[Spip-maintainers] Debian RT spip update to fix #649113

David Prévot taffit at debian.org
Fri Nov 18 03:22:28 UTC 2011


Hi,

I've prepared a security update for spip. As described in #649113, the
2.1.12 version fixes an important bug, allowing any author to become a
site administrator. Thanks to upstream authors, I've applied the needed
fixes to the current 2.1.1 available in Squeeze (and they weren't able
to reproduce the issues on the updated package).

The package associated with the attached debdiff is available:

    1: http://people.debian.org/~taffit/spip/spip_2.1.1-3squeeze1.1.dsc

A DSA-like description of the problem fixed follows. Please let me know
if I can be of any help.

Regards

David


Package        : spip
Vulnerability  : several
Problem type   : remote
Debian-specific: no
Debian Bug     : 649113

Several vulnerabilities have been discovered in SPIP, a website engine
for publishing.

   Arnault Pachot discovered a cross-site scripting issue in the online
   help.

   Davy Douhine discovered a privilege escalation allowing a connected
   author to become a site administrator.

For the stable distribution (squeeze), these problems have been fixed in
version 2.1.1-3squeeze1.1.

For the unstable distribution (sid), these problems have been fixed in
version 2.1.12-1.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spipdeb.diff
Type: text/x-diff
Size: 4983 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/spip-maintainers/attachments/20111117/47dad827/attachment-0001.diff>