[Spip-maintainers] [rt.debian.org #3837] SPIP stable update (fixes #677290)

David Prévot taffit at debian.org
Wed Jun 13 14:44:53 UTC 2012


Hi,

As noted in #677290, I just updated the proposed security upload [0].

     0: http://people.debian.org/~taffit/spip/spip_2.1.1-3squeeze4.dsc

Here is an attempt at a DSA text:

----------------%<--------------------------------%<----------------

Package        : spip
Vulnerability  : cross-site scripting
Problem type   : remote
Debian-specific: no
CVE ID         : not available yet

Four cross-site scripting vulnerabilities have been found in SPIP, a
website engine for publishing.

For the stable distribution (squeeze), this problem has been fixed in
version 2.1.1-3squeeze4.

For the unstable distribution (sid), this problem has been fixed in
version 2.1.15-1.

---------------->%-------------------------------->%----------------

The attached debdiff shows the actual differences from the last security
update.

The first of these four XSS is actually part of the CVE-2012-2151 fix
(that was not completely addressed in DSA-2461-1), so you may wish to
publish it as an updated DSA-2461-2.

As a side note: upstream just released a 3.0 upstream branch, but since
they're pretty responsive, and take care of updating the security fixes
for previous branches, I intend to stick with the 2.1 branch in Wheezy
instead of rushing a non-trivial update path (and to be honest, they're
still fixing many issues in the 3.0 branch anyway).

Regards

David

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: spip-secu.diff
URL: <http://lists.alioth.debian.org/pipermail/spip-maintainers/attachments/20120613/c570c312/attachment.ksh>