===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1229
                          phpbb3 security update
                             9 September 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           phpbb3
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Overwrite Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://www.debian.org/security/2013/dsa-2752

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running phpbb3 check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2752-1                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst 
September 07, 2013                     http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : phpbb3
Vulnerability  : permissions too wide
Problem type   : local
Debian-specific: yes
Debian Bug     : 711172

Andreas Beckmann discovered that phpBB, a web forum, as installed in
Debian, sets incorrect permissions for cached files, allowing a
malicious local user to overwrite them.
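
The kind of check an administrator can run against the forum's cache directory to see whether other local users could overwrite its contents. This is an added example, not code from the advisory, Debian or phpBB. The advisory does not give the cache path or the exact mode bits, so the path is passed in as an argument and the criteria (world/group write bits, symlinks, unexpected owner) are assumptions.

```python
import os
import stat
import sys
import tempfile


def audit_cache_tree(root, expected_uid=None):
    """Return {path: [reasons]} for entries another local user could overwrite."""
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        entries += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = {}
    for path in entries:
        st = os.lstat(path)  # lstat: inspect the link itself, never its target
        reasons = []
        if stat.S_ISLNK(st.st_mode):
            reasons.append("symlink")
        else:
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if st.st_mode & stat.S_IWGRP:
                reasons.append("group-writable")  # review who is in that group
        if expected_uid is not None and st.st_uid != expected_uid:
            reasons.append("owner uid %d" % st.st_uid)
        if reasons:
            findings[path] = reasons
    return findings


def build_demo_tree():
    """Constructed sample tree (not real phpBB data) with tight and loose modes."""
    root = tempfile.mkdtemp(prefix="cache-demo-")  # created with mode 0700
    for name, mode in (("data_ok.php", 0o600), ("data_loose.php", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php /* constructed sample */\n")
        os.chmod(path, mode)  # chmod sets exact bits, independent of umask
    sub = os.path.join(root, "sub")
    os.mkdir(sub)
    os.chmod(sub, 0o770)
    return root


if __name__ == "__main__":
    # Pass the real cache directory as the first argument; otherwise use the demo.
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for path, reasons in sorted(audit_cache_tree(target).items()):
        print(path, "->", ", ".join(reasons))
```

Pass the web server account's uid as `expected_uid` to also flag files owned by anyone else.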

For the oldstable distribution (squeeze), this problem has been fixed in
version 3.0.7-PL1-4+squeeze1.

For the stable distribution (wheezy), this problem has been fixed in
version 3.0.10-4+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 3.0.11-4.

We recommend that you upgrade your phpbb3 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================