
Accepted phpbb2 2.0.13+1-6sarge2 (source all)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 30 Nov 2005 11:52:53 +0100
Source: phpbb2
Binary: phpbb2-languages phpbb2-conf-mysql phpbb2
Architecture: source all
Version: 2.0.13+1-6sarge2
Distribution: stable-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <kink@squirrelmail.org>
Description: 
 phpbb2     - A fully featured and skinnable flat (non-threaded) webforum
 phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
 phpbb2-languages - phpBB2 additional languages
Closes: 335662 336582 336587
Changes: 
 phpbb2 (2.0.13+1-6sarge2) stable-security; urgency=high
 .
   * Security update by phpBB maintainers
   * Backport fixes for the following issues announced by upstream and
     independent researchers (Closes: #336582, #336587, #335662):
     - fixed validation of topic type when posting.
     - fixed potential to select images outside the specified path as avatars
       or smilies.
     - fixed ability to edit PMs you did not send.
     - CVE-2005-3419, CVE-2005-3420: fixed inadequate signature field input
       sanitising, which allowed for arbitrary code execution
     - CVE-2005-3310: compare imagetype on avatar uploading to match the file
       extension from uploaded file.
 .
     Additionally, the following three issues are fixed, though they are only a
     threat when running with the heavily discouraged register_globals = off
     setting:
     - CVE-2005-3415: bypass protection mechanisms that deregister global
       variables by setting both a GPC variable and a GLOBALS[] variable.
     - CVE-2005-3416: bypass security checks by setting the $_SESSION and
       $HTTP_SESSION_VARS variables to strings instead of arrays.
     - CVE-2005-3418: Multiple cross-site scripting (XSS) vulnerabilities.
Files: 
 84a0dab5af965cf6ff418c2b2383a9ee 783 web optional phpbb2_2.0.13+1-6sarge2.dsc
 e644237009e5eff92b86f21a5f6f4cbe 64580 web optional phpbb2_2.0.13+1-6sarge2.diff.gz
 f88101af29bf00db9a8fdb264e35d891 525514 web optional phpbb2_2.0.13-6sarge2_all.deb
 4cbfd2fe1e336214a3defddeff55ce65 37474 web extra phpbb2-conf-mysql_2.0.13-6sarge2_all.deb
 f71e21b77d9f5bffa076a25d6687b4c2 2873096 web optional phpbb2-languages_2.0.13-6sarge2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Signed by Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

iD8DBQFDpgbUl2uISwgTVp8RAgcyAJ93wvWZCBowQ74CtZRAIOXZ1ZQw3QCgrYEu
iBIbdbFUbbhEctbUEWdfu0I=
=R/22
-----END PGP SIGNATURE-----


Accepted:
phpbb2-conf-mysql_2.0.13-6sarge2_all.deb
  to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.13-6sarge2_all.deb
phpbb2-languages_2.0.13-6sarge2_all.deb
  to pool/main/p/phpbb2/phpbb2-languages_2.0.13-6sarge2_all.deb
phpbb2_2.0.13+1-6sarge2.diff.gz
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge2.diff.gz
phpbb2_2.0.13+1-6sarge2.dsc
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge2.dsc
phpbb2_2.0.13-6sarge2_all.deb
  to pool/main/p/phpbb2/phpbb2_2.0.13-6sarge2_all.deb
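Two of the fixes listed in the changelog above, the CVE-2005-3310 image-type check on avatar uploads and the restriction of gallery avatars and smilies to the configured directory, are short enough to show in working PHP. The block below is an added example written for this page; it is not phpBB's own code nor the Debian patch, and the function names, the AVATAR_TYPES map and the constructed sample files are assumptions made for the demonstration. It checks the type that getimagesize() detects from the file's contents against the extension of the client-supplied filename, and uses realpath() to refuse any gallery path that resolves outside the base directory.

```php
<?php
// Added example (not phpBB's own code): reject avatar uploads whose detected
// image type disagrees with their filename extension, and confine gallery
// avatar/smilie selections to one directory. Names below are assumptions.

declare(strict_types=1);

// Extension -> IMAGETYPE_* constant the file contents must actually have.
const AVATAR_TYPES = [
    'gif'  => IMAGETYPE_GIF,
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
];

/**
 * Return the IMAGETYPE_* constant of $tmp_path when it is a real image whose
 * detected type matches the extension of $client_name; otherwise throw.
 */
function check_avatar_upload(string $tmp_path, string $client_name): int
{
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!isset(AVATAR_TYPES[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }
    // getimagesize() reads the magic bytes and returns false for non-images,
    // e.g. a PHP script that was simply renamed to avatar.jpg.
    $info = @getimagesize($tmp_path);
    if ($info === false) {
        throw new RuntimeException('uploaded file is not an image');
    }
    // Index 2 is the IMAGETYPE_* constant; it must agree with the extension.
    if ($info[2] !== AVATAR_TYPES[$ext]) {
        throw new RuntimeException(sprintf(
            'content type %s does not match extension .%s',
            image_type_to_mime_type($info[2]), $ext));
    }
    return $info[2];
}

/**
 * Resolve a user-supplied gallery path (avatar or smilie) and refuse anything
 * that escapes $base_dir, whether via "../" segments or a symlink.
 */
function resolve_gallery_file(string $base_dir, string $user_path): string
{
    $base = realpath($base_dir);
    $full = realpath($base_dir . '/' . $user_path);
    if ($base === false || $full === false) {
        throw new RuntimeException('no such file');
    }
    // The resolved path must sit strictly inside the base directory.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("path '$user_path' escapes $base_dir");
    }
    return $full;
}

// Constructed demo input: a 1x1 GIF and a fake "image" that is really PHP code.
$dir = sys_get_temp_dir() . '/avatar_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/ok.gif",
    base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
file_put_contents("$dir/evil.php", "<?php system(\$_GET['c']); ?>");

foreach ([['ok.gif', 'avatar.gif'], ['ok.gif', 'avatar.png'],
          ['evil.php', 'avatar.jpg']] as [$file, $name]) {
    try {
        $type = check_avatar_upload("$dir/$file", $name);
        echo "$name: accepted as " . image_type_to_mime_type($type) . "\n";
    } catch (RuntimeException $e) {
        echo "$name: rejected (" . $e->getMessage() . ")\n";
    }
}

foreach (['ok.gif', '../../etc/passwd'] as $p) {
    try {
        echo "$p -> " . resolve_gallery_file($dir, $p) . "\n";
    } catch (RuntimeException $e) {
        echo "$p: rejected (" . $e->getMessage() . ")\n";
    }
}

unlink("$dir/ok.gif");
unlink("$dir/evil.php");
rmdir($dir);
```

Run it with `php avatar_check.php`: the GIF named avatar.gif is accepted, the same GIF named avatar.png is rejected for the type mismatch, the PHP script named avatar.jpg is rejected as not an image, and the `../../etc/passwd` gallery path is refused because its realpath() lies outside the base directory. Checking the detected type against the extension (rather than either alone) is what stops a script from being stored under an image extension that the web server might still execute.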


