[Git][security-tracker-team/security-tracker][master] CVE-2019-13376/phpbb3: clear-up confusion following my registering...

Sylvain Beucler beuc at debian.org
Tue Oct 1 12:23:33 BST 2019 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9c1aa9a4 by Sylvain Beucler at 2019-10-01T11:22:53Z
CVE-2019-13376/phpbb3: clear-up confusion following my registering CVE-2019-16993 (earlier vulnerability with incomplete fix)

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -11542,12 +11542,14 @@ CVE-2019-13377 (The implementations of SAE and EAP-pwd in hostapd and wpa_suppli
 	NOTE: Patches: https://w1.fi/security/2019-6/
 CVE-2019-13376 (phpBB version 3.2.7 allows the stealing of an Administration Control P ...)
 	- phpbb3 <removed>
-	NOTE: https://github.com/phpbb/phpbb/commit/dc5a167c429a3813d66b0ae3d14242650466cac6
+	NOTE: https://ssd-disclosure.com/archives/4007/ssd-advisory-phpbb-csrf-token-hijacking-leading-to-stored-xss
+	NOTE: fixed in 3.2.8 as 'SECURITY-246'
+	NOTE: https://github.com/phpbb/phpbb/commit/cdf4f5ef85f05c0f94eae1a9edb1c28d4ac3515f
+	NOTE: follow-up to incomplete fix for CVE-2019-16993
 CVE-2019-16993 (In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper v ...)
 	{DLA-1942-1}
 	- phpbb3 <removed>
 	NOTE: https://github.com/phpbb/phpbb/commit/18abef716ecf42a35416444f3f84f5459d573789
-	NOTE: https://github.com/phpbb/phpbb/commit/cdf4f5ef85f05c0f94eae1a9edb1c28d4ac3515f
 	NOTE: https://www.phpbb.com/community/viewtopic.php?t=2352606
 CVE-2019-13375 (A SQL Injection was discovered in D-Link Central WiFi Manager CWM(100) ...)
 	NOT-FOR-US: D-Link


=====================================
data/DLA/list
=====================================
@@ -1,5 +1,5 @@
 [01 Oct 2019] DLA-1942-1 phpbb3 - security update
-	{CVE-2019-16993}
+	{CVE-2019-13376 CVE-2019-16993}
 	[jessie] - phpbb3 3.0.12-5+deb8u4
 [30 Sep 2019] DLA-1941-1 netty - security update
 	{CVE-2019-16869}



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9c1aa9a434df31002696af43bec084775018523c

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9c1aa9a434df31002696af43bec084775018523c
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20191001/2a8eb6b7/attachment.html>

More information about the debian-security-tracker-commits mailing list