.deb
 64a58bb2701809560a1d4dc7066aa0964067bfc1033d70d695775ec9c2c4813c 78996 php-laravel-framework_6.20.14+dfsg-3_all.deb
 3a000e85f5b4d70968139c5ace2cf55b4459887816d3c6db0585b7c3789d86fd 15805 php-laravel-framework_6.20.14+dfsg-3_amd64.buildinfo
Files:
 f65d3717d4b9a8e84cab946882fe4603 4222 php optional php-laravel-framework_6.20.14+dfsg-3.dsc
 073ab9fd0d9160b5825cae6243a6c79e 9884 php optional php-laravel-framework_6.20.14+dfsg-3.debian.tar.xz
 ed427edc56afbea50662564e0a4f46b9 25564 php optional php-illuminate-auth_6.20.14+dfsg-3_all.deb
 e8ee9319eb8f2739f430decbe5e8b67f 10908 php optional php-illuminate-broadcasting_6.20.14+dfsg-3_all.deb
 2b5a4197ab802492adcf00edabe1d852 5964 php optional php-illuminate-bus_6.20.14+dfsg-3_all.deb
 5f90d535f9296c3d39a6b87c6a15d648 20436 php optional php-illuminate-cache_6.20.14+dfsg-3_all.deb
 9f2efcd43a99a61dae9f995db7574a4d 4600 php optional php-illuminate-config_6.20.14+dfsg-3_all.deb
 7308fb5b0e031893f6dfb36c3ba22be1 20184 php optional php-illuminate-console_6.20.14+dfsg-3_all.deb
 4965abb314316cdef9cfaa224cc19e4b 12084 php optional php-illuminate-container_6.20.14+dfsg-3_all.deb
 f32b923da4609d9ea54139babc39a123 21816 php optional php-illuminate-contracts_6.20.14+dfsg-3_all.deb
 dfaf15911b2f4ad3cbe101e5876008f3 6712 php optional php-illuminate-cookie_6.20.14+dfsg-3_all.deb
 05755d0b2ba42c0cc491404070863b24 118820 php optional php-illuminate-database_6.20.14+dfsg-3_all.deb
 cb9910959c418efa5c21dea00e936c91 6060 php optional php-illuminate-encryption_6.20.14+dfsg-3_all.deb
 56e21624209b5f5f282a87a7995052e4 8020 php optional php-illuminate-events_6.20.14+dfsg-3_all.deb
 ae251a253b4b1d63073af9508b9eaced 12008 php optional php-illuminate-filesystem_6.20.14+dfsg-3_all.deb
 50561447ee32bdae885154a44be5650f 5712 php optional php-illuminate-hashing_6.20.14+dfsg-3_all.deb
 8ed8159314186f0143cb57a496f7b152 26328 php optional php-illuminate-http_6.20.14+dfsg-3_all.deb
 5e0020d578e85753a37141fd522c60a6 8540 php optional php-illuminate-log_6.20.14+dfsg-3_all.deb
 ad40c373171b47612f74f2111e541c8f 19932 php optional php-illuminate-mail_6.20.14+dfsg-3_all.deb
 dd350a2fa731d8f841c086b45ad77671 14056 php optional php-illuminate-notifications_6.20.14+dfsg-3_all.deb
 8af9ca226e4b4d58bb19add7c0c71e83 9808 php optional php-illuminate-pagination_6.20.14+dfsg-3_all.deb
 9b006905663de07055969119db861fc5 5924 php optional php-illuminate-pipeline_6.20.14+dfsg-3_all.deb
 fa758e3b7ee606df03504bedef1dc935 30596 php optional php-illuminate-queue_6.20.14+dfsg-3_all.deb
 f578b52005f42aface4316370d494d60 12376 php optional php-illuminate-redis_6.20.14+dfsg-3_all.deb
 94ddf6f463d23f3608a6da4ce5512691 36228 php optional php-illuminate-routing_6.20.14+dfsg-3_all.deb
 b23229f0cf78d3a13b071f3bf781a881 12552 php optional php-illuminate-session_6.20.14+dfsg-3_all.deb
 1078fa78ebdf5891a5e49327971eee3c 52092 php optional php-illuminate-support_6.20.14+dfsg-3_all.deb
 f8e47a190ad03475e6a3cdd2cb861c09 9480 php optional php-illuminate-translation_6.20.14+dfsg-3_all.deb
 f6b3ef848d4c160497b1c1ae6b323cc2 28152 php optional php-illuminate-validation_6.20.14+dfsg-3_all.deb
 90b7e32b928abb672724dcb4a645fd63 21936 php optional php-illuminate-view_6.20.14+dfsg-3_all.deb
 72f6cb4ad3aaa316fae4b690fd1d8ff9 78996 php optional php-laravel-framework_6.20.14+dfsg-3_all.deb
 06fcc48e4e78f3836fb36011c997dcc6 15805 php optional php-laravel-framework_6.20.14+dfsg-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Changed Bug title to 'php-illuminate-validation: CVE-2021-43617: Failure to block the upload of executable PHP content' from 'php-illuminate-validation: Failure to block the upload of executable PHP content'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 02 Jan 2022 15:09:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jan 3 14:41:26 2022; Machine Name: bembo
