[Spip-maintainers] [rt.debian.org #3493] spip update to fix #649113

David Prévot taffit at debian.org
Fri Nov 18 21:28:04 UTC 2011


Hi,

On 18/11/2011 16:52, Moritz Muehlenhoff via RT wrote:
> On Fri, Nov 18, 2011 at 03:23:07AM +0000, David Prévot via RT wrote:

>>     1: http://people.debian.org/~taffit/spip/spip_2.1.1-3squeeze1.1.dsc
>>
>> A DSA-like description of the problem fixed follows; please let me know
>> if I can be of any help.
> 
> Thanks, I'll take care of the update. 

Thank you,

> What kind of testing did this package receive? I can't test it myself. 

I've tested a smooth upgrade (and downgrade) from the current Squeeze SPIP
version, and didn't notice any issue (especially the issue fixed in r18700
after the r18627 security fix, both patched in the proposed package as
fix_privilege_escalation.patch).

I have not been able to actually exploit the two security issues, so I
can't personally testify that they're fixed, but upstream developers
weren't able to reproduce the exploit on my [test] website with the
proposed security update.

   r18627: http://core.spip.org/projects/spip/repository/revisions/18627
   r18700: http://core.spip.org/projects/spip/repository/revisions/18700
   test: http://test.tilapin.org/ (login: toto; password: tototo).

Unfortunately, I already use the Sid version on my production server
(which fixes a plugin issue as explained in #646758), so I didn't test
the package in a real production environment.

Regards,

David

