[Secure-testing-team] Bug#649113: spip: New version (2.1.12) fixes several security issues

David Prévot taffit at debian.org
Thu Nov 17 18:56:02 UTC 2011


Package: spip
Version: 2.1.1-3squeeze1
Severity: important
Tags: security upstream

Hi,

The last SPIP upstream version (2.1.12) fixes several security issues.
The most severe one allows a privilege escalation: an unauthorized
member can become administrator (with full access to the SPIP website).
This version also fixes a cross-site scripting (XSS) and a full path
disclosure. [0]

Unfortunately, the security screen file added recently in the package to
fix previous security issues could not be updated by upstream authors
(“it was not possible to produce a light code to fix those three
issues”).

  0: http://archives.rezo.net/archives/spip-ann.mbox/GFZZLMG4ZO5MA4KWQ77XEHDM27ZRMCQH/

I'm preparing a package for Sid and will upload it ASAP, but I'm not
sure it will be easy to backport the other 2.1.11 to 2.1.12 changes in
the 2.1.1 version currently in Squeeze. I'll update this bug report
after further investigation or get directly in touch with the security
team when ready.

Regards

David

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (600, 'unstable'), (500, 'testing'), (500, 'stable'), (150, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages spip depends on:
ii  apache2-mpm-prefork [httpd]  2.2.21-2    
ii  debconf [debconf-2.0]        1.5.41      
ii  libjs-jquery                 1.6.4-1     
ii  lighttpd [httpd]             1.4.29-1    
ii  php-html-safe                0.10.1-1    
ii  php5                         5.3.8.0-1   
ii  php5-mysql                   5.3.8.0-1+b1

Versions of packages spip recommends:
ii  imagemagick                      8:6.6.9.7-5+b2
ii  mysql-server                     5.1.58-1      
ii  mysql-server-5.1 [mysql-server]  5.1.58-1      
ii  netpbm                           2:10.0-15     

spip suggests no packages.

-- debconf information excluded
