Debian: New phpbb2 packages fix several vulnerabilities

    Date: 21 Dec 2005
    Category: Debian
    Posted By: Joe Shakespeare
    Updated package.
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 925-1
    http://www.debian.org/security/                             Martin Schulze
    December 22nd, 2005                     http://www.debian.org/security/faq
    - --------------------------------------------------------------------------
    
    Package        : phpbb2
    Vulnerability  : several
    Problem type   : remote
    Debian-specific: no
    CVE ID         : CVE-2005-3310 CVE-2005-3415 CVE-2005-3416 CVE-2005-3417
                     CVE-2005-3418 CVE-2005-3419 CVE-2005-3420 CVE-2005-3536
                     CVE-2005-3537
    BugTraq IDs    : 15170 15243
    Debian Bugs    : 35662 336582 336587
    
    Several vulnerabilities have been discovered in phpBB, a fully
    featured and skinnable flat webforum.
    
    The Common Vulnerabilities and Exposures project identifies the
    following problems:
    
    
    CVE-2005-3310
    
        Multiple interpretation errors allow remote authenticated users to
        inject arbitrary web script when remote avatars and avatar
        uploading are enabled.
    
    CVE-2005-3415
    
        phpBB allows remote attackers to bypass protection mechanisms that
        deregister global variables, which allows attackers to manipulate
        the behaviour of phpBB.
    
    CVE-2005-3416
    
        phpBB allows remote attackers to bypass security checks when
        register_globals is enabled and the session_start function has not
        been called to handle a session.
    
    CVE-2005-3417
    
        phpBB allows remote attackers to modify global variables and
        bypass security mechanisms.
    
    CVE-2005-3418
    
        Multiple cross-site scripting (XSS) vulnerabilities allow remote
        attackers to inject arbitrary web scripts.
    
    CVE-2005-3419
    
        An SQL injection vulnerability allows remote attackers to execute
        arbitrary SQL commands.
    
    CVE-2005-3420
    
        phpBB allows remote attackers to modify regular expressions and
        execute PHP code via the signature_bbcode_uid parameter.
    
    CVE-2005-3536
    
        Missing input sanitising of the topic type allows remote attackers
        to inject arbitrary SQL commands.
    
    CVE-2005-3537
    
        Missing request validation permitted remote attackers to edit
        private messages of other users.
    
    The old stable distribution (woody) does not contain phpbb2 packages.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 2.0.13+1-6sarge2.
    
    For the unstable distribution (sid) these problems have been fixed in
    version 2.0.18-1.
    
    We recommend that you upgrade your phpbb2 packages.
    
    
    Upgrade Instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 3.1 alias sarge
    - --------------------------------
    
      Source archives:
    
        http://security.debian.org/pool/updates/main/p/phpbb2/phpbb2_2.0.13+1-6sarge2.dsc
          Size/MD5 checksum:      783 84a0dab5af965cf6ff418c2b2383a9ee
        http://security.debian.org/pool/updates/main/p/phpbb2/phpbb2_2.0.13+1-6sarge2.diff.gz
          Size/MD5 checksum:    64580 e644237009e5eff92b86f21a5f6f4cbe
        http://security.debian.org/pool/updates/main/p/phpbb2/phpbb2_2.0.13+1.orig.tar.gz
          Size/MD5 checksum:  3340445 678d0cb0372e46402a472c510fb90d78
    
      Architecture independent components:
    
        http://security.debian.org/pool/updates/main/p/phpbb2/phpbb2-conf-mysql_2.0.13-6sarge2_all.deb
          Size/MD5 checksum:    37474 4cbfd2fe1e336214a3defddeff55ce65
        http://security.debian.org/pool/updates/main/p/phpbb2/phpbb2-languages_2.0.13-6sarge2_all.deb
          Size/MD5 checksum:  2873096 f71e21b77d9f5bffa076a25d6687b4c2
        http://security.debian.org/pool/updates/main/p/phpbb2/phpbb2_2.0.13-6sarge2_all.deb
          Size/MD5 checksum:   525514 f88101af29bf00db9a8fdb264e35d891
    
    
      These files will probably be moved into the stable distribution on
      its next update.
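    As an added example (not part of the Debian advisory), a POSIX sh check that compares a downloaded .deb against the Size/MD5 values listed above before it is handed to dpkg -i; the function names verify_deb and check_sarge_phpbb2 are my own.

```shell
#!/bin/sh
# Added example, not part of the advisory: before running dpkg -i, check
# that a downloaded package matches the Size/MD5 values the advisory lists.
# MD5 here is an integrity check against corrupted or swapped downloads;
# authenticity comes from the advisory's PGP signature and the signed
# archive metadata apt verifies, not from this hash.

# verify_deb FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 when both size and MD5 match, 1 otherwise.
verify_deb() {
    file=$1
    expected_size=$2
    expected_md5=$3

    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

    # wc -c prints the byte count; strip surrounding whitespace.
    actual_size=$(wc -c < "$file" | tr -d ' ')
    actual_md5=$(md5sum "$file" | cut -d ' ' -f 1)

    if [ "$actual_size" != "$expected_size" ]; then
        echo "size mismatch for $file: $actual_size != $expected_size" >&2
        return 1
    fi
    if [ "$actual_md5" != "$expected_md5" ]; then
        echo "md5 mismatch for $file: $actual_md5 != $expected_md5" >&2
        return 1
    fi
    echo "ok: $file"
    return 0
}

# Values copied from the advisory's sarge package list (file name, size, MD5).
# Run from the directory the .deb files were downloaded into; returns 1 if
# any file is missing or does not match.
check_sarge_phpbb2() {
    status=0
    while read -r name size md5; do
        verify_deb "$name" "$size" "$md5" || status=1
    done <<EOF
phpbb2-conf-mysql_2.0.13-6sarge2_all.deb 37474 4cbfd2fe1e336214a3defddeff55ce65
phpbb2-languages_2.0.13-6sarge2_all.deb 2873096 f71e21b77d9f5bffa076a25d6687b4c2
phpbb2_2.0.13-6sarge2_all.deb 525514 f88101af29bf00db9a8fdb264e35d891
EOF
    return $status
}
```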
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    