ports/66150: [PATCH] SECURITY UPDATE ports/www/phpbb for IP spoofing vulnerability

Xin LI delphij at frontfree.net
Sat May 1 18:00:38 UTC 2004


The following reply was made to PR ports/66150; it has been noted by GNATS.

From: Xin LI <delphij at frontfree.net>
To: FreeBSD-gnats-submit at FreeBSD.org
Cc: Kang LIU <liukang at bjut.edu.cn>, portmgr at FreeBSD.org,
	vuxml at FreeBSD.org
Subject: Re: ports/66150: [PATCH] SECURITY UPDATE ports/www/phpbb for IP spoofing vulnerability
Date: Sun, 2 May 2004 01:57:16 +0800

Also, I hope the attached patch, which mitigates session table exhaustion
that could be used in a DDoS attack after the above patch, gets its way
into phpbb/files so it will be automatically patched.

I suggest adding the following item to vuxml:
 
  <vuln vid=(A newly generated UUID?)>
    <topic>phpBB session table exhaustion</topic>
    <affects>
      <package>
        <name>phpbb</name>
        <range><le>2.0.8_2</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>The includes/sessions.php unnecessarily adds a session item into
        the session table and is therefore vulnerable to a DDoS attack.</p>
      </body>
    </description>
    <references>
      <url>http://www.securityfocus.com/archive/1/360931</url>
      <!--
      <mlist msgid="20040421011055.GA1448 at frontfree.net">
        http://www.securityfocus.com/archive/1/360931
      </mlist>
      -->
    </references>
    <dates>
      <discovery>2004-03-05</discovery>
      <entry>2004-05-01</entry>
    </dates>
  </vuln>
 
-- 
Xin LI <delphij frontfree net>	http://www.delphij.net/
See complete headers for GPG key and other information.
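Checking an installed package against the proposed VuXML entry, as an added example that is not part of the PR, the phpbb port or vuxml itself. It assumes a placeholder vid (the message leaves the UUID to be generated), trims the entry to the elements the check reads, and uses a simplified FreeBSD version comparison (numeric components, PORTREVISION and PORTEPOCH only, no letter suffixes).

```python
import xml.etree.ElementTree as ET

# The VuXML entry proposed in the message, trimmed to the elements this check
# needs; the vid is a placeholder since the message leaves the UUID to be generated.
VUXML_ENTRY = """<vuln vid="PLACEHOLDER-UUID">
  <topic>phpBB session table exhaustion</topic>
  <affects>
    <package>
      <name>phpbb</name>
      <range><le>2.0.8_2</le></range>
    </package>
  </affects>
</vuln>"""

def parse_version(v):
    """Split 'VERSION[_REVISION][,EPOCH]' into (epoch, components, revision).
    Simplified: letter suffixes such as '1.0a' are not handled."""
    epoch = revision = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    return epoch, tuple(int(p) for p in v.split(".")), revision

def compare(a, b):
    """Return -1, 0 or 1 like pkg_version -t: epoch first, then components
    (missing trailing components count as 0), then PORTREVISION."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    n = max(len(pa), len(pb))
    ka = (ea, pa + (0,) * (n - len(pa)), ra)
    kb = (eb, pb + (0,) * (n - len(pb)), rb)
    return (ka > kb) - (ka < kb)

# VuXML range operators, applied to compare(installed, bound).
OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
       "ge": lambda c: c >= 0, "gt": lambda c: c > 0}

def is_vulnerable(vuxml_text, pkgname, version):
    """True if an installed pkgname-version falls inside any <range> of the entry."""
    root = ET.fromstring(vuxml_text)
    for pkg in root.iter("package"):
        if pkg.findtext("name") != pkgname:
            continue
        for rng in pkg.findall("range"):
            # every bound inside one <range> must hold (e.g. <ge> and <lt>)
            if all(OPS[b.tag](compare(version, b.text)) for b in rng):
                return True
    return False
```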