David Prévot
2011-Nov-17 18:56 UTC
[Secure-testing-team] Bug#649113: spip: New version (2.1.12) fixes several security issues
Package: spip
Version: 2.1.1-3squeeze1
Severity: important
Tags: security upstream

Hi,

The last SPIP upstream version (2.1.12) fixes several security issues. The most severe one allows a privilege escalation: an unauthorized member can become administrator (with full access to the SPIP website). This version also fixes a cross site scripting (XSS) and a full path disclosure. [0]

Unfortunately, the security screen file added recently in the package to fix previous security issues could not be updated by upstream authors ("it was not possible to produce a light code to fix those three issues").

0: http://archives.rezo.net/archives/spip-ann.mbox/GFZZLMG4ZO5MA4KWQ77XEHDM27ZRMCQH/

I'm preparing a package for Sid and will upload it ASAP, but I'm not sure it will be easy to backport the other 2.1.11 to 2.1.12 changes in the 2.1.1 version currently in Squeeze. I'll update this bug report after further investigation or get directly in touch with the security team when ready.

Regards

David

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (600, 'unstable'), (500, 'testing'), (500, 'stable'), (150, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages spip depends on:
ii  apache2-mpm-prefork [httpd]  2.2.21-2
ii  debconf [debconf-2.0]        1.5.41
ii  libjs-jquery                 1.6.4-1
ii  lighttpd [httpd]             1.4.29-1
ii  php-html-safe                0.10.1-1
ii  php5                         5.3.8.0-1
ii  php5-mysql                   5.3.8.0-1+b1

Versions of packages spip recommends:
ii  imagemagick                  8:6.6.9.7-5+b2
ii  mysql-server                 5.1.58-1
ii  mysql-server-5.1 [mysql-server]  5.1.58-1
ii  netpbm                       2:10.0-15

spip suggests no packages.

-- debconf information excluded