Your message dated Wed, 12 Mar 2025 03:03:20 +0000
with message-id <e1tscnm-007opi...@fasolo.debian.org>
and subject line Bug#1092183: Removed package(s) from unstable
has caused the Debian Bug report #1088798,
regarding kanboard: CVE-2024-51747 CVE-2024-51748
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1088798: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088798
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: kanboard
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for kanboard.
CVE-2024-51747[0]:
| Kanboard is project management software that focuses on the Kanban
| methodology. An authenticated Kanboard admin can read and delete
| arbitrary files from the server. File attachments, that are viewable
| or downloadable in Kanboard are resolved through its `path` entry in
| the `project_has_files` SQLite db. Thus, an attacker who can upload
| a modified sqlite.db through the dedicated feature, can set
| arbitrary file links, by abusing path traversals. Once the modified
| db is uploaded and the project page is accessed, a file download can
| be triggered and all files, readable in the context of the Kanboard
| application permissions, can be downloaded. This issue has been
| addressed in version 1.2.42 and all users are advised to upgrade.
| There are no known workarounds for this vulnerability.
https://github.com/kanboard/kanboard/security/advisories/GHSA-78pf-vg56-5p8v
CVE-2024-51748[1]:
| Kanboard is project management software that focuses on the Kanban
| methodology. An authenticated Kanboard admin can run arbitrary php
| code on the server in combination with a file write possibility. The
| user interface language is determined and loaded by the setting
| `application_language` in the `settings` table. Thus, an attacker
| who can upload a modified sqlite.db through the dedicated feature,
| has control over the filepath, which is loaded. Exploiting this
| vulnerability has one constraint: the attacker must be able to place
| a file (called translations.php) on the system. However, this is not
| impossible, think of anonymous FTP server or another application
| that allows uploading files. Once the attacker has placed its file
| with the actual php code as the payload, the attacker can craft a
| sqlite db settings, which uses path traversal to point to the
| directory, where the `translations.php` file is stored. Then gaining
| code execution after importing the crafted sqlite.db. This issue has
| been addressed in version 1.2.42 and all users are advised to
| upgrade. There are no known workarounds for this vulnerability.
https://github.com/kanboard/kanboard/security/advisories/GHSA-jvff-x577-j95p
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-51747
https://www.cve.org/CVERecord?id=CVE-2024-51747
[1] https://security-tracker.debian.org/tracker/CVE-2024-51748
https://www.cve.org/CVERecord?id=CVE-2024-51748
Please adjust the affected versions in the BTS as needed.
--- End Message ---
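Both advisories quoted above describe the same root cause: the application trusts paths read out of a user-supplied SQLite database (the `path` column of `project_has_files` for attachments, and `application_language` in `settings` for the translations file). The following is an added illustration, not part of the bug report and not Kanboard's own (PHP) code, of the check a database-import feature should run before accepting such a file: every stored path is resolved with `realpath` and required to remain inside the directory it belongs to, and the language value is matched against an allowlist of installed locale directories rather than being used as a path fragment. The table and column names, the directory layout (`data/files`, `app/Locale/<lang>/`) and the sample rows are assumptions made for the example.

```python
import os
import sqlite3
import tempfile

# Assumed layout, modelled on the advisories above (not Kanboard's own constants):
# attachments are stored relative to a files directory, and each UI language is
# a directory under a locales directory that contains translations.php.


def is_within(base_dir, relative_path):
    """True if base_dir/relative_path resolves to a location inside base_dir.

    realpath() collapses '..' segments and follows symlinks, so a stored path
    such as '../../config.php' is rejected after resolution instead of by
    string matching on '..', which misses encoded or symlinked variants.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative_path))
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:  # different drives on Windows: never inside
        return False


def audit_sqlite_import(db_path, files_dir, locales_dir):
    """Scan an uploaded SQLite database before the application adopts it.

    Returns (table, key, value) tuples for every row that would make the
    application resolve a file outside its expected directories.  Table and
    column names follow the advisory text and are assumed, not verified.
    """
    # Allowlist: only directory names actually present under app/Locale.
    allowed_languages = {
        name for name in os.listdir(locales_dir)
        if os.path.isdir(os.path.join(locales_dir, name))
    }
    findings = []
    conn = sqlite3.connect(db_path)
    try:
        # CVE-2024-51747: attachment paths must stay under the files directory.
        for file_id, path in conn.execute("SELECT id, path FROM project_has_files"):
            if path is None or not is_within(files_dir, path):
                findings.append(("project_has_files", file_id, path))
        # CVE-2024-51748: the language must name an installed locale, never a
        # path; with an allowlist a traversal string cannot match anything.
        row = conn.execute(
            "SELECT value FROM settings WHERE option = 'application_language'"
        ).fetchone()
        if row is not None and row[0] not in allowed_languages:
            findings.append(("settings", "application_language", row[0]))
    finally:
        conn.close()
    return findings


def run_demo():
    """Build a constructed upload in a temporary tree, audit it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        files_dir = os.path.join(tmp, "data", "files")
        locales_dir = os.path.join(tmp, "app", "Locale")
        os.makedirs(files_dir)
        os.makedirs(os.path.join(locales_dir, "en_US"))

        db_path = os.path.join(tmp, "uploaded.sqlite")
        conn = sqlite3.connect(db_path)
        conn.executescript("""
            CREATE TABLE project_has_files (id INTEGER PRIMARY KEY, path TEXT);
            CREATE TABLE settings (option TEXT PRIMARY KEY, value TEXT);
            -- constructed rows: one legitimate attachment, one traversal entry
            INSERT INTO project_has_files (path) VALUES ('1/7f3a9c/report.pdf');
            INSERT INTO project_has_files (path) VALUES ('../../config.php');
            -- constructed: a language value that is a path, not a locale name
            INSERT INTO settings VALUES ('application_language', '../../../tmp');
        """)
        conn.commit()
        conn.close()
        return audit_sqlite_import(db_path, files_dir, locales_dir)


if __name__ == "__main__":
    for table, key, value in run_demo():
        print(f"rejected {table}.{key} = {value!r}")
```

The audit rejects the import as a whole if any finding is returned; repairing individual rows would silently keep an attacker-controlled database. The same `is_within` check belongs at the point of use as well (when a download is served or a translations file is included), because a row can also be altered through any other write path to the database.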
--- Begin Message ---
Version: 1.2.31+ds2-1+rm
Dear submitter,
as the package kanboard has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/1092183
The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.
Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Paul Tagliamonte (the ftpmaster behind the curtain)
--- End Message ---