[Spip-maintainers] Bug#864921: spip: remote code execution flaw

Salvatore Bonaccorso carnil at debian.org
Sat Jun 17 06:39:10 UTC 2017


Source: spip
Version: 3.1.4-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: fixed -1 3.1.4-2

As per

https://contrib.spip.net/CRITICAL-security-update-SPIP-3-1-6-and-SPIP-3-2-Beta?var_zapl=non
> A CRITICAL flaw was discovered recently in SPIP, allowing the
> execution of arbitrary code.
>
> It affects SPIP 3.1.x and 3.2 versions (alpha & beta), and impacts all
> websites using these versions.
> SPIP 3.0.x and earlier versions are not affected by this issue.
>
> It is imperative to update your SPIP website as soon as possible.
>
> In the meantime, the security screen version 1.3.2 will block possible
> exploitations of the vulnerability. Updating the security screen
> remains a transitional measure that should not prevent you from
> updating SPIP as soon as possible.
>
> The team thanks Emeric Boit and ANSSI for identifying and reporting
> the issue.

and since there is no CVE to track the issue, filing the bug in the
BTS even though it is already fixed in unstable.

Regards,
Salvatore


