Format: 1.8
Date: Thu, 15 Jun 2023 23:02:33 -0400
Source: kanboard
Architecture: source
Version: 1.2.26+ds-2+deb12u1
Distribution: bookworm
Urgency: high
Maintainer: Joseph Nahmias <jello@debian.org>
Changed-By: Joseph Nahmias <jello@debian.org>
Closes: 1036874 1037167
Changes:
 kanboard (1.2.26+ds-2+deb12u1) bookworm; urgency=high
 .
   * Cherry-pick security fixes from kanboard_1.2.26+ds-[34] for bookworm.
   * backport fix for CVE-2023-32685 from kanboard v1.2.29
     https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
     Based on upstream commits 26b6eeb & c9c1872.
     (cherry picked from commit d9b8d854f2d35831b04b84cfdda41cc7b49e3a28)
     (Closes: #1036874)
   * backport security fixes from kanboard v1.2.30.
     > CVE-2023-33956: Parameter based Indirect Object Referencing leading
       to private file exposure
     > CVE-2023-33968: Missing access control allows user to move and
       duplicate tasks to any project in the software
     > CVE-2023-33969: Stored XSS in the Task External Link Functionality
     > CVE-2023-33970: Missing access control in internal task links feature
     (cherry picked from commit 4ad0ad220613bbf04bef559addba8c363fdf0dfa)
     (Closes: #1037167)
   * point gbp & salsa at bookworm
Checksums-Sha1:
 6d39d4ef8df484a68b9c272ce92cdbd62acbd694 2797 kanboard_1.2.26+ds-2+deb12u1.dsc
 35493fa22de1e6ce3b6151f9435d40c7e1243b0e 18472 kanboard_1.2.26+ds-2+deb12u1.debian.tar.xz
 42cf644ea0ad2153e47ea04c6ec573e97a2a68ea 11216 kanboard_1.2.26+ds-2+deb12u1_amd64.buildinfo
Checksums-Sha256:
 cc60e6992239d3493233ee7255d58d3e7fe2cfe69c5dd34dbd08708a226f0dbd 2797 kanboard_1.2.26+ds-2+deb12u1.dsc
 627195d2f7066921c684ea5baa58063117080dc07478ea7ecba04da1a9c3274b 18472 kanboard_1.2.26+ds-2+deb12u1.debian.tar.xz
 9109e9219cb325816619b7066afd4fecf18de49f0d5346ecbffeccb974caec2d 11216 kanboard_1.2.26+ds-2+deb12u1_amd64.buildinfo
Files:
 6a8a619c02d20da64250f3e22d206065 2797 web optional kanboard_1.2.26+ds-2+deb12u1.dsc
 05ef2c8593648613528d8b32b8eda5c0 18472 web optional kanboard_1.2.26+ds-2+deb12u1.debian.tar.xz
 89f73bfa18f310d979489a839e6709e2 11216 web optional kanboard_1.2.26+ds-2+deb12u1_amd64.buildinfo