
Debian Bug report logs - #832316
cakephp: CVE-2015-8379


Reported by: balint@balintreczey.hu

Date: Sat, 23 Jul 2016 18:57:02 UTC

Severity: serious

Tags: fixed-upstream, security, upstream

Found in version cakephp/1.3.15-1

Fixed in version cakephp/2.8.0-1

Done: Dmitry Smirnov <onlyjob@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/cakephp/cakephp/issues/9160



Report forwarded to debian-bugs-dist@lists.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#832283; Package src:cakephp. (Sat, 23 Jul 2016 18:57:06 GMT)


Acknowledgement sent to balint@balintreczey.hu:
New Bug report received and forwarded. Copy sent to Dmitry Smirnov <onlyjob@debian.org>. (Sat, 23 Jul 2016 18:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Bálint Réczey <balint@balintreczey.hu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cakephp: Affected by multiple security issues
Date: Sat, 23 Jul 2016 20:55:39 +0200

Source: cakephp
Version: 2.8.3-1
Severity: serious

Dear Maintainers,

CakePHP is affected by the following security issues listed at
https://security-tracker.debian.org/tracker/source-package/cakephp:

TEMP-0000000-698CF7: cakephp: XML class SSRF vulnerability
CVE-2015-8379: CakePHP 2.x and 3.x before 3.1.5 might allow remote
attackers to bypass the CSRF protection mechanism via the _method
parameter.

The former has been addressed by upstream in the 3.0.6 release:
https://github.com/cakephp/cakephp/releases/tag/3.0.6

The latter has been partially fixed in the 3.1.5 release and then in the 3.2.0 release:
https://packetstormsecurity.com/files/135301/CakePHP-3.2.0-CSRF-Bypass.html
https://github.com/cakephp/cakephp/pull/7938

Cheers,
Balint
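The CSRF-bypass class named in the report above, shown in plain PHP as an added illustration (this is not CakePHP's code and not the fix referenced in the pull request): a token check that makes its "is this a safe method?" decision on the overridden `_method` value can be skipped by a POST that rewrites itself to GET, while a check keyed on the transport-level `REQUEST_METHOD` still demands the token. The override rule, the double-submit cookie and form-field names (`csrfToken`, `_csrfToken`) and the sample requests are assumptions constructed for this example, and the skip-on-override mechanism is offered as one way such a bypass arises in general, not as a description of the exact CakePHP defect.

```php
<?php
// Added illustration (not CakePHP's code): a CSRF check that trusts a
// "_method" override beside one that does not. All names and sample
// values below are constructed for the example.
declare(strict_types=1);

// Method the application will route on. Many frameworks let HTML forms
// emulate PUT/DELETE by posting a "_method" field; here (an assumed rule)
// the override is honoured only for a POST that carries the field.
function effectiveMethod(array $server, array $post): string
{
    $real = strtoupper((string) ($server['REQUEST_METHOD'] ?? 'GET'));
    if ($real === 'POST' && isset($post['_method'])) {
        return strtoupper((string) $post['_method']);
    }
    return $real;
}

// Weak check: decides from the *overridden* method. A POST whose body
// says _method=GET is classified as "safe", so the token is never compared
// even though the POST body is still handed to the application.
function csrfOkWeak(array $server, array $post, array $cookie): bool
{
    $method = effectiveMethod($server, $post);
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true; // treated as a safe method: no token required
    }
    return tokenMatches($post, $cookie);
}

// Hardened check: decides from the transport-level method only. Any real
// POST must carry a valid token, whatever it asks to be rewritten to; the
// override can still be used for routing after the check has passed.
function csrfOkHardened(array $server, array $post, array $cookie): bool
{
    $real = strtoupper((string) ($server['REQUEST_METHOD'] ?? 'GET'));
    if (in_array($real, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    return tokenMatches($post, $cookie);
}

// Double-submit comparison (assumed scheme): the token in the session
// cookie must equal the token posted in the form, compared in constant time.
function tokenMatches(array $post, array $cookie): bool
{
    $expected = $cookie['csrfToken'] ?? null;
    $given    = $post['_csrfToken'] ?? null;
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// Constructed sample requests.
$server     = ['REQUEST_METHOD' => 'POST'];
$cookie     = ['csrfToken' => 'constructed-token-value'];
$normalPost = ['title' => 'hello', '_csrfToken' => 'constructed-token-value'];
$tokenless  = ['title' => 'hello', '_method' => 'GET']; // no token at all

foreach ([
    'normal POST with token'       => $normalPost,
    'POST rewriting itself to GET' => $tokenless,
] as $label => $post) {
    printf(
        "%-30s weak=%-6s hardened=%s\n",
        $label,
        csrfOkWeak($server, $post, $cookie) ? 'pass' : 'reject',
        csrfOkHardened($server, $post, $cookie) ? 'pass' : 'reject'
    );
}
```

The point for a reviewer of any framework's CSRF layer is where the "safe method" decision reads its input from: if it reads a value the request body can set, the body can also switch the check off. Logging requests whose real method is POST but whose effective method is GET or HEAD is a cheap way to spot this pattern in traffic.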



Added tag(s) security, fixed-upstream, and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 24 Jul 2016 05:51:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#832283; Package src:cakephp. (Sun, 24 Jul 2016 05:57:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Dmitry Smirnov <onlyjob@debian.org>. (Sun, 24 Jul 2016 05:57:04 GMT)


Message #12 received at 832283@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: balint@balintreczey.hu, 832283@bugs.debian.org
Subject: Re: Bug#832283: cakephp: Affected by multiple security issues
Date: Sun, 24 Jul 2016 07:54:47 +0200

Hi Balint,

On Sat, Jul 23, 2016 at 08:55:39PM +0200, Bálint Réczey wrote:
> TEMP-0000000-698CF7: cakephp: XML class SSRF vulnerability
> CVE-2015-8379: CakePHP 2.x and 3.x before 3.1.5 might allow remote
> attackers to bypass the CSRF protection mechanism via the _method
> parameter.

Since one of the issues has no CVE id (and probably will never get one), I
have cloned this bug report to identify the two issues separately via
the security-tracker and the bug number.

Btw, please never use TEMP-.* as an identifier; it is not meant to be
stable. You will see that the above is no longer valid.

Regards,
Salvatore



Bug 832283 cloned as bug 832316. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 24 Jul 2016 05:57:06 GMT)


Changed Bug title to 'cakephp: CVE-2015-8379' from 'cakephp: Affected by multiple security issues'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 24 Jul 2016 05:57:10 GMT)


Marked as found in versions cakephp/1.3.15-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 24 Jul 2016 05:57:11 GMT)


Reply sent to Dmitry Smirnov <onlyjob@debian.org>:
You have taken responsibility. (Sun, 24 Jul 2016 09:57:18 GMT)


Notification sent to balint@balintreczey.hu:
Bug acknowledged by developer. (Sun, 24 Jul 2016 09:57:18 GMT)


Message #23 received at 832316-close@bugs.debian.org:

From: Dmitry Smirnov <onlyjob@debian.org>
To: 832316-close@bugs.debian.org
Subject: Bug#832316: fixed in cakephp 2.8.5-1
Date: Sun, 24 Jul 2016 09:53:34 +0000

Source: cakephp
Source-Version: 2.8.5-1

We believe that the bug you reported is fixed in the latest version of
cakephp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832316@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Smirnov <onlyjob@debian.org> (supplier of updated cakephp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 24 Jul 2016 18:29:17 +1000
Source: cakephp
Binary: cakephp cakephp-scripts
Architecture: source all
Version: 2.8.5-1
Distribution: unstable
Urgency: medium
Maintainer: Dmitry Smirnov <onlyjob@debian.org>
Changed-By: Dmitry Smirnov <onlyjob@debian.org>
Description:
 cakephp    - rapid application development framework for PHP
 cakephp-scripts - rapid application development framework for PHP (scripts)
Closes: 832316
Changes:
 cakephp (2.8.5-1) unstable; urgency=medium
 .
   * New upstream release [June 2016].
     + Fixed CVE-2015-8379 (Closes: #832316).
   * Corrected Vcs-Git URL.
   * Standards-Version: 3.9.8.
Checksums-Sha1:
 55f4f1f49dc062799157d6c93e23721b4a26cfa0 1940 cakephp_2.8.5-1.dsc
 a65cc6b403c798ccce21dc5694f46bb8a83d2a5c 1509582 cakephp_2.8.5.orig.tar.gz
 21cf8d161ac320cb5d08d88fbaa732b70db61f8e 8196 cakephp_2.8.5-1.debian.tar.xz
 fb81d1b6465bfdacf404a015f14ea698b99bf7fd 38024 cakephp-scripts_2.8.5-1_all.deb
 fb45be7293452c269f0a9b74932c3f2f61a19c12 1115506 cakephp_2.8.5-1_all.deb
Checksums-Sha256:
 24bb38d2eb5cb6013715d7e22a3e5de135022bcf2a80df6539fa7e98c3b191db 1940 cakephp_2.8.5-1.dsc
 cb9a7c15504eaee0d85d60595e8ef163d3e9640a02474069107f44a25c6bde40 1509582 cakephp_2.8.5.orig.tar.gz
 30f7d46bd5bc790022d0d400ba087fdcf631cc696252b23d8117c15c0a83e59c 8196 cakephp_2.8.5-1.debian.tar.xz
 e181511b4ab1905b3a36793d411900a3f2d0c60ceee48db31b977db18bfe258a 38024 cakephp-scripts_2.8.5-1_all.deb
 afd4b7e19e05eeef29130e243b4b23fcf4eea01d249225ba1b46824e82cc4b78 1115506 cakephp_2.8.5-1_all.deb
Files:
 223b0248f69ede1b4dcb66afdb8c631e 1940 web optional cakephp_2.8.5-1.dsc
 6e731d0712280e2fb00c6a6a8e3f3ffc 1509582 web optional cakephp_2.8.5.orig.tar.gz
 030cd2e8b022c32a78f4dd2757841e6d 8196 web optional cakephp_2.8.5-1.debian.tar.xz
 83d87942424959a65124c701edfaacb9 38024 web optional cakephp-scripts_2.8.5-1_all.deb
 2d0770ee970adf545d231d3c01493253 1115506 web optional cakephp_2.8.5-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug reopened. Request was from Dmitry Smirnov <onlyjob@debian.org> to control@bugs.debian.org. (Mon, 25 Jul 2016 14:48:09 GMT)


No longer marked as fixed in versions cakephp/2.8.5-1. Request was from Dmitry Smirnov <onlyjob@debian.org> to control@bugs.debian.org. (Mon, 25 Jul 2016 14:48:10 GMT)


Marked as found in versions cakephp/2.8.5-1. Request was from Dmitry Smirnov <onlyjob@debian.org> to control@bugs.debian.org. (Mon, 25 Jul 2016 14:48:13 GMT)


Set Bug forwarded-to-address to 'https://github.com/cakephp/cakephp/issues/9160'. Request was from Dmitry Smirnov <onlyjob@debian.org> to control@bugs.debian.org. (Mon, 25 Jul 2016 14:48:21 GMT)


No longer marked as found in versions cakephp/2.8.5-1. Request was from Dmitry Smirnov <onlyjob@debian.org> to control@bugs.debian.org. (Mon, 25 Jul 2016 14:57:03 GMT)


No longer marked as found in versions cakephp/2.8.3-1. Request was from Dmitry Smirnov <onlyjob@debian.org> to control@bugs.debian.org. (Mon, 25 Jul 2016 14:57:07 GMT)


Marked as fixed in versions cakephp/2.8.0-1. Request was from Dmitry Smirnov <onlyjob@debian.org> to control@bugs.debian.org. (Mon, 25 Jul 2016 15:00:06 GMT)


Marked Bug as done. Request was from Dmitry Smirnov <onlyjob@debian.org> to control@bugs.debian.org. (Mon, 25 Jul 2016 15:00:09 GMT)


Notification sent to balint@balintreczey.hu:
Bug acknowledged by developer. (Mon, 25 Jul 2016 15:00:10 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 08:05:54 GMT)


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:51:51 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:31:37 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:26:38 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.