|
|
Subscribe / Log in / New account

Debian alert DLA-1942-2 (phpbb3)



From:
              Mike Gabriel <sunweaver@debian.org> 


To:
              debian-lts-announce@lists.debian.org 


Subject:
              [SECURITY] [DLA 1942-2] phpbb3 regression update 


Date:
              Mon, 7 Oct 2019 09:23:52 +0200


Message-ID:
              <20191007072352.k54ymetmqqoqwjav@layer-acht.org>


This is a follow-up to DLA-1942-1.

There was some confusion about the correct
fix for CVE-2019-13776.

The correct announcement for this DLA should have been:

Package        : phpbb3
Version        : 3.0.12-5+deb8u4
CVE ID         : CVE-2019-13776 CVE-2019-16993

CVE-2019-16993

   In phpBB, includes/acp/acp_bbcodes.php had improper verification of a
   CSRF token on the BBCode page in the Administration Control Panel. An
   actual CSRF attack was possible if an attacker also managed to retrieve
   the session id of a reauthenticated administrator prior to targeting
   them.

CVE-2019-13776

   phpBB allowed the stealing of an Administration Control Panel session id
   by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking
   lead to stored XSS.

For Debian 8 "Jessie", these problems have been fixed in version
3.0.12-5+deb8u4.

We recommend that you upgrade your phpbb3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds