===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1229
                          phpbb3 security update
                             9 September 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           phpbb3
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Overwrite Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin:
   http://www.debian.org/security/2013/dsa-2752

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running phpbb3 check for an updated version of the software for
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-2752-1                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
September 07, 2013                     http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : phpbb3
Vulnerability  : permissions too wide
Problem type   : local
Debian-specific: yes
Debian Bug     : 711172

Andreas Beckmann discovered that phpBB, a web forum, as installed in
Debian, sets incorrect permissions for cached files, allowing a
malicious local user to overwrite them.

For the oldstable distribution (squeeze), this problem has been fixed in
version 3.0.7-PL1-4+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 3.0.10-4+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 3.0.11-4.

We recommend that you upgrade your phpbb3 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the
information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
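
A post-upgrade check for the condition the Debian advisory describes (cached files that a local user other than the owner can overwrite), as an added example that is not part of the bulletin or of the phpbb3 package. The function names `audit_cache_perms` and `_report` are hypothetical, and the cache directory is passed as an argument because the advisory names no path.

```shell
#!/bin/sh
# Added example (not from the advisory): report entries under a cache
# directory that local users other than the owner could modify.
# Usage: audit_cache_perms DIR   (DIR is an assumption; no path is given
# in the advisory). Returns 0 if clean, 1 on findings, 2 on bad input.
# Output is line-oriented, so paths containing newlines are not handled.

# Print "<label> <path>" for every entry matching the given find(1) tests.
_report() {
    label=$1; shift
    find "$@" -print | sed "s|^|$label |"
}

audit_cache_perms() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    findings=$(
        {
            # Writable by "other": any local account can overwrite the file.
            _report world-writable-file "$dir" -type f -perm -002
            # Writable by group only: exposure depends on who is in the group.
            _report group-writable-file "$dir" -type f -perm -020 ! -perm -002
            # A writable directory without the sticky bit lets those users
            # delete and recreate files they cannot write to directly.
            _report world-writable-dir "$dir" -type d -perm -002 ! -perm -1000
            _report group-writable-dir "$dir" -type d -perm -020 \
                ! -perm -002 ! -perm -1000
        } | sort
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

Group-writable findings need a look at group membership before they are treated as a problem, since a cache shared with the web server's group can be intentional.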