[Spip-maintainers] Bug#864921: spip: remote code execution flaw
Salvatore Bonaccorso
carnil at debian.org
Sat Jun 17 15:21:34 UTC 2017
Control: retitle -1 spip: CVE-2017-9736: remote code execution
On Sat, Jun 17, 2017 at 08:39:10AM +0200, Salvatore Bonaccorso wrote:
> Source: spip
> Version: 3.1.4-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Control: fixed -1 3.1.4-2
>
> As per
>
> https://contrib.spip.net/CRITICAL-security-update-SPIP-3-1-6-and-SPIP-3-2-Beta?var_zapl=non
> > A CRITICAL flaw was discovered recently in SPIP, allowing the
> > execution of arbitrary code.
> >
> > It affects SPIP 3.1.x and 3.2 versions (alpha & beta), and impacts all
> > websites using these versions.
> > SPIP 3.0.x and earlier versions are not affected by this issue.
> >
> > It is imperative to update your SPIP website as soon as possible.
> >
> > In the meantime, the security screen version 1.3.2 will block possible
> > exploitations of the vulnerability. Updating the security screen
> > remains a transitional measure that should not prevent you from
> > updating SPIP as soon as possible.
> >
> > The team thanks Emeric Boit and ANSSI for identifying and reporting
> > the issue.
>
> and since there is no CVE to track the issue, filing the bug in the
> BTS even though already fixed in unstable.
CVE-2017-9736 was assigned for this issue.
Regards,
Salvatore