oss-sec mailing list archives
Re: CVE Request: multiple vulnerabilities in spip
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 10 Nov 2013 14:57:28 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/09/2013 11:23 PM, Salvatore Bonaccorso wrote:
Hi (Cc'ing David Prévot, maintainer in Debian for the spip package; I'm not a native french speaker, so he might help get it right) Upstream for SPIP, a website engine for publishing fixed the following issues in their upstream release for 2.1.24 (and 3.0.12): - cross-site request forgery on logout. The patch adds a confirmation button when loggin out. commit for 2.1.24: http://core.spip.org/projects/spip/repository/revisions/20874 3.0.x did not contain the fix, and is probably not affected (David can you confirm?)
Please use CVE-2013-4555 for this issue.
- cross-site scripting on author page: commit for 2.1.24: http://core.spip.org/projects/spip/repository/revisions/20880 commit for 3.0.12: http://core.spip.org/projects/spip/repository/revisions/20879
Please use CVE-2013-4556 for this issue.
- updates the security screen for possible php injection (updates the "Écran de sécurité" to version 1.1.8):
Please use CVE-2013-4557 for this issue.
commit: http://zone.spip.org/trac/spip-zone/changeset/75105/_core_/securite/ecran_securite.php References: - http://bugs.debian.org/729172 - http://www.spip.net/fr_article5646.html (2.1.24; french) - http://www.spip.net/fr_article5648.html (3.0.12; french) Regards, Salvatore
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBAgAGBQJSgAFIAAoJEBYNRVNeJnmTbegP/inqTKv35N6MyneLUfUNvI7F ktuVni1nFhFH8Hd3xGdaoVtgw5CtuFWbf9B3e1IuOsD7FkGCrU7MD1UUy1f7CkN2 xLOcbKsBbaKxyEJuAds/7xYYJkbgH/VqAdsMoCZQY0icZrk7poSWjGDd0K4jVDFT tfN5Et4hRAdNMN8eH+fEk+XlPoq88UoMIBD8BI4NJsMLhCV2uEDk23JDNIbuc+M5 DTKfosgeVr2l1b38Sg5D0vvfBM1fk8QUJ90/QII8TTMv5sStJXzXW6nbB9Qw2IvD j8ViDHM3x3cy81zlAQTxlsdAVocRvlFL1NKSStbhif1daH22YZy6osFW58QWVOjq aX6erQ2Ww5s8mfhL5ROUIoo75RNt+LErInit6/r/X4j8xdKoNnktilHuIc+deyb3 Km5Odv0nLtetFJrVKcf40lUD+gn3on+GcojCmqw2irFk1OtuG4LKnDWm+Fvbjlmu qD6Z5YJZhpqcUaXsyVrCTZkJ0ugJVQ78w4sIM7DSlBP4rUtYj84VnTAOBXYe5PVM 4DFqhqXFuPkGZqfdVv0seXzNef9qfEiEmWbCRIFFAhIwUwlZIJAtN0Y9J1CZpfqo LZHDuV7RZhI5p3jrhsWHsnvvPS7uKcKKcmcWp/1g0/gBl+6IKpDQGlwaHHSxc/Ap l8mnW+4LVbX8tPnsDTT3 =ZPDs -----END PGP SIGNATURE-----
Current thread:
- CVE Request: multiple vulnerabilities in spip Salvatore Bonaccorso (Nov 09)
- Re: CVE Request: multiple vulnerabilities in spip David Prévot (Nov 10)
- Re: CVE Request: multiple vulnerabilities in spip Kurt Seifried (Nov 10)