-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 12 Jul 2023 20:13:20 -0400
Source: kanboard
Architecture: source
Version: 1.2.26+ds-2+deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: Joseph Nahmias
Changed-By: Joseph Nahmias
Closes: 1036874 1037167 1040265
Changes:
 kanboard (1.2.26+ds-2+deb12u2) bookworm-security; urgency=high
 .
   * backport fix for CVE-2023-36813: Multiple Authenticated SQL Injections
     https://github.com/kanboard/kanboard/security/advisories/GHSA-9gvq-78jp-jxcx
     Fix picked from kanboard v1.2.31
     https://github.com/kanboard/kanboard/commit/25b93343baeaf8ad
     (Closes: #1040265)
 .
 kanboard (1.2.26+ds-2+deb12u1) bookworm; urgency=high
 .
   * Cherry-pick security fixes from kanboard_1.2.26+ds-[34] for bookworm.
   * backport fix for CVE-2023-32685 from kanboard v1.2.29
     https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
     Based on upstream commits 26b6eeb & c9c1872.
     (cherry picked from commit d9b8d854f2d35831b04b84cfdda41cc7b49e3a28)
     (Closes: #1036874)
   * backport security fixes from kanboard v1.2.30.
     > CVE-2023-33956: Parameter based Indirect Object Referencing leading to private file exposure
     > CVE-2023-33968: Missing access control allows user to move and duplicate tasks to any project in the software
     > CVE-2023-33969: Stored XSS in the Task External Link Functionality
     > CVE-2023-33970: Missing access control in internal task links feature
     (cherry picked from commit 4ad0ad220613bbf04bef559addba8c363fdf0dfa)
     (Closes: #1037167)
   * point gbp & salsa at bookworm
Checksums-Sha1:
 67286f8f8d9468136f602dcabc366c8e9f189c84 2797 kanboard_1.2.26+ds-2+deb12u2.dsc
 71d224ceb1086b40603bf9b0a2f8dbc5cbeee0ed 974764 kanboard_1.2.26+ds.orig.tar.xz
 e779447aa41af05852f27af20f1c26eeeafac18f 18904 kanboard_1.2.26+ds-2+deb12u2.debian.tar.xz
 475008987c4be6b5a9db6b966504e9525cb2b4c3 11216 kanboard_1.2.26+ds-2+deb12u2_amd64.buildinfo
Checksums-Sha256:
 257197766cd6c6b38b954f402252082aedd8cec37b1bd1bfa1e8180b7a12bacf 2797 kanboard_1.2.26+ds-2+deb12u2.dsc
 89b68186c24bd13d33b883e807eee9a8c07e35c0d4b92e2f13803be3d0cfe653 974764 kanboard_1.2.26+ds.orig.tar.xz
 e26110f9c97df285f99a40f92bac2b80f0d23ecbfbbcbd902c3844292d15a093 18904 kanboard_1.2.26+ds-2+deb12u2.debian.tar.xz
 190e54f8a4518244ff753bbd07b992c4f5dfef1f76f03e11aba6874314e2e62a 11216 kanboard_1.2.26+ds-2+deb12u2_amd64.buildinfo
Files:
 03c5bf6da536bd27c4e59cec746fd5fa 2797 web optional kanboard_1.2.26+ds-2+deb12u2.dsc
 e572ec6c2b81d5a9df63d9ebf513de7a 974764 web optional kanboard_1.2.26+ds.orig.tar.xz
 9074f3fb03ffbedf358191fa063fd75d 18904 web optional kanboard_1.2.26+ds-2+deb12u2.debian.tar.xz
 8470c958bc45094c76b18e50129a4b40 11216 web optional kanboard_1.2.26+ds-2+deb12u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcxc7CTsDz7hRCK0UsRvZGQeaO5gFAmSzYxAACgkQsRvZGQea
O5iPFQ//c4k4kEiC4ZfXb+4+EfdufdBjO/Esto/GaZXfsZJvb04kTtKZDWhFL1CH
0xhL2s0aruM73NlVhHmiBlvgZnZ7xdXfjG+y8EZkX4ssimCZ9g8I9EHeMbUmvJsI
lbRqWEcARokCyUHkmWn9SKVx5AOmkEMOAjRRnYLK5Cn5pI6e4IlfL6GMzSwStChK
GF0OWvMuA39JeZyO30C6lbbRWCYY+uMjPP2EoDFnYED+t+AB58HD2RRTthwQ9/q2
alayJPZb5+9XE5gRYv0mTwoe2uuGGYMYopuVsipST2WLUAtv62EG1bQPIlzANxNg
h0GN/rvGPTDorYgEejfochiaH6LZxmCuSp0zp6nulOncCrgVVvulFq9mrbuoiZX5
CUqPS9+xrdnYtYg0qq4/d7HX2lFpSz+R5bxVU7V1V8A/8NmU8nAlvHE21+4C974s
61FPIJP/ZmVHYTXmxuObslQT11M9Qf2WLlSEOcp1GSjYvIems9xyI0Wmq7ynuaY+
GQLTn3jw2cKmn+OcSZT11anF48vyBo7BqlN+uvQ7vDEmQ44lCAKbpQAdmXm9K9U3
r8jPY4Fl8PXkzfeNmSRBSwdqY++dtSeIApcDV9+nA6olrq18gdFewRe8OB3QoMwO
8lYj0U5XGRiCmrbpVphPkRgKaqH6k2mWRqvZEHqlDvmS8ctfAEQ=
=MixI
-----END PGP SIGNATURE-----
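The Checksums-Sha256 field above is what binds the signed .changes file to the four artifacts it describes. The following is an added example, not part of the Debian upload or of kanboard: it parses that field (the sample text embedded in the code is copied from the upload above) and verifies files in a directory by size and SHA-256. The filenames and contents used in the self-check are constructed for the demo. The example checks integrity only; authenticity still depends on verifying the PGP signature over the whole file first (for example with `gpg --verify` or `dscverify` from devscripts), since an attacker who can alter the artifacts can usually also rewrite an unsigned checksum list.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# Added example (not from the kanboard upload): verify the files listed in
# the Checksums-Sha256 field of a Debian .changes file.

# Sample copied verbatim from the upload above; the Files: line shows that
# parsing stops at the next column-0 field.
SAMPLE_CHANGES = """\
Checksums-Sha256:
 257197766cd6c6b38b954f402252082aedd8cec37b1bd1bfa1e8180b7a12bacf 2797 kanboard_1.2.26+ds-2+deb12u2.dsc
 89b68186c24bd13d33b883e807eee9a8c07e35c0d4b92e2f13803be3d0cfe653 974764 kanboard_1.2.26+ds.orig.tar.xz
 e26110f9c97df285f99a40f92bac2b80f0d23ecbfbbcbd902c3844292d15a093 18904 kanboard_1.2.26+ds-2+deb12u2.debian.tar.xz
 190e54f8a4518244ff753bbd07b992c4f5dfef1f76f03e11aba6874314e2e62a 11216 kanboard_1.2.26+ds-2+deb12u2_amd64.buildinfo
Files:
 03c5bf6da536bd27c4e59cec746fd5fa 2797 web optional kanboard_1.2.26+ds-2+deb12u2.dsc
"""


@dataclass(frozen=True)
class Entry:
    sha256: str
    size: int
    name: str


# One continuation line of the field: " <64 hex> <size> <filename>"
_ENTRY = re.compile(r"^ ([0-9a-f]{64}) (\d+) (\S+)$")


def parse_checksums_sha256(changes_text):
    """Return the Entry list of the Checksums-Sha256 field (empty if absent)."""
    entries = []
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):
                break  # a new field starts in column 0, so the list is over
            m = _ENTRY.match(line)
            if not m:
                raise ValueError(f"malformed checksum line: {line!r}")
            entries.append(Entry(m.group(1), int(m.group(2)), m.group(3)))
    return entries


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(changes_text, directory):
    """Map each listed filename to 'ok', 'missing', 'size-mismatch',
    'hash-mismatch' or 'bad-name' (a name containing a path component)."""
    result = {}
    for e in parse_checksums_sha256(changes_text):
        if os.path.basename(e.name) != e.name:
            result[e.name] = "bad-name"  # never join a listed name that escapes the directory
            continue
        path = os.path.join(directory, e.name)
        if not os.path.isfile(path):
            result[e.name] = "missing"
        elif os.path.getsize(path) != e.size:
            result[e.name] = "size-mismatch"  # cheap check before hashing
        elif sha256_file(path) != e.sha256:
            result[e.name] = "hash-mismatch"
        else:
            result[e.name] = "ok"
    return result


def checksums_sha256_field(directory, names):
    """Emit a Checksums-Sha256 field for the given files (used by the demo)."""
    lines = ["Checksums-Sha256:"]
    for n in names:
        p = os.path.join(directory, n)
        lines.append(f" {sha256_file(p)} {os.path.getsize(p)} {n}")
    return "\n".join(lines) + "\n"


def demo_tamper_detection():
    """Constructed demo: two files pass, then a one-byte change to the tarball
    (same size) is caught by the hash. Returns (clean_result, tampered_result)."""
    files = {"a.dsc": b"Format: 3.0 (quilt)\n", "a.orig.tar.xz": b"\xfd7zXZ\x00" + b"x" * 100}
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        text = checksums_sha256_field(d, list(files)) + "Files:\n"
        clean = verify(text, d)
        with open(os.path.join(d, "a.orig.tar.xz"), "r+b") as f:
            f.write(b"\xfe")  # overwrite the first byte; size is unchanged
        tampered = verify(text, d)
    return clean, tampered


if __name__ == "__main__":
    for e in parse_checksums_sha256(SAMPLE_CHANGES):
        print(e.size, e.name)
    print(demo_tamper_detection())
```

The size check runs before the hash because it is cheap and catches truncated downloads early, but a size match alone proves nothing, which is exactly what the demo's same-length tamper shows.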