[Secure-testing-team] Bug#646758: spip: New version (2.1.11) fixes a security issue

David Prévot taffit at debian.org
Wed Oct 26 19:54:51 UTC 2011


Package: spip
Version: 2.1.1-3squeeze1
Severity: important
Tags: security upstream

Hi,

The last SPIP upstream version (2.1.11) fixes a (not too important
according to upstream) full path disclosure security issue [0].

0: http://archives.rezo.net/archives/spip-ann.mbox/5XCQ4RYDCYRXQSQQK42DT7IO2GVT7ZSI/

Romain, I'm also stuck with a URL rewriting issue with attached
documents in the 2.1.1 version (that doesn't work as expected with the
“Accès Restreint” (“Restricted Access”) plugin), so I'm going to prepare
a 2.1.11 package any time soon (before the weekend) unless of course
you've already done all the needed work ;-). Would you agree if I upload
this package to unstable when it's ready?

Regards

David

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (600, 'unstable'), (500, 'testing'), (500, 'stable'), (150, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages spip depends on:
ii  apache2-mpm-prefork [httpd]  2.2.21-2
ii  debconf [debconf-2.0]        1.5.41  
ii  libjs-jquery                 1.6.4-1 
ii  lighttpd [httpd]             1.4.29-1
ii  php-html-safe                0.10.1-1
ii  php5                         5.3.8-2 
ii  php5-mysql                   5.3.8-2 

Versions of packages spip recommends:
ii  imagemagick                      8:6.6.9.7-5+b1
ii  mysql-server                     5.1.58-1      
ii  mysql-server-5.1 [mysql-server]  5.1.58-1      
ii  netpbm                           2:10.0-15     

spip suggests no packages.

-- debconf information excluded




