SPIP: Cross-site scripting fixed in new upstream release

Related Vulnerabilities: CVE-2012-2151  

Debian Bug report logs - #672961


Package: spip; Maintainer for spip is David Prévot <taffit@debian.org>; Source for spip is src:spip.

Reported by: David Prévot <taffit@debian.org>

Date: Mon, 14 May 2012 23:21:02 UTC

Severity: grave

Tags: security, upstream

Found in versions spip/2.1.1-3squeeze3, spip/2.1.13-1

Fixed in versions spip/2.1.14-1, spip/2.1.1-3squeeze4

Done: David Prévot <taffit@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, SPIP packaging team <spip-maintainers@lists.alioth.debian.org>:
Bug#672961; Package spip. (Mon, 14 May 2012 23:21:04 GMT)


Acknowledgement sent to David Prévot <taffit@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, SPIP packaging team <spip-maintainers@lists.alioth.debian.org>. (Mon, 14 May 2012 23:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: SPIP: Cross-site scripting fixed in new upstream release
Date: Mon, 14 May 2012 19:19:28 -0400
Package: spip
Version: 2.1.13-1
Severity: grave
Tags: security upstream


Hi,

Upstream just released a new version, fixing two cross-site scripting
vulnerabilities.

The stable security update is ready [rt.debian.org #3837].

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages spip depends on:
ii  apache2                2.4.2-1
ii  apache2-bin [httpd]    2.4.2-1
ii  cherokee [httpd]       1.2.101-1
ii  debconf [debconf-2.0]  1.5.43
ii  fonts-dustin           20030517-9
ii  libjs-jquery           1.7.2-1
ii  libjs-jquery-cookie    5-1
ii  libjs-jquery-form      5-1
ii  php-html-safe          0.10.1-1
ii  php5                   5.4.3-1
ii  php5-mysql             5.4.3-1

Versions of packages spip recommends:
ii  imagemagick   8:6.7.4.0-5
ii  mysql-server  5.5.23-2
ii  netpbm        2:10.0-15+b1

spip suggests no packages.

-- debconf information excluded





Marked as found in versions spip/2.1.1-3squeeze3. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Tue, 15 May 2012 00:51:06 GMT)


Reply sent to David Prévot <taffit@debian.org>:
You have taken responsibility. (Tue, 15 May 2012 03:00:06 GMT)


Notification sent to David Prévot <taffit@debian.org>:
Bug acknowledged by developer. (Tue, 15 May 2012 03:00:07 GMT)


Message #12 received at 672961-close@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: 672961-close@bugs.debian.org
Subject: Bug#672961: fixed in spip 2.1.14-1
Date: Tue, 15 May 2012 02:56:32 +0000
Source: spip
Source-Version: 2.1.14-1

We believe that the bug you reported is fixed in the latest version of
spip, which is due to be installed in the Debian FTP archive:

spip_2.1.14-1.debian.tar.gz
  to main/s/spip/spip_2.1.14-1.debian.tar.gz
spip_2.1.14-1.dsc
  to main/s/spip/spip_2.1.14-1.dsc
spip_2.1.14-1_all.deb
  to main/s/spip/spip_2.1.14-1_all.deb
spip_2.1.14.orig.tar.gz
  to main/s/spip/spip_2.1.14.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 672961@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated spip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 14 May 2012 21:12:03 -0400
Source: spip
Binary: spip
Architecture: source all
Version: 2.1.14-1
Distribution: unstable
Urgency: low
Maintainer: SPIP packaging team <spip-maintainers@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description: 
 spip       - website engine for publishing
Closes: 672961
Changes: 
 spip (2.1.14-1) unstable; urgency=low
 .
   * New upstream version, fixes cross site scripting.
   Closes: #672961
   * Update security screen file to 1.1.0.
   * Add CVE number to previous entry (#671264 related).
Checksums-Sha1: 
 3de79f5facb6010d75f3583652d9bc14dfe98d7e 1897 spip_2.1.14-1.dsc
 4220cd013dbb1807c18e6361386472d8575baf84 3942709 spip_2.1.14.orig.tar.gz
 5f79442fb681916f8ac302fcd33a3124a0068455 59523 spip_2.1.14-1.debian.tar.gz
 061c73060a6d7d835cde5af1ff41b74e6fe4d248 3866950 spip_2.1.14-1_all.deb
Checksums-Sha256: 
 4b6ec5fd431edfa76a5686b3e1b531b57a94335438aa71486a3fcd218da4a365 1897 spip_2.1.14-1.dsc
 ca988175cebfc49b6771f7a1e430f665c77619afcf381c7d432e37869d01a5bc 3942709 spip_2.1.14.orig.tar.gz
 4d5f639259d12d9fc86501a2685f4fee7bf563d1cbac5a0d2c4b69231cae9f41 59523 spip_2.1.14-1.debian.tar.gz
 ae9134a667b5e94c113f1f1bc853103faebe46b88ed738750920b861097eed0d 3866950 spip_2.1.14-1_all.deb
Files: 
 8cfdb402c6e1edcddb7487902d2ebc4d 1897 web extra spip_2.1.14-1.dsc
 0069dca77773381bcf345fbe23d5b8c2 3942709 web extra spip_2.1.14.orig.tar.gz
 ea5e4cbcc8d4aa7e51ed1df5cac60dc5 59523 web extra spip_2.1.14-1.debian.tar.gz
 dbc80facf700463417d75ec8303c217c 3866950 web extra spip_2.1.14-1_all.deb






Reply sent to David Prévot <taffit@debian.org>:
You have taken responsibility. (Sun, 29 Jul 2012 18:03:10 GMT)


Notification sent to David Prévot <taffit@debian.org>:
Bug acknowledged by developer. (Sun, 29 Jul 2012 18:03:10 GMT)


Message #17 received at 672961-close@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: 672961-close@bugs.debian.org
Subject: Bug#672961: fixed in spip 2.1.1-3squeeze4
Date: Sun, 29 Jul 2012 18:02:08 +0000
Source: spip
Source-Version: 2.1.1-3squeeze4

We believe that the bug you reported is fixed in the latest version of
spip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 672961@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated spip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 28 Jul 2012 15:54:52 -0400
Source: spip
Binary: spip
Architecture: source all
Version: 2.1.1-3squeeze4
Distribution: stable
Urgency: low
Maintainer: SPIP packaging team <spip-maintainers@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description: 
 spip       - website engine for publishing
Closes: 672961 677290 680118
Changes: 
 spip (2.1.1-3squeeze4) stable; urgency=low
 .
   * Updated security screen to 1.1.3. Prevent cross site scripting on referer
     (addresses missing bits of [CVE-2012-2151]), cross site scripting and PHP
     injections in internal functions. Closes: #680118
   * Backport patch from 2.1.14:
     - fix XSS on password. Closes: #672961
   * Backport patch from 2.1.15:
     - fix XSS injection in variable name. Closes: #677290
Checksums-Sha1: 
 9e5f754d0dc4822f06262f8491f23d748440116f 1770 spip_2.1.1-3squeeze4.dsc
 f3eb62944eab419f85167956fcbcc0766376d26c 22669 spip_2.1.1-3squeeze4.diff.gz
 1a3c170dc26667c192deee95df2ae0951519a510 3864040 spip_2.1.1-3squeeze4_all.deb
Checksums-Sha256: 
 a00c7a7bfe751c1d36853b5948f365f9b75757226c62d5e83859c2070d79b711 1770 spip_2.1.1-3squeeze4.dsc
 ad592921f732f5aa48e6bdb0a8bb6b8110a03b26aa6a233268a443652d2ec4c0 22669 spip_2.1.1-3squeeze4.diff.gz
 41feb52e53643b905589d0faa0ef5da552bb6056e5eecd8d1197e58e8ee15a59 3864040 spip_2.1.1-3squeeze4_all.deb
Files: 
 5423d34d8bf7ec48ffc955207ab5559b 1770 web extra spip_2.1.1-3squeeze4.dsc
 643a60e5300649db2c43a673518db812 22669 web extra spip_2.1.1-3squeeze4.diff.gz
 07e6df4d0e7207d47dce999e6cb65766 3864040 web extra spip_2.1.1-3squeeze4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQFExMAAoJELgqIXr9/gny7DEQAL01EGe+2e19rb8wh6I7Kpil
pB5sFgJtvIRlFD/Hd68grrd5//09eMmwlmIZjlVYwbHF3splGlc+2vSyWxBwqjOp
HsnJrdWIhoaJ+mbgyrZCzjERHAwiNSEzgaT1Vb1bx6NUuUaTvgvb1s67IlEtFM+U
N3tGr+wXaNlrBesX5BDm5OBNv8WY1vatoJJBa5fI+NTqL2MQWNYwliTVW87j13Y9
AyECbB88tcHm0FiN7hU3ulN/5JCgpv5av9PKYRj5D9DdW4KOGgMMwmhsoehXpMHG
RLlAM/nrBqMyJygccQiqezkaqSuya2Tj0/rKXVlfv0YhYCpQjI7k/JF7rGd6LHRl
K+LHYOKvyYiz6LYqeSJapGdNYvYZ6y7AyM8Dz1/K1THUhqpOB9qUWXq0aabQ6VEr
CMHjs7JupnoCiZCSiby6XnBr4lxrA2Ax3k0qpgfq5FoS5dWU16kSeg9bs/c/a1CH
09R/qu0SS4zQ3SKYON/9hFUQIJDA/46zZ6HtMkVfV0e4MGREpIGZVGgXNhr4Y3H8
MKSxdW48lkvPqwIOB1iuYFdZGK/xgYT/FZxnSwLKjF89DnC3IcC1lR3MbRSzAl/8
A8u5Q4FzRRJjBOegtHjasCU3nm9V2R9DQc1L9ScHGqiaPmMzcBPfyGJC67iSSYp5
UFrjbLjqV5I7ThXD52BS
=qbSp
-----END PGP SIGNATURE-----
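The stable changelog in the message above lists "cross site scripting on referer" among the fixes. The Referer header is attacker-controlled (any page that links to the site chooses it), so reflecting it into a page is a textbook XSS sink, and the href context adds a trap that escaping alone does not close: a javascript: URL contains no markup characters and survives HTML escaping intact. The Python below is an added illustration of that bug class; it is not SPIP's code and says nothing about how SPIP's own referer handling worked. The function names, the host allowlist and the sample header values are this example's own assumptions.

```python
"""Referer reflected into a 'back' link: the vulnerable pattern beside a
hardened one. Added example, not SPIP code; the functions, the
allowed-host set and the sample headers are this example's assumptions."""
import html
from urllib.parse import urlsplit

# Constructed sample Referer values, not captured from any real deployment.
SAMPLE_REFERERS = [
    "https://example.org/articles/42",
    'https://example.org/search?q="><script>alert(1)</script>',
    "javascript:alert(document.cookie)",
    "https://attacker.example/phish",
    "https://example.org@attacker.example/",
    "",
]

ALLOWED_HOSTS = {"example.org"}


def back_link_unsafe(referer):
    """The vulnerable pattern: the header goes into markup unescaped."""
    return '<a href="' + referer + '">Back</a>'


def safe_back_url(referer, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Allow only http(s) URLs that point at one of our own hosts.

    Escaping is not enough for an href: 'javascript:alert(1)' has no
    markup characters, passes html.escape() unchanged and still runs
    when clicked. Validate scheme and host first, then escape."""
    if not referer:
        return default
    try:
        parts = urlsplit(referer)
    except ValueError:          # e.g. malformed IPv6 bracket in the netloc
        return default
    if parts.scheme not in ("http", "https"):
        return default
    # hostname, not netloc: 'https://example.org@attacker.example/' has
    # our name in the userinfo but actually points at attacker.example.
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return default          # also closes the open-redirect path
    return referer


def back_link_safe(referer, allowed_hosts=ALLOWED_HOSTS):
    """Validate the URL, then escape it for the attribute context."""
    url = safe_back_url(referer, allowed_hosts)
    return '<a href="' + html.escape(url, quote=True) + '">Back</a>'


def demo():
    """Render every sample both ways; returns (referer, unsafe, safe) triples."""
    return [(r, back_link_unsafe(r), back_link_safe(r)) for r in SAMPLE_REFERERS]


if __name__ == "__main__":
    for referer, unsafe, safe in demo():
        print(repr(referer))
        print("  unsafe:", unsafe)
        print("  safe:  ", safe)
```

The order matters: validate the URL as a URL, then escape the result for the exact context it lands in (here a double-quoted attribute). Doing only the second step keeps `<script>` out of the page but still lets a javascript: link through; doing only the first still lets a quote in the query string break out of the attribute.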




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Sep 2012 07:30:12 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:17:27 2019; Machine Name: buxtehude
