From carnil at debian.org Tue Dec 6 06:11:18 2016
From: carnil at debian.org (Salvatore Bonaccorso)
Date: Tue, 06 Dec 2016 07:11:18 +0100
Subject: [Spip-maintainers] Bug#847156: spip: CVE-2016-9152
Message-ID: <148100467800.19739.1722104935066291684.reportbug@lorien.valinor.li>

Source: spip
Version: 3.1.3-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for spip.

CVE-2016-9152[0]:
cross-site scripting

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9152
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9152

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

From david at tilapin.org Tue Dec 6 07:54:00 2016
From: david at tilapin.org (David Prévot)
Date: Mon, 5 Dec 2016 21:54:00 -1000
Subject: [Spip-maintainers] Bug#847156: Bug#847156: spip: CVE-2016-9152
In-Reply-To: <148100467800.19739.1722104935066291684.reportbug@lorien.valinor.li>
References: <148100467800.19739.1722104935066291684.reportbug@lorien.valinor.li>
Message-ID: <7e4720e8-6455-87cc-8275-05133139e28a@tilapin.org>

Hi Salvatore,

Thanks for the report,

On 05/12/2016 at 20:11, Salvatore Bonaccorso wrote:
> the following vulnerability was published for spip.
>
> CVE-2016-9152[0]:
> cross-site scripting
[…]
> [0] https://security-tracker.debian.org/tracker/CVE-2016-9152
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9152

I was about to ask where did you find the link between the CVE entry
and the commit, but my search engine was quicker to answer ;).

FYI, a few other security-oriented commits are being staged for the next
upstream release (coming soon), and the previous fixes that already made
it in a "recent" DLA are still waiting for an upstream ack (they recently
acknowledged on IRC that they have to reply to us).

Regards

David

From otto at debian.org Sat Dec 17 15:32:44 2016
From: otto at debian.org (otto at debian.org)
Date: Sat, 17 Dec 2016 17:32:44 +0200
Subject: [Spip-maintainers] Bug#848450: spip: Should Depends/Recommends the metapackage default-mysql-*
Message-ID: <58555a9e.879e190a.31dab.b13c@mx.google.com>

Package: spip
Severity: important
User: pkg-mysql-maint at lists.alioth.debian.org
Usertags: default-mysql default-mysql-depends-recommends

Hi!

This package depends (or recommends) directly on Oracle MySQL. It should
instead depend on the default-mysql-* metapackages, and end up being
installed with the MySQL implementation Debian has chosen to use,
currently MariaDB instead of Oracle MySQL.

Announcement of the new default-mysql-* metapackages:
https://lists.debian.org/debian-devel-announce/2016/09/msg00000.html

Wiki: https://wiki.debian.org/Teams/MySQL/default-mysql-server

MBF: https://lists.debian.org/debian-devel/2016/11/msg00832.html

Please update the dependencies accordingly. In most cases the required
change follows this pattern:

* BEFORE: Depends: mysql-server | virtual-mysql-server
* AFTER: Depends: default-mysql-server | virtual-mysql-server

As this is a mass bug filing, the exact solution above might not apply
directly. For example, if your package depends on some other Oracle MySQL
package, like mysql-client, then use default-mysql-client.

Thanks,
Otto

From carnil at debian.org Mon Dec 19 05:37:25 2016
From: carnil at debian.org (Salvatore Bonaccorso)
Date: Mon, 19 Dec 2016 06:37:25 +0100
Subject: [Spip-maintainers] Bug#848641: spip: CVE-2016-9997 CVE-2016-9998
Message-ID: <148212584522.12091.4375633702406211055.reportbug@lorien.valinor.li>

Source: spip
Version: 3.1.3-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerabilities were published for spip.

CVE-2016-9997[0]:
'id' parameter in '/ecrire/exec/puce_statut.php' XSS

CVE-2016-9998[1]:
'plugin' parameter in '/ecrire/exec/info_plugin.php' XSS

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9997
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9997
[1] https://security-tracker.debian.org/tracker/CVE-2016-9998
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9998

Please adjust the affected versions in the BTS as needed. Only sid's
version has been doublechecked so far.

Regards,
Salvatore

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

From opal at debian.org Thu Dec 22 22:19:29 2016
From: opal at debian.org (Ola Lundqvist)
Date: Thu, 22 Dec 2016 23:19:29 +0100
Subject: [Spip-maintainers] Wheezy update of spip?
Message-ID: <20161222221925.GA14536@inguza.net>

Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of spip:
https://security-tracker.debian.org/tracker/CVE-2016-9997
https://security-tracker.debian.org/tracker/CVE-2016-9998

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts at lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest.
Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of spip updates
for the LTS releases.

Thank you very much.

Ola Lundqvist,
on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

--
 -------------- Ola Lundqvist --------------------
/  opal at debian.org       GPG fingerprint         \
|  ola at inguza.com        22F2 32C6 B1E0 F4BF 2B26 |
|  http://inguza.com/     0A6A 5E90 DCFA 9426 876F /
 -------------------------------------------------