• Bug#1103881: php-laravel-framework: CVE-2025-27515

    From Moritz Mühlenhoff@21:1/5 to All on Tue Apr 22 14:20:01 2025
    Source: php-laravel-framework
    X-Debbugs-CC: team@security.debian.org
    Severity: grave
    Tags: security

    Hi,

    The following vulnerability was published for php-laravel-framework.

    CVE-2025-27515[0]:
    | Laravel is a web application framework. When using wildcard
    | validation to validate a given file or image field (`files.*`), a
    | user-crafted malicious request could potentially bypass the
    | validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.

    https://github.com/laravel/framework/security/advisories/GHSA-78fx-h6xr-vch4
    https://github.com/laravel/framework/commit/2d133034fefddfb047838f4caca3687a3ba811a5 (v12.1.1)

    There are also two other security issues affecting sid/trixie and
    which are already fixed in experimental:
    https://security-tracker.debian.org/tracker/CVE-2024-13918
    https://security-tracker.debian.org/tracker/CVE-2024-13919

    So possibly trixie should be moved to 11.44.1 unless it's a very
    breaking change between 10 and 11?

    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-27515
    https://www.cve.org/CVERecord?id=CVE-2025-27515

    Please adjust the affected versions in the BTS as needed.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Debian Bug Tracking System@21:1/5 to All on Tue Apr 22 23:50:01 2025

    Your message dated Tue, 22 Apr 2025 21:39:42 +0000
    with message-id <E1u7LLC-009ph7-Ko@fasolo.debian.org>
    and subject line Bug#1103881: fixed in php-laravel-framework 10.48.29+dfsg-1
    has caused the Debian Bug report #1103881,
    regarding php-laravel-framework: CVE-2025-27515
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1103881: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103881
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

  • From Debian Bug Tracking System@21:1/5 to All on Wed Apr 23 00:00:02 2025

    Your message dated Tue, 22 Apr 2025 21:51:20 +0000
    with message-id <E1u7LWS-009rvY-3F@fasolo.debian.org>
    and subject line Bug#1103881: fixed in php-laravel-framework 11.44.2+dfsg-1
    has caused the Debian Bug report #1103881,
    regarding php-laravel-framework: CVE-2025-27515
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1103881: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103881
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

  • From Moritz Mühlenhoff@21:1/5 to Robin Gustafsson on Wed Apr 23 08:50:01 2025
    On Tue, Apr 22, 2025 at 10:46:57PM +0200, Robin Gustafsson wrote:
    > Hi Moritz,
    >
    > Thanks for the report.
    >
    > On 4/22/25 14:09, Moritz Mühlenhoff wrote:
    > [...]
    > > The following vulnerability was published for php-laravel-framework.
    > >
    > > CVE-2025-27515[0]:
    >
    > Thanks. I'll upload a fix for sid/trixie soon.

    Great, thanks.

    > > There are also two other security issues affecting sid/trixie and
    > > which are already fixed in experimental:
    > > https://security-tracker.debian.org/tracker/CVE-2024-13918
    > > https://security-tracker.debian.org/tracker/CVE-2024-13919
    >
    > These were introduced in 11.9.0 so the versions in Debian aren't affected.

    We've updated the Security Tracker accordingly.

    > > So possibly trixie should be moved to 11.44.1 unless it's a very
    > > breaking change between 10 and 11?
    >
    > Unfortunately, that isn't possible due to a dependency on php-symfony 7.

    Ah, I see.

    Cheers,
    Moritz
