oss-sec mailing list archives

CVE Request: multiple vulnerabilities in spip


From: Salvatore Bonaccorso <carnil () debian org>
Date: Sun, 10 Nov 2013 07:23:36 +0100

Hi

(Cc'ing David Prévot, maintainer in Debian for the spip package; I'm
not a native French speaker, so he might help get it right)

Upstream for SPIP, a website engine for publishing, fixed the following
issues in their upstream release 2.1.24 (and 3.0.12):

 - cross-site request forgery on logout. The patch adds a confirmation
   button when logging out.
   commit for 2.1.24: http://core.spip.org/projects/spip/repository/revisions/20874
   3.0.x did not contain the fix, and is probably not affected (David
   can you confirm?)

 - cross-site scripting on author page:
   commit for 2.1.24: http://core.spip.org/projects/spip/repository/revisions/20880
   commit for 3.0.12: http://core.spip.org/projects/spip/repository/revisions/20879

 - updates the security screen for possible php injection (updates the
   "Écran de sécurité" to version 1.1.8):

   commit: http://zone.spip.org/trac/spip-zone/changeset/75105/_core_/securite/ecran_securite.php

References:
 - http://bugs.debian.org/729172
 - http://www.spip.net/fr_article5646.html (2.1.24; French)
 - http://www.spip.net/fr_article5648.html (3.0.12; French)

Regards,
Salvatore
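As an added illustration of the first item above (the logout CSRF and its confirmation-button fix), here is a minimal PHP logout endpoint written for this page, not SPIP's own code: the weak pattern ends the session on any GET, while the hardened pattern renders a confirmation form on GET and only destroys the session on a POST carrying a per-session token. The file name `logout.php` and the field name `csrf_logout` are assumptions.

```php
<?php
// Added example, not SPIP code: CSRF-safe logout beside the weak pattern.
session_start();

// Weak pattern: any GET to ?action=logout ends the session, so a page on
// another site (an <img> tag or a plain link) can log the visitor out.
function logout_on_get_weak(): void
{
    if (($_GET['action'] ?? '') === 'logout') {
        session_destroy();
    }
}

// Hardened pattern, step 1: a token tied to the current session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_logout'])) {
        $_SESSION['csrf_logout'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_logout'];
}

// Step 2: a GET only shows the confirmation form (the "button" the fix adds).
function logout_confirm_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="logout.php">'          // assumed path
         . '<input type="hidden" name="csrf_logout" value="' . $token . '">'
         . '<button type="submit">Confirm logout</button></form>';
}

// Step 3: only an explicit POST with the matching token ends the session.
function logout_on_post_hardened(): bool
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;                           // never act on a GET
    }
    $sent     = (string) ($_POST['csrf_logout'] ?? '');
    $expected = (string) ($_SESSION['csrf_logout'] ?? '');
    if ($expected === '' || !hash_equals($expected, $sent)) {
        return false;                           // missing or wrong token
    }
    $_SESSION = [];
    session_destroy();
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo logout_on_post_hardened() ? 'Logged out.' : 'Logout request rejected.';
} else {
    echo logout_confirm_form();
}
```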
