Debian Bug report logs -
#879954
spip: CVE-2017-15736
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 27 Oct 2017 15:27:02 UTC
Severity: important
Tags: fixed-upstream, patch, security, upstream
Found in version spip/3.1.4-1
Fixed in versions spip/3.1.4-4, spip/3.1.4-4~deb9u1
Done: David Prévot <taffit@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, SPIP packaging team <spip-maintainers@lists.alioth.debian.org>:
Bug#879954; Package src:spip.
(Fri, 27 Oct 2017 15:27:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, SPIP packaging team <spip-maintainers@lists.alioth.debian.org>.
(Fri, 27 Oct 2017 15:27:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: spip
Version: 3.1.4-1
Severity: important
Tags: patch security upstream fixed-upstream
Hi,
the following vulnerability was published for spip.
CVE-2017-15736[0]:
| Cross-site scripting (XSS) vulnerability (stored) in SPIP before 3.1.7
| allows remote attackers to inject arbitrary web script or HTML via a
| crafted string, as demonstrated by a PGP field, related to
| prive/objets/contenu/auteur.html and ecrire/inc/texte_mini.php.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-15736
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15736
[1] https://core.spip.net/projects/spip/repository/revisions/23701
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Added tag(s) pending.
Request was from David Prévot <taffit@debian.org>
to control@bugs.debian.org.
(Mon, 11 Jun 2018 01:45:04 GMT) (full text, mbox, link).
Reply sent
to David Prévot <taffit@debian.org>:
You have taken responsibility.
(Mon, 11 Jun 2018 04:09:08 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 11 Jun 2018 04:09:08 GMT) (full text, mbox, link).
Message #12 received at 879954-close@bugs.debian.org (full text, mbox, reply):
Source: spip
Source-Version: 3.1.4-4
We believe that the bug you reported is fixed in the latest version of
spip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 879954@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated spip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 10 Jun 2018 14:57:12 -1000
Source: spip
Binary: spip
Architecture: source
Version: 3.1.4-4
Distribution: unstable
Urgency: medium
Maintainer: David Prévot <taffit@debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description:
spip - website engine for publishing
Closes: 879954 899895
Changes:
spip (3.1.4-4) unstable; urgency=medium
.
* Update security screen to 1.3.6
* Backport security fixes from 3.1.7
- Do not disclose PHP version in headers
- Secure inserted URL in anchors
- Secure URLs sent by self()
- Escape charset in error message
- Allow filter mode to be passed in interdire_scripts()
- No onclick nor JS popup in footer
- Fix missing escapes
- Secure _T() and _L() arguments
- Provide a sanitize option for _T() and _L()
- Deactivate sanitization when calling _T() in affdate_debut_fin() that
uses secured data
- Cross-site scripting (XSS) vulnerability [CVE-2017-15736]
(Closes: #879954)
- [Privacy] add rel attribute (noopener noreferrer) in private footer
* Backport security fix from 3.1.8
- PHP injection via XML file
* Drop dead list from Maintainer (and Romain from Uploaders) (Closes: #899895)
* Move project repository to salsa.d.o
Checksums-Sha1:
e8476560faafff2f6e8a7a98621137256169443a 1452 spip_3.1.4-4.dsc
ac7dbf7550dab269d1c7b0f48f3bb255aebdce81 88484 spip_3.1.4-4.debian.tar.xz
Checksums-Sha256:
984cfbecc3ca82667e8c8dbbbabd78b4275a3a606e40408bf8116b25bc34c2ac 1452 spip_3.1.4-4.dsc
aa4de988ca7a0e217514b5e5778320c4868d6b2124d6caafb409d7bc1e00de60 88484 spip_3.1.4-4.debian.tar.xz
Files:
cb5f2ae320b34ecd759bdfd17e8f792f 1452 web extra spip_3.1.4-4.dsc
ab0971c9c6da84b585b409b13e88b7dd 88484 web extra spip_3.1.4-4.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAlsd4gQACgkQBYwc+UT2
vTwyIgf/VOIdJWalCFB35b9OrS8HzTBc4kFmkJjKCEotlIHswDo2ZjE6YmUSEFoK
iXn1P58BKhrfVPO9scI3QrmHB9EUZmNdaVcguYmHDQ7gRxlmEmqGHzj63tgkmEYo
qSgngIb2cfZ3dHU14LeUQh9Jeo8Bj2wdv+0X6oSoZaNvkR9eJdcOLZB4f+z9UTKE
NskSWirz1k25EOi/VINGFlwQPZ14gvaI6kb63VmNHq1SOAUvhgsaiHw1icpY6dje
gFsTbWlRP9LQi/V3Xt7Oa/fEvphmqvPY6RXxnWAeBvBtj0IcFm2BiaGAx2RibBK9
I8kQLgTv8xL4gPiERs47a+Oa5lC3dA==
=SdgD
-----END PGP SIGNATURE-----
Reply sent
to David Prévot <taffit@debian.org>:
You have taken responsibility.
(Thu, 14 Jun 2018 19:21:22 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Thu, 14 Jun 2018 19:21:22 GMT) (full text, mbox, link).
Message #17 received at 879954-close@bugs.debian.org (full text, mbox, reply):
Source: spip
Source-Version: 3.1.4-4~deb9u1
We believe that the bug you reported is fixed in the latest version of
spip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 879954@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated spip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 10 Jun 2018 16:49:16 -1000
Source: spip
Binary: spip
Architecture: source
Version: 3.1.4-4~deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: David Prévot <taffit@debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description:
spip - website engine for publishing
Closes: 879954 899895
Changes:
spip (3.1.4-4~deb9u1) stretch-security; urgency=medium
.
* Upload previous fixes to stretch
.
spip (3.1.4-4) unstable; urgency=medium
.
* Update security screen to 1.3.6
* Backport security fixes from 3.1.7
- Do not disclose PHP version in headers
- Secure inserted URL in anchors
- Secure URLs sent by self()
- Escape charset in error message
- Allow filter mode to be passed in interdire_scripts()
- No onclick nor JS popup in footer
- Fix missing escapes
- Secure _T() and _L() arguments
- Provide a sanitize option for _T() and _L()
- Deactivate sanitization when calling _T() in affdate_debut_fin() that
uses secured data
- Cross-site scripting (XSS) vulnerability [CVE-2017-15736]
(Closes: #879954)
- [Privacy] add rel attribute (noopener noreferrer) in private footer
* Backport security fix from 3.1.8
- PHP injection via XML file
* Drop dead list from Maintainer (and Romain from Uploaders) (Closes: #899895)
* Move project repository to salsa.d.o
Checksums-Sha1:
bb22b2633453d4bb8e91cb13bbb652f44415c50d 1480 spip_3.1.4-4~deb9u1.dsc
5c11a4ba509364298fda7e5e6838c7caead8d091 5848656 spip_3.1.4.orig.tar.xz
85fd2d0dac340e8b9feedac3c53036fb05600462 88460 spip_3.1.4-4~deb9u1.debian.tar.xz
Checksums-Sha256:
8633d5beffa305fdf4a20f20df767cb8fb2d587454be81cb92636a6102249c22 1480 spip_3.1.4-4~deb9u1.dsc
884778eca338242da714641727b9acaa8ec10a5aefeefc1dbe1d38ad379d8318 5848656 spip_3.1.4.orig.tar.xz
d45d7a71803f7a5b179b520ddb3e169246b2864b030c811472345652f07575c1 88460 spip_3.1.4-4~deb9u1.debian.tar.xz
Files:
a6fc51716e258056fd9c36d25d3303b2 1480 web extra spip_3.1.4-4~deb9u1.dsc
773ba92d20896200e8301361cbc814f6 5848656 web extra spip_3.1.4.orig.tar.xz
d2928a3072640d2d63c5ac10b73c3569 88460 web extra spip_3.1.4-4~deb9u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAlsheb8ACgkQBYwc+UT2
vTxUogf+Kmh45JepKN+aDusyW5icoRp8yK6bRDQkvS/10obRvJ+UBJ05B/q3LQFh
IKFXm1UsabTgEUbwcAoVTsxkH5WzCrCn9BKFIA1YDUCWIDbXeR6lOI5Hk17t/gCa
R+ELYiVt4opDdkgvZwMbpEW31yESUpSDeBX9E7QwDrqu+3/hY/IcF7UvMK5SOQCw
gqRNHYRZQgaaSRqj9ADmCZly7w6neAES2OOSO/zhQh0VgEJ9F47B0S+rqMSPbXUi
GF+lYX09vIqqwt+OpFZSE5zSWxv7aqePZ2mpjo3UTZlx1bVGqimTsV+BuMDfSGTg
YlW+LC8WIWLhC+FIJfAGwXzWUbajQA==
=cMgG
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 14 Jul 2018 07:26:17 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:43:06 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon