David Prévot
2011-Oct-26 19:54 UTC
[Secure-testing-team] Bug#646758: spip: New version (2.1.11) fixes a security issue
Package: spip
Version: 2.1.1-3squeeze1
Severity: important
Tags: security upstream

Hi,

The last SPIP upstream version (2.1.11) fixes a (not too important according to upstream) full path disclosure security issue [0].

0: http://archives.rezo.net/archives/spip-ann.mbox/5XCQ4RYDCYRXQSQQK42DT7IO2GVT7ZSI/

Romain, I'm also stuck with a URL rewriting issue with attached documents in the 2.1.1 version (that doesn't work as expected with the « Accès Restreint » ("Restricted Access") plugin), so I'm going to prepare a 2.1.11 package any time soon (before the weekend) unless of course you've already done all the needed work ;-).

Would you agree if I upload this package to unstable when it's ready?

Regards

David

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (600, 'unstable'), (500, 'testing'), (500, 'stable'), (150, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages spip depends on:
ii  apache2-mpm-prefork [httpd]  2.2.21-2
ii  debconf [debconf-2.0]        1.5.41
ii  libjs-jquery                 1.6.4-1
ii  lighttpd [httpd]             1.4.29-1
ii  php-html-safe                0.10.1-1
ii  php5                         5.3.8-2
ii  php5-mysql                   5.3.8-2

Versions of packages spip recommends:
ii  imagemagick                      8:6.6.9.7-5+b1
ii  mysql-server                     5.1.58-1
ii  mysql-server-5.1 [mysql-server]  5.1.58-1
ii  netpbm                           2:10.0-15

spip suggests no packages.

-- debconf information excluded
David Prévot
2011-Oct-27 02:23 UTC
[Secure-testing-team] Bug#646758: spip: New version (2.1.11) fixes a security issue
On 26/10/2011 15:54, David Prévot wrote:

> I'm going to prepare
> a 2.1.11 package any time soon (before the weekend) unless of course
> you've already done all the needed work ;-).

It seems like I'm a lucky guy: just found your hidden Subversion repository on Alioth, where you already prepared an upload for the 2.1.10 version! I just updated the package with the last upstream version [1] and sent the patches [2].

1: http://people.debian.org/~taffit/spip/spip_2.1.11-0.1.dsc
2: http://lists.alioth.debian.org/pipermail/spip-maintainers/2011-October/thread.html#615

> Would you agree if I upload
> this package to unstable when it's ready?

I'll start testing it in a production environment tomorrow; if nothing goes wrong, I'll send it to DELAYED/10 but would of course prefer if you'd take the time to review it and send it yourself.

Since you set up the Maintainer field to the list, I guess you'd accept a co-maintainer; I'd be happy to join.

Regards

David