[Secure-testing-team] Bug#609212: spip: Cross-Site Scripting and other security issues
David Prévot
david at tilapin.org
Fri Jan 7 12:47:30 UTC 2011
Package: spip
Version: 2.1.1-2
Severity: grave
Tags: security upstream patch
Justification: user security hole
Hi,
Version 2.1.6, released Monday, corrects various security issues [1].
According to the changelog [2], these should be addressed by r16879 [3],
r16880 [4] and r16884 [5].
1: http://archives.rezo.net/archives/spip-ann.mbox/GLOR4XJWY2W46N7PVXDF6YYOZGYF427P/
2: http://core.spip.org/projects/spip/repository/entry/branches/spip-2.1/CHANGELOG.txt
3: http://core.spip.org/projects/spip/repository/revisions/16879/diff/branches/spip-2.1/
4: http://core.spip.org/projects/spip/repository/revisions/16880/diff/branches/spip-2.1/
5: http://core.spip.org/projects/spip/repository/revisions/16884/diff/branches/spip-2.1/
Regards
David
-- System Information:
Debian Release: 6.0
APT prefers unstable
APT policy: (600, 'unstable'), (500, 'testing'), (500, 'stable'), (150, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.36-trunk-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages spip depends on:
ii apache2-mpm-prefork [httpd] 2.2.16-6 Apache HTTP Server - traditional n
ii debconf [debconf-2.0] 1.5.37 Debian configuration management sy
ii libjs-jquery 1.4.2-2 JavaScript library for dynamic web
ii lighttpd [httpd] 1.4.28-2 A fast webserver with minimal memo
ii php-html-safe 0.10.0-1 strip down all potentially dangero
ii php5 5.3.3-7 server-side, HTML-embedded scripti
ii php5-mysql 5.3.3-7 MySQL module for php5
Versions of packages spip recommends:
ii imagemagick 8:6.6.0.4-3 image manipulation programs
ii mysql-server 5.1.49-3 MySQL database server (metapackage
ii mysql-server-5.1 [mysql-s 5.1.49-3 MySQL database server binaries and
ii netpbm 2:10.0-12.2+b1 Graphics conversion tools between
spip suggests no packages.
-- debconf information excluded