spip: CVE-2019-11071: arbitrary code execution by any identified visitor

Related Vulnerabilities: CVE-2019-11071  

Debian Bug report logs - #926764


Package: src:spip; Maintainer for src:spip is David Prévot <taffit@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 10 Apr 2019 06:21:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions spip/3.2.3-1, spip/3.1.4-4~deb9u1, spip/3.1.4-4

Fixed in versions spip/3.2.4-1, spip/3.1.4-4~deb9u2

Done: David Prévot <taffit@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, David Prévot <taffit@debian.org>:
Bug#926764; Package src:spip. (Wed, 10 Apr 2019 06:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, David Prévot <taffit@debian.org>. (Wed, 10 Apr 2019 06:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: spip: arbitrary code execution by any identified visitor
Date: Wed, 10 Apr 2019 08:17:35 +0200
Source: spip
Version: 3.2.3-1
Severity: grave
Tags: upstream security fixed-upstream
Control: fixed -1 3.2.4-1
Control: found -1 3.1.4-4~deb9u1
Control: found -1 3.1.4-4

Hi

Filing a bug in Debian BTS to have a tracking reference (ideally
though this will receive a CVE):

https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-1-10-et-SPIP-3-2-4.html?lang=fr

Already fixed in the unstable upload 3.2.4-1.

Regards,
Salvatore



Marked as fixed in versions spip/3.2.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 10 Apr 2019 06:21:04 GMT)


Marked as found in versions spip/3.1.4-4~deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 10 Apr 2019 06:21:05 GMT)


Marked as found in versions spip/3.1.4-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 10 Apr 2019 06:21:05 GMT)


Added tag(s) pending. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Wed, 10 Apr 2019 07:33:03 GMT)


Changed Bug title to 'spip: CVE-2019-11071: arbitrary code execution by any identified visitor' from 'spip: arbitrary code execution by any identified visitor'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 11 Apr 2019 04:33:02 GMT)


Reply sent to David Prévot <taffit@debian.org>:
You have taken responsibility. (Sun, 14 Apr 2019 10:33:21 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 14 Apr 2019 10:33:21 GMT)


Message #20 received at 926764-close@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: 926764-close@bugs.debian.org
Subject: Bug#926764: fixed in spip 3.1.4-4~deb9u2
Date: Sun, 14 Apr 2019 10:32:49 +0000
Source: spip
Source-Version: 3.1.4-4~deb9u2

We believe that the bug you reported is fixed in the latest version of
spip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 926764@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated spip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 10 Apr 2019 16:26:35 +0900
Source: spip
Binary: spip
Architecture: source
Version: 3.1.4-4~deb9u2
Distribution: stretch-security
Urgency: medium
Maintainer: David Prévot <taffit@debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description:
 spip       - website engine for publishing
Closes: 926764
Changes:
 spip (3.1.4-4~deb9u2) stretch-security; urgency=medium
 .
   * Update security screen to 1.3.11
   * Backport security fix from 3.1.10
     - Arbitrary code execution for any identified visitor (Closes: #926764)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 13 May 2019 07:27:34 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:42:03 2019; Machine Name: buxtehude
