[Secure-testing-team] Bug#742456: Log sanitizing and SQL injection

David Prévot taffit at debian.org
Sun Mar 23 22:02:06 UTC 2014

Package: spip
Version: 2.1.17-1+deb7u3
Severity: important
Tags: security upstream
Control: fixed -1 3.1~21281-1
Control: fixed -1 3.0.16-1
Control: found -1 2.1.1-3squeeze8


The latest upstream update [1] fixes two security issues:
- an SQL injection, already blocked by the security screen;
- a lack of sanitizing visible in log files.

I’ve already prepared the Wheezy [2] and Squeeze updates, and open this
bug report in order to follow up with the security team and the release
team to get these a priori minor issues fixed in the next (old)stable

	1: http://contrib.spip.net/Alerte-SPIP-2-0-25-SPIP-2-1-26-SPIP-3-0-16-sont-gavees
	2: http://people.debian.org/~taffit/spip/

