spip: Input validation vulnerability in SPIP Spip_RSS.PHP

Related Vulnerabilities: CVE-2006-0625  

Debian Bug report logs - #352076

Package: spip; Maintainer for spip is David Prévot <taffit@debian.org>; Source for spip is src:spip.

Reported by: Micah Anderson <micah@debian.org>

Date: Thu, 9 Feb 2006 16:04:02 UTC

Severity: normal

Done: Martin Michlmayr <tbm@cyrius.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Gaetan RYCKEBOER <gryckeboer@virtual-net.fr>:
Bug#352076; Package spip.


Acknowledgement sent to Micah Anderson <micah@debian.org>:
New Bug report received and forwarded. Copy sent to Gaetan RYCKEBOER <gryckeboer@virtual-net.fr>.


Message #5 received at submit@bugs.debian.org:

From: Micah Anderson <micah@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: spip: Input validation vulnerability in SPIP Spip_RSS.PHP
Date: Thu, 09 Feb 2006 11:03:01 -0500
Package: spip
Severity: normal

Some more SPIP vulnerabilities released today, fresh with zero-day
exploits!

http://www.securityfocus.com/bid/16556

SPIP is prone to a remote command-execution vulnerability. This is due
to a lack of proper sanitization of user-supplied input.

An attacker can exploit this issue to execute arbitrary remote PHP
commands on an affected computer with the privileges of the webserver
process.

Successful exploitation could facilitate unauthorized access; other
attacks are also possible.

Version 1.8.2g and earlier are vulnerable; other versions may also be
affected.

CVE ID being requested.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)



Information forwarded to debian-bugs-dist@lists.debian.org, Gaetan RYCKEBOER <gryckeboer@virtual-net.fr>:
Bug#352076; Package spip.


Acknowledgement sent to Micah Anderson <micah@debian.org>:
Extra info received and forwarded to list. Copy sent to Gaetan RYCKEBOER <gryckeboer@virtual-net.fr>.


Message #10 received at 352076@bugs.debian.org:

From: Micah Anderson <micah@debian.org>
To: 352076@bugs.debian.org
Subject: CVE assigned
Date: Thu, 09 Feb 2006 13:06:46 -0500

This now has CVE id: CVE-2006-0625

Please reference this id in any changelog that fixes this issue.

micah



Reply sent to Martin Michlmayr <tbm@cyrius.com>:
You have taken responsibility.


Notification sent to Micah Anderson <micah@debian.org>:
Bug acknowledged by developer.


Message #15 received at 352076-done@bugs.debian.org:

From: Martin Michlmayr <tbm@cyrius.com>
To: 238564-done@bugs.debian.org, 240339-done@bugs.debian.org, 253242-done@bugs.debian.org, 268923-done@bugs.debian.org, 277249-done@bugs.debian.org, 281118-done@bugs.debian.org, 310116-done@bugs.debian.org, 311702-done@bugs.debian.org, 318701-done@bugs.debian.org, 322343-done@bugs.debian.org, 332100-done@bugs.debian.org, 351334-done@bugs.debian.org, 351335-done@bugs.debian.org, 351336-done@bugs.debian.org, 352076-done@bugs.debian.org, 352077-done@bugs.debian.org, 352078-done@bugs.debian.org
Subject: Removed
Date: Wed, 11 Oct 2006 16:09:36 +0100

spip has been removed because it's buggy, has never been part of a
stable release and has security issues; see #384385

-- 
Martin Michlmayr
http://www.cyrius.com/



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 18:52:52 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:28:04 2019; Machine Name: buxtehude