Debian Bug report logs - #926764
spip: CVE-2019-11071: arbitrary code execution by any identified visitor
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 10 Apr 2019 06:21:02 UTC
Severity: grave
Tags: fixed-upstream, security, upstream
Found in versions spip/3.2.3-1, spip/3.1.4-4~deb9u1, spip/3.1.4-4
Fixed in versions spip/3.2.4-1, spip/3.1.4-4~deb9u2
Done: David Prévot <taffit@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, David Prévot <taffit@debian.org>: Bug#926764; Package src:spip. (Wed, 10 Apr 2019 06:21:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, David Prévot <taffit@debian.org>. (Wed, 10 Apr 2019 06:21:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: spip
Version: 3.2.3-1
Severity: grave
Tags: upstream security fixed-upstream
Control: fixed -1 3.2.4-1
Control: found -1 3.1.4-4~deb9u1
Control: found -1 3.1.4-4
Hi
Filing a bug in Debian BTS to have a tracking reference (ideally
though this will receive a CVE):
https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-1-10-et-SPIP-3-2-4.html?lang=fr
Already fixed in the unstable upload 3.2.4-1.
Regards,
Salvatore
Marked as fixed in versions spip/3.2.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 10 Apr 2019 06:21:04 GMT)
Marked as found in versions spip/3.1.4-4~deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 10 Apr 2019 06:21:05 GMT)
Marked as found in versions spip/3.1.4-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 10 Apr 2019 06:21:05 GMT)
Added tag(s) pending. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Wed, 10 Apr 2019 07:33:03 GMT)
Changed Bug title to 'spip: CVE-2019-11071: arbitrary code execution by any identified visitor' from 'spip: arbitrary code execution by any identified visitor'.
Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 11 Apr 2019 04:33:02 GMT)
Reply sent to David Prévot <taffit@debian.org>: You have taken responsibility. (Sun, 14 Apr 2019 10:33:21 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 14 Apr 2019 10:33:21 GMT)
Message #20 received at 926764-close@bugs.debian.org:
Source: spip
Source-Version: 3.1.4-4~deb9u2
We believe that the bug you reported is fixed in the latest version of
spip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 926764@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated spip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 10 Apr 2019 16:26:35 +0900
Source: spip
Binary: spip
Architecture: source
Version: 3.1.4-4~deb9u2
Distribution: stretch-security
Urgency: medium
Maintainer: David Prévot <taffit@debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description:
spip - website engine for publishing
Closes: 926764
Changes:
spip (3.1.4-4~deb9u2) stretch-security; urgency=medium
.
* Update security screen to 1.3.11
* Backport security fix from 3.1.10
- Arbitrary code execution for any identified visitor (Closes: #926764)
Checksums-Sha1:
Checksums-Sha256:
Files:
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 13 May 2019 07:27:34 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:42:03 2019; Machine Name: buxtehude