Debian Bug report logs - #736170
CVE-2013-7303: XSS on author


Package: spip; Maintainer for spip is David Prévot <taffit@debian.org>; Source for spip is src:spip.

Reported by: David Prévot <taffit@debian.org>

Date: Mon, 20 Jan 2014 17:39:01 UTC

Severity: important

Tags: patch, security, upstream

Fixed in versions spip/3.0.13-1, spip/2.1.17-1+deb7u3, spip/2.1.1-3squeeze8

Done: David Prévot <taffit@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, SPIP packaging team <spip-maintainers@lists.alioth.debian.org>:
Bug#736170; Package spip. (Mon, 20 Jan 2014 17:39:05 GMT)


Acknowledgement sent to David Prévot <taffit@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, SPIP packaging team <spip-maintainers@lists.alioth.debian.org>. (Mon, 20 Jan 2014 17:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2013-7303: XSS on author
Date: Mon, 20 Jan 2014 13:35:17 -0400
Package: spip
Severity: important
Tags: security patch upstream
Control: fixed -1 3.0.13-1

Hi,

A minor security issue has just been fixed upstream in the 2.1 branch,
and is already fixed in Sid and Jessie. After a quick exchange with the
security team (RT#4911), we agreed it’s not worth a DSA (so I’ll request
two pu shortly).

Regards

David

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (110, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-rt-amd64 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages spip depends on:
ii  apache2                2.4.7-1
ii  apache2-bin [httpd]    2.4.7-1
ii  debconf [debconf-2.0]  1.5.52
ii  fonts-dustin           20030517-10
ii  libjs-excanvas         0.r3-3
ii  libjs-ie7              2.1~beta4-1
ii  libjs-jquery           1.7.2+dfsg-3
ii  libjs-jquery-cookie    8-2
ii  libjs-jquery-flot      0.8.1+dfsg-2
ii  libjs-jquery-form      8-2
ii  libjs-jquery-ui        1.10.1+dfsg-1
ii  libphp-pclzip          2.8.2-2
ii  php-html-safe          0.10.1-2
ii  php-xml-htmlsax3       3.0.0+really3.0.0-1
ii  php5                   5.5.8+dfsg-2
ii  php5-mysql             5.5.8+dfsg-2
ii  w3c-dtd-xhtml          1.2-4

Versions of packages spip recommends:
ii  imagemagick   8:6.7.7.10-7
ii  mysql-server  5.5.35+dfsg-1
ii  netpbm        2:10.0-15+b2
ii  php5-sqlite   5.5.8+dfsg-2

spip suggests no packages.

-- debconf information excluded

Marked as fixed in versions spip/3.0.13-1. Request was from David Prévot <taffit@debian.org> to submit@bugs.debian.org. (Mon, 20 Jan 2014 17:39:06 GMT)


Reply sent to David Prévot <taffit@debian.org>:
You have taken responsibility. (Tue, 21 Jan 2014 22:18:22 GMT)


Notification sent to David Prévot <taffit@debian.org>:
Bug acknowledged by developer. (Tue, 21 Jan 2014 22:18:22 GMT)


Message #12 received at 736170-close@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: 736170-close@bugs.debian.org
Subject: Bug#736170: fixed in spip 2.1.17-1+deb7u3
Date: Tue, 21 Jan 2014 22:17:05 +0000
Source: spip
Source-Version: 2.1.17-1+deb7u3

We believe that the bug you reported is fixed in the latest version of
spip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 736170@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated spip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 20 Jan 2014 14:36:37 -0400
Source: spip
Binary: spip
Architecture: source all
Version: 2.1.17-1+deb7u3
Distribution: wheezy
Urgency: medium
Maintainer: SPIP packaging team <spip-maintainers@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description: 
 spip       - website engine for publishing
Closes: 736170
Changes: 
 spip (2.1.17-1+deb7u3) wheezy; urgency=medium
 .
   * Document fixed #729172
   * Document CVE in previous changelog entries
   * Fix XSS on signature from author [CVE-2013-7303] (Closes: #736170)
Checksums-Sha1: 
 98ef279ea335dc59d57d131d895476c783f5ffd0 1562 spip_2.1.17-1+deb7u3.dsc
 89e02c2597ee341c990b3f422e9507bfed37b7fe 65412 spip_2.1.17-1+deb7u3.debian.tar.gz
 37e0c01ed80eee52733e28669619fd776574fe1a 3875562 spip_2.1.17-1+deb7u3_all.deb
Checksums-Sha256: 
 b012684d548bb7504dbdd208b403d6f7e3525bf062ec34abedc8fd0bbfd8fabc 1562 spip_2.1.17-1+deb7u3.dsc
 9ea72c0476a81bdb8d1c987ab0c027a87b56c0818655fe1adca14aa45e17414d 65412 spip_2.1.17-1+deb7u3.debian.tar.gz
 ab3cb786234015c807eff3fff5ed58f679d31ece40ec55444a65894c88a458ea 3875562 spip_2.1.17-1+deb7u3_all.deb
Files: 
 4526ba3d6c1fe7d62779963ba6c3cd8d 1562 web extra spip_2.1.17-1+deb7u3.dsc
 a52e2ce3055dce5553bed0a3fe6a439b 65412 web extra spip_2.1.17-1+deb7u3.debian.tar.gz
 5cdfbe6894b203e9bb72debd69b942a9 3875562 web extra spip_2.1.17-1+deb7u3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJS3W5rAAoJEAWMHPlE9r08svsH/0m0Hh8i3mSubU585/9+YgHc
xM77tfJgA4x0aN7mq2KpdzFPYSTSdxmt6PxQ57/2XazRwfGnSQ9Cxsyl0b2OtWOt
WfIN6y42CnIkfuh5SxFaEOHPE5acUwQlUs0U89Evtxm64yY2BWpFHEtGlPdNkWUE
LjROt+oMyqeIABIBoFMlrk1XF9BodadoddN1meNccyv94gwC2BomafVKX97RJzAg
7sTWEpQ9iwHLs8syDHGXtyGd1tw21AHKhhA/4SchLiP7NQhuac80hfZB+OpvehQu
Fcqxlzpgm3KRQ8amkklbck9caX6wmw6BM+YS2NqMM3o9tnIYZnlxy2X9TeweJlk=
=U7pA
-----END PGP SIGNATURE-----




Reply sent to David Prévot <taffit@debian.org>:
You have taken responsibility. (Tue, 21 Jan 2014 22:18:26 GMT)


Notification sent to David Prévot <taffit@debian.org>:
Bug acknowledged by developer. (Tue, 21 Jan 2014 22:18:26 GMT)


Message #17 received at 736170-close@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: 736170-close@bugs.debian.org
Subject: Bug#736170: fixed in spip 2.1.1-3squeeze8
Date: Tue, 21 Jan 2014 22:17:33 +0000
Source: spip
Source-Version: 2.1.1-3squeeze8

We believe that the bug you reported is fixed in the latest version of
spip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 736170@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated spip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 20 Jan 2014 14:42:46 -0400
Source: spip
Binary: spip
Architecture: source all
Version: 2.1.1-3squeeze8
Distribution: squeeze
Urgency: medium
Maintainer: SPIP packaging team <spip-maintainers@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description: 
 spip       - website engine for publishing
Closes: 736170
Changes: 
 spip (2.1.1-3squeeze8) squeeze; urgency=medium
 .
   * Document fixed #729172
   * Document CVE in previous changelog entries
   * Fix XSS on signature from author [CVE-2013-7303] (Closes: #736170)
Checksums-Sha1: 
 74175bde53445074865b101b5e51bf1947678194 1407 spip_2.1.1-3squeeze8.dsc
 91fd4ff729d82c76d60651ca935bbdf6e7e0dc1f 27539 spip_2.1.1-3squeeze8.diff.gz
 058d8f8bde833ab84b0fcd70b4948a73adcbd7f5 3870210 spip_2.1.1-3squeeze8_all.deb
Checksums-Sha256: 
 8c5745c7fc2932cc27ed69ae2c28cf521807c1a558d47a3ae4b6416d554a5b19 1407 spip_2.1.1-3squeeze8.dsc
 077f1b88de1a25a76e22e33b924e397b6eb2f9bb8232ea9975d8de950fa8273d 27539 spip_2.1.1-3squeeze8.diff.gz
 357cdff7d145ca3c88ecd4feffce45e668eeb96cfcdc2826772b968956514a96 3870210 spip_2.1.1-3squeeze8_all.deb
Files: 
 1deb9b8cea7202d83bf63ce8e21e458c 1407 web extra spip_2.1.1-3squeeze8.dsc
 e093a615c68f9658a87556b612dcbc87 27539 web extra spip_2.1.1-3squeeze8.diff.gz
 cdd4c15062dd51a544065d60ab99f9d5 3870210 web extra spip_2.1.1-3squeeze8_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEbBAEBCAAGBQJS3W9CAAoJEAWMHPlE9r08b+sH+PX/VIl/WwXirFdXhHhgSjxq
NLUoJeJAYFOMqKD3ysWFnEzP6Ypav3mj/yygbYNArTOQBar6qx4QclpmVKGo/8QR
9B2xhdZe34zy+viCenjYYHlN1olueh4DDNwEqnB5vnoGhXupncLE2fFvdGq5VLJR
Hd4MJXfVWleH9a+IJ6nQlgNPcU1xaJJ5T7/PiZCa32sbWorhdNAtgl5LI3TzGR/7
gOYJQrR2MVagSp63yF7drkV34e4k/35Jpe6UYoXVXl58wlBts7Z/rX1bworSOG5G
Z1yi+uMwDlt+m6v+lgWIdmCKGe9EtajqAy58tYTAx0DNauEIiSA9mgHYfSBoFw==
=7WlM
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 19 Feb 2014 07:35:53 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:47:01 2019; Machine Name: beach
