Debian: New phpbb2 packages fix several vulnerabilities

    Date: 21 Dec 2005
    Posted By: Joe Shakespeare
    Updated package.
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 925-1                                        Martin Schulze
    December 22nd, 2005           
    - --------------------------------------------------------------------------
    Package        : phpbb2
    Vulnerability  : several
    Problem type   : remote
    Debian-specific: no
    CVE ID         : CVE-2005-3310 CVE-2005-3415 CVE-2005-3416 CVE-2005-3417
                     CVE-2005-3418 CVE-2005-3419 CVE-2005-3420 CVE-2005-3536
    BugTraq IDs    : 15170 15243
    Debian Bugs    : 35662 336582 336587
    Several vulnerabilities have been discovered in phpBB, a fully
    featured and skinnable flat webforum.
    The Common Vulnerabilities and Exposures project identifies the
    following problems:
        Multiple interpretation errors allow remote authenticated users to
        inject arbitrary web script when remote avatars and avatar
        uploading are enabled.
        phpBB allows remote attackers to bypass protection mechanisms that
        deregister global variables, which allows attackers to manipulate
        the behaviour of phpBB.
        phpBB allows remote attackers to bypass security checks when
        register_globals is enabled and the session_start function has not
        been called to handle a session.
        phpBB allows remote attackers to modify global variables and
        bypass security mechanisms.
        Multiple cross-site scripting (XSS) vulnerabilities allow remote
        attackers to inject arbitrary web scripts.
        An SQL injection vulnerability allows remote attackers to execute
        arbitrary SQL commands.
        phpBB allows remote attackers to modify regular expressions and
        execute PHP code via the signature_bbcode_uid parameter.
        Missing input sanitising of the topic type allows remote attackers
        to inject arbitrary SQL commands.
        Missing request validation permitted remote attackers to edit
        private messages of other users.
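    Two of the problems above are the same class of bug seen at different
    sinks: the topic type reaches an SQL statement, and the
    signature_bbcode_uid parameter reaches a regular expression, in both
    cases without the input being sanitised first. The following PHP is an
    added illustration of that pattern and of the check that closes it; it
    is not phpBB's code and not part of the advisory. The table and column
    names, the constants, and the 10-character hexadecimal form assumed for
    a bbcode uid are assumptions made for the example.

```php
<?php
// Added example, not phpBB's code: unsanitised request values reaching an SQL
// statement (topic type) and a regex pattern (bbcode uid), each beside a
// hardened version. Table/column names and the uid format are assumptions.
declare(strict_types=1);

const POST_NORMAL   = 0;
const POST_STICKY   = 1;
const POST_ANNOUNCE = 2;

// VULNERABLE: the raw request string is concatenated into the statement, so
// a value such as "1, topic_poster = 2" rewrites another column as well.
function topic_update_sql_unsafe(int $topic_id, string $topic_type_from_request): string
{
    return "UPDATE phpbb_topics SET topic_type = $topic_type_from_request"
         . " WHERE topic_id = $topic_id";
}

// HARDENED: require a short decimal string, cast it, and reject anything
// outside the closed set the application knows about; %d then guarantees
// that only digits reach the statement.
function topic_update_sql_safe(int $topic_id, string $topic_type_from_request): string
{
    if (preg_match('/^\d{1,3}\z/', $topic_type_from_request) !== 1) {
        throw new InvalidArgumentException('topic type must be a small non-negative integer');
    }
    $topic_type = (int) $topic_type_from_request;
    if (!in_array($topic_type, [POST_NORMAL, POST_STICKY, POST_ANNOUNCE], true)) {
        throw new InvalidArgumentException('unknown topic type ' . $topic_type);
    }
    return sprintf('UPDATE phpbb_topics SET topic_type = %d WHERE topic_id = %d',
                   $topic_type, $topic_id);
}

// VULNERABLE: the request-supplied uid is interpolated into the pattern
// unquoted. Regex metacharacters in it change what is matched, and a uid
// containing the '#' delimiter ends the pattern early so the remainder is
// read as modifiers (on PHP < 7 that included /e, which evaluates the
// replacement as PHP code). preg_replace returns null on an invalid pattern.
function strip_bbcode_uid_unsafe(string $text, string $uid): ?string
{
    return preg_replace("#\[(/?)(b|i|u):$uid\]#", '[$1$2]', $text);
}

// HARDENED: validate the uid against the shape it is supposed to have
// (assumed here: 10 lowercase hex characters) and preg_quote it anyway, so
// a later change to the uid format cannot reopen the hole.
function strip_bbcode_uid_safe(string $text, string $uid): string
{
    if (preg_match('/^[0-9a-f]{10}\z/', $uid) !== 1) {
        throw new InvalidArgumentException('malformed bbcode uid');
    }
    $quoted = preg_quote($uid, '#');
    return preg_replace("#\[(/?)(b|i|u):$quoted\]#", '[$1$2]', $text);
}

// Demonstration with constructed request values.
$signature = '[b:1a2b3c4d5e]hello[/b:1a2b3c4d5e]';

echo topic_update_sql_unsafe(42, '1, topic_poster = 2'), PHP_EOL;   // second column smuggled in
echo topic_update_sql_safe(42, '1'), PHP_EOL;
try {
    topic_update_sql_safe(42, '1, topic_poster = 2');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

echo strip_bbcode_uid_unsafe($signature, '.*'), PHP_EOL;            // metacharacters widen the match
echo strip_bbcode_uid_safe($signature, '1a2b3c4d5e'), PHP_EOL;
try {
    strip_bbcode_uid_safe($signature, '.*#e');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

    The hardened functions fail closed: a value that does not match the
    expected shape raises before it is ever placed next to the sink, which
    is the property the fixed packages restore for these two parameters.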
    The old stable distribution (woody) does not contain phpbb2 packages.
    For the stable distribution (sarge) these problems have been fixed in
    version 2.0.13+1-6sarge2.
    For the unstable distribution (sid) these problems have been fixed in
    version 2.0.18-1.
    We recommend that you upgrade your phpbb2 packages.
    Upgrade Instructions
    - --------------------
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
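    The instructions above say what to run; the script below is an added
    example (not part of the advisory) for checking afterwards whether the
    installed phpbb2 package is still below the fixed version quoted for
    sarge or sid. It assumes dpkg is available for version comparison (the
    GNU sort -V fallback is only an approximation of Debian version
    ordering) and dpkg-query for reading the installed version.

```shell
#!/bin/sh
# Added example, not part of the DSA. Compares an installed phpbb2 version
# with the fixed versions quoted in the advisory and reports whether an
# upgrade is still needed. On a Debian host:  sh phpbb2_check.sh --check sarge

FIXED_SARGE='2.0.13+1-6sarge2'
FIXED_SID='2.0.18-1'

# version_lt A B: succeed if A is strictly older than B in Debian ordering.
# Uses dpkg's own comparator when present; the sort -V fallback (assumes GNU
# coreutils) is an approximation for hosts without dpkg.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# fixed_version_for SUITE: print the fixed version for sarge or sid.
fixed_version_for() {
    case $1 in
        sarge) printf '%s\n' "$FIXED_SARGE" ;;
        sid)   printf '%s\n' "$FIXED_SID" ;;
        *)     echo "unknown suite: $1" >&2; return 2 ;;
    esac
}

# phpbb2_status INSTALLED SUITE: return 1 (and say so) if INSTALLED is older
# than the fixed version for SUITE, 0 if it is at or past it, 2 on bad input.
phpbb2_status() {
    installed=$1
    fixed=$(fixed_version_for "$2") || return 2
    if version_lt "$installed" "$fixed"; then
        echo "phpbb2 $installed is older than $fixed (DSA 925-1): upgrade needed"
        return 1
    fi
    echo "phpbb2 $installed is at or past $fixed (DSA 925-1): ok"
    return 0
}

# With --check, read the real installed version from the package database.
if [ "${1:-}" = "--check" ]; then
    installed=$(dpkg-query -W -f='${Version}' phpbb2 2>/dev/null) ||
        { echo "phpbb2 is not installed"; exit 0; }
    phpbb2_status "$installed" "${2:-sarge}"
fi
```

    The exit status is what a cron job or configuration-management run
    would key on; the human-readable line is secondary. Note that the
    comparison is only meaningful for packages from the Debian archive:
    a phpBB installed from upstream tarballs is not visible to dpkg-query.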
    Debian GNU/Linux 3.1 alias sarge
    - --------------------------------
      Source archives:
          Size/MD5 checksum:      783 84a0dab5af965cf6ff418c2b2383a9ee
          Size/MD5 checksum:    64580 e644237009e5eff92b86f21a5f6f4cbe
          Size/MD5 checksum:  3340445 678d0cb0372e46402a472c510fb90d78
      Architecture independent components:
          Size/MD5 checksum:    37474 4cbfd2fe1e336214a3defddeff55ce65
          Size/MD5 checksum:  2873096 f71e21b77d9f5bffa076a25d6687b4c2
          Size/MD5 checksum:   525514 f88101af29bf00db9a8fdb264e35d891
      These files will probably be moved into the stable distribution on
      its next update.
    - ---------------------------------------------------------------------------------
    For apt-get: deb stable/updates main
    For dpkg-ftp: dists/stable/updates/main
    Mailing list: