oss-sec mailing list archives
CVE Request: multiple vulnerabilities in spip
From: Salvatore Bonaccorso <carnil () debian org>
Date: Sun, 10 Nov 2013 07:23:36 +0100
Hi

(Cc'ing David Prévot, maintainer in Debian for the spip package; I'm not a native French speaker, so he might help get it right)

Upstream for SPIP, a website engine for publishing, fixed the following issues in their upstream release for 2.1.24 (and 3.0.12):

- cross-site request forgery on logout. The patch adds a confirmation button when logging out.
  commit for 2.1.24: http://core.spip.org/projects/spip/repository/revisions/20874
  3.0.x did not contain the fix, and is probably not affected (David can you confirm?)

- cross-site scripting on author page:
  commit for 2.1.24: http://core.spip.org/projects/spip/repository/revisions/20880
  commit for 3.0.12: http://core.spip.org/projects/spip/repository/revisions/20879

- updates the security screen for possible PHP injection (updates the "Écran de sécurité" to version 1.1.8):
  commit: http://zone.spip.org/trac/spip-zone/changeset/75105/_core_/securite/ecran_securite.php

References:
- http://bugs.debian.org/729172
- http://www.spip.net/fr_article5646.html (2.1.24; French)
- http://www.spip.net/fr_article5648.html (3.0.12; French)

Regards,
Salvatore