Debian Bug report logs - #864921
spip: CVE-2017-9736: remote code execution
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 17 Jun 2017 06:42:02 UTC
Severity: grave
Tags: security, upstream
Found in version spip/3.1.4-2
Fixed in versions spip/3.1.4-3, spip/3.1.4-3~deb9u1
Done: David Prévot <taffit@debian.org>
Bug is archived. No further changes may be made.
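The "Found in" and "Fixed in" lines above are what an operator checks a deployment against, and the fixed versions deliberately differ by suite: 3.1.4-3 for unstable and 3.1.4-3~deb9u1 for stretch-security. In dpkg ordering a "~" sorts before the empty string, so 3.1.4-3~deb9u1 is lower than 3.1.4-3 while carrying the same fix, and a plain string comparison gets such cases wrong. The following is an added example, not code from the bug log, from the spip project or from dpkg: it re-implements dpkg's version comparison (epoch, upstream version, Debian revision; "~" before everything, letters before other punctuation, digit runs compared numerically) in Python so the check runs where dpkg is absent. The version strings it is applied to beyond the two fixed versions and the found version are constructed for illustration.

```python
"""Check an installed spip version against the fixed versions of
Debian bug #864921 (CVE-2017-9736).

Added example, not code from the bug log, the spip project or dpkg.
Re-implements dpkg's version-comparison algorithm in plain Python.
On a Debian host the same answer comes from:

    dpkg --compare-versions "$(dpkg-query -W -f='${Version}' spip)" ge 3.1.4-3~deb9u1
"""

# Versions quoted from the bug header.
FOUND_IN = "3.1.4-2"
FIXED_IN = ("3.1.4-3", "3.1.4-3~deb9u1")


def _is_digit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """Sort weight of one character in a non-digit run (dpkg's order())."""
    if c == "" or _is_digit(c):
        return 0
    if c.isalpha() and c.isascii():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before even the end of the string
    return ord(c) + 256    # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs: character by character, weighted by _order().
        while (i < len(a) and not _is_digit(a[i])) or (j < len(b) and not _is_digit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs: drop leading zeros, then compare numerically.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _is_digit(a[i]) and j < len(b) and _is_digit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _is_digit(a[i]):
            return 1       # a has more digits, so it is the larger number
        if j < len(b) and _is_digit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0 as a is lower than, equal to or higher than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    if r:
        return r
    return _verrevcmp(ra, rb)


def is_fixed(installed: str, fixed=FIXED_IN) -> bool:
    """True if installed is at or above any version the bug is fixed in."""
    return any(compare_versions(installed, f) >= 0 for f in fixed)


if __name__ == "__main__":
    # Constructed samples: the reported version, both fixed versions, and
    # a hypothetical later revision that naive string ordering would rank
    # below 3.1.4-3.
    for v in (FOUND_IN, "3.1.4-3~deb9u1", "3.1.4-3", "3.1.4-10", "3.1.6-1"):
        print(f"{v:16} fixed={is_fixed(v)}")
```

The "at or above any fixed version" rule is a deliberate simplification of the BTS version graph: a hypothetical 3.1.4-2+deb9u1, which would sort below both fixed versions, is correctly reported as unfixed, but a backport of the patch under an unrelated version string would need its own entry in the fixed list.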
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, SPIP packaging team <spip-maintainers@lists.alioth.debian.org>: Bug#864921; Package src:spip. (Sat, 17 Jun 2017 06:42:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, SPIP packaging team <spip-maintainers@lists.alioth.debian.org>. (Sat, 17 Jun 2017 06:42:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: spip
Version: 3.1.4-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: fixed -1 3.1.4-2
As per
https://contrib.spip.net/CRITICAL-security-update-SPIP-3-1-6-and-SPIP-3-2-Beta?var_zapl=non
> A CRITICAL flaw was discovered recently in SPIP, allowing the
> execution of arbitrary code.
>
> It affects SPIP 3.1.x and 3.2 versions (alpha & beta), and impacts all
> websites using these versions.
> SPIP 3.0.x and earlier versions are not affected by this issue.
>
> It is imperative to update your SPIP website as soon as possible.
>
> In the meantime, the security screen version 1.3.2 will block possible
> exploitations of the vulnerability. Updating the security screen
> remains a transitional measure that should not prevent you from
> updating SPIP as soon as possible.
>
> The team thanks Emeric Boit and ANSSI for identifying and reporting
> the issue.
and since there is no CVE to track the issue, filing the bug in the
BTS even though already fixed in unstable.
Regards,
Salvatore
Marked as fixed in versions spip/3.1.4-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 17 Jun 2017 06:42:04 GMT)
No longer marked as fixed in versions spip/3.1.4-2. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Sat, 17 Jun 2017 10:03:05 GMT)
Marked as fixed in versions spip/3.1.4-3. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Sat, 17 Jun 2017 10:03:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, SPIP packaging team <spip-maintainers@lists.alioth.debian.org>: Bug#864921; Package src:spip. (Sat, 17 Jun 2017 15:24:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to SPIP packaging team <spip-maintainers@lists.alioth.debian.org>. (Sat, 17 Jun 2017 15:24:02 GMT)
Message #16 received at 864921@bugs.debian.org:
Control: retitle -1 spip: CVE-2017-9736: remote code execution
On Sat, Jun 17, 2017 at 08:39:10AM +0200, Salvatore Bonaccorso wrote:
> Source: spip
> Version: 3.1.4-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Control: fixed -1 3.1.4-2
>
> As per
>
> https://contrib.spip.net/CRITICAL-security-update-SPIP-3-1-6-and-SPIP-3-2-Beta?var_zapl=non
> > A CRITICAL flaw was discovered recently in SPIP, allowing the
> > execution of arbitrary code.
> >
> > It affects SPIP 3.1.x and 3.2 versions (alpha & beta), and impacts all
> > websites using these versions.
> > SPIP 3.0.x and earlier versions are not affected by this issue.
> >
> > It is imperative to update your SPIP website as soon as possible.
> >
> > In the meantime, the security screen version 1.3.2 will block possible
> > exploitations of the vulnerability. Updating the security screen
> > remains a transitional measure that should not prevent you from
> > updating SPIP as soon as possible.
> >
> > The team thanks Emeric Boit and ANSSI for identifying and reporting
> > the issue.
>
> and since there is no CVE to track the issue, filing the bug in the
> BTS even though already fixed in unstable.
CVE-2017-9736 was assigned for this issue.
Regards,
Salvatore
Changed Bug title to 'spip: CVE-2017-9736: remote code execution' from 'spip: remote code execution flaw'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 864921-submit@bugs.debian.org. (Sat, 17 Jun 2017 15:24:02 GMT)
Added tag(s) pending. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Mon, 19 Jun 2017 22:15:05 GMT)
Reply sent to David Prévot <taffit@debian.org>: You have taken responsibility. (Sat, 24 Jun 2017 14:54:08 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 24 Jun 2017 14:54:08 GMT)
Message #25 received at 864921-close@bugs.debian.org:
Source: spip
Source-Version: 3.1.4-3~deb9u1
We believe that the bug you reported is fixed in the latest version of
spip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 864921@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated spip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 19 Jun 2017 09:36:46 -1000
Source: spip
Binary: spip
Architecture: source
Version: 3.1.4-3~deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: SPIP packaging team <spip-maintainers@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description:
spip - website engine for publishing
Closes: 864921
Changes:
spip (3.1.4-3~deb9u1) stretch-security; urgency=high
.
* Upload previous fixes to Stretch
* Update previous changelog entry with CVE and bug report
.
spip (3.1.4-3) unstable; urgency=high
.
* Track Stretch
* Backport security fix from 3.1.6
- Execution of arbitrary code [CVE-2017-9736] (Closes: #864921)
* Update security screen to 1.3.2
Checksums-Sha1:
7ebd6794431e14d5c53b98849c7f76f16aad130c 1604 spip_3.1.4-3~deb9u1.dsc
5c11a4ba509364298fda7e5e6838c7caead8d091 5848656 spip_3.1.4.orig.tar.xz
ddf928c5a754559697b78fd2bbe4d17d83c509d9 81588 spip_3.1.4-3~deb9u1.debian.tar.xz
Checksums-Sha256:
f183335113efe985153400406b73d054f13e2107845ad97f726c786b8202afb9 1604 spip_3.1.4-3~deb9u1.dsc
884778eca338242da714641727b9acaa8ec10a5aefeefc1dbe1d38ad379d8318 5848656 spip_3.1.4.orig.tar.xz
005526c5806b00dd524d5d437ccc318ede3c989687f7a29b2db0b5cbc57be6ef 81588 spip_3.1.4-3~deb9u1.debian.tar.xz
Files:
5e38b7a4eda96a6d3962acedbfbd12d3 1604 web extra spip_3.1.4-3~deb9u1.dsc
773ba92d20896200e8301361cbc814f6 5848656 web extra spip_3.1.4.orig.tar.xz
177ecfbf57bb01da37084c392952cc3f 81588 web extra spip_3.1.4-3~deb9u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAllKA5AACgkQBYwc+UT2
vTxR7ggAn7ij0FPeor1NJLpQvJoLUaaQU/8GrxE5wmPXfdYJzqs3ltfWO1+DlA+P
4teGPAMQBZiK84uCN91xm3EvS5Xfo/BiS7ATTxX1nB4Br//ZPAHoDLNCxQMD4aRw
uWUDKyPURA9Qm5efK1R3tSPYnwYO+7/rtB6pWKZYXvIe0bHKEGP1M1D5A3SRiV3R
0I1enXSb0lO22UGudlUpAR4hbqAYggl7/DegVOf2StumJnzXHt0Ef6AGnscYeblY
NFdhiYbUbMP1AR/JMoyHWzlwynBw+WaoJ70q5/r11tA1yStL9dUai+eK5BlJEsK6
JDWnZzCneAe1HLq/N8ls5cTHtHK8ag==
=+4mB
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 23 Jul 2017 07:26:49 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 13:31:38 2019; Machine Name: buxtehude