David Prévot
2011-Jan-07 12:47 UTC
[Secure-testing-team] Bug#609212: spip: Cross-Site Scripting and other security issues
Package: spip
Version: 2.1.1-2
Severity: grave
Tags: security upstream patch
Justification: user security hole

Hi,

Version 2.1.6 released Monday corrects various security issues [1].
According to the changelog [2], these should be addressed by r16879 [3],
r16880 [4] and r16884 [5].

1: http://archives.rezo.net/archives/spip-ann.mbox/GLOR4XJWY2W46N7PVXDF6YYOZGYF427P/
2: http://core.spip.org/projects/spip/repository/entry/branches/spip-2.1/CHANGELOG.txt
3: http://core.spip.org/projects/spip/repository/revisions/16879/diff/branches/spip-2.1/
4: http://core.spip.org/projects/spip/repository/revisions/16880/diff/branches/spip-2.1/
5: http://core.spip.org/projects/spip/repository/revisions/16884/diff/branches/spip-2.1/

Regards

David

-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (600, 'unstable'), (500, 'testing'), (500, 'stable'), (150, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.36-trunk-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages spip depends on:
ii  apache2-mpm-prefork [httpd]  2.2.16-6  Apache HTTP Server - traditional n
ii  debconf [debconf-2.0]        1.5.37    Debian configuration management sy
ii  libjs-jquery                 1.4.2-2   JavaScript library for dynamic web
ii  lighttpd [httpd]             1.4.28-2  A fast webserver with minimal memo
ii  php-html-safe                0.10.0-1  strip down all potentially dangero
ii  php5                         5.3.3-7   server-side, HTML-embedded scripti
ii  php5-mysql                   5.3.3-7   MySQL module for php5

Versions of packages spip recommends:
ii  imagemagick                8:6.6.0.4-3      image manipulation programs
ii  mysql-server               5.1.49-3         MySQL database server (metapackage
ii  mysql-server-5.1 [mysql-s  5.1.49-3         MySQL database server binaries and
ii  netpbm                     2:10.0-12.2+b1   Graphics conversion tools between

spip suggests no packages.

-- debconf information excluded