[Secure-testing-team] Bug#649113: spip: New version (2.1.12) fixes several security issues
David Prévot
taffit at debian.org
Thu Nov 17 18:56:02 UTC 2011
Package: spip
Version: 2.1.1-3squeeze1
Severity: important
Tags: security upstream
Hi,
The last SPIP upstream version (2.1.12) fixes several security issues.
The most severe one allows a privilege escalation: an unauthorized
member can become administrator (with full access to the SPIP website).
This version also fixes a cross-site scripting (XSS) and a full path
disclosure. [0]
Unfortunately, the security screen file added recently in the package to
fix previous security issues could not be updated by upstream authors
(“it was not possible to produce a light code to fix those three
issues”).
0: http://archives.rezo.net/archives/spip-ann.mbox/GFZZLMG4ZO5MA4KWQ77XEHDM27ZRMCQH/
I'm preparing a package for Sid and will upload it ASAP, but I'm not
sure it will be easy to backport the other 2.1.11 to 2.1.12 changes in
the 2.1.1 version currently in Squeeze. I'll update this bug report
after further investigation or get directly in touch with the security
team when ready.
Regards
David
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (600, 'unstable'), (500, 'testing'), (500, 'stable'), (150, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.1.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages spip depends on:
ii apache2-mpm-prefork [httpd] 2.2.21-2
ii debconf [debconf-2.0] 1.5.41
ii libjs-jquery 1.6.4-1
ii lighttpd [httpd] 1.4.29-1
ii php-html-safe 0.10.1-1
ii php5 5.3.8.0-1
ii php5-mysql 5.3.8.0-1+b1
Versions of packages spip recommends:
ii imagemagick 8:6.6.9.7-5+b2
ii mysql-server 5.1.58-1
ii mysql-server-5.1 [mysql-server] 5.1.58-1
ii netpbm 2:10.0-15
spip suggests no packages.
-- debconf information excluded