spip: CVE-2017-9736: remote code execution

Related Vulnerabilities: CVE-2017-9736  

Debian Bug report logs - #864921
spip: CVE-2017-9736: remote code execution


Package: src:spip; Maintainer for src:spip is David Prévot <taffit@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 17 Jun 2017 06:42:02 UTC

Severity: grave

Tags: security, upstream

Found in version spip/3.1.4-2

Fixed in versions spip/3.1.4-3, spip/3.1.4-3~deb9u1

Done: David Prévot <taffit@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, SPIP packaging team <spip-maintainers@lists.alioth.debian.org>:
Bug#864921; Package src:spip. (Sat, 17 Jun 2017 06:42:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, SPIP packaging team <spip-maintainers@lists.alioth.debian.org>. (Sat, 17 Jun 2017 06:42:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: spip: remote code execution flaw
Date: Sat, 17 Jun 2017 08:39:10 +0200
Source: spip
Version: 3.1.4-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: fixed -1 3.1.4-2

As per

https://contrib.spip.net/CRITICAL-security-update-SPIP-3-1-6-and-SPIP-3-2-Beta?var_zapl=non
> A CRITICAL flaw was discovered recently in SPIP, allowing the
> execution of arbitrary code.
>
> It affects SPIP 3.1.x and 3.2 versions (alpha & beta), and impacts all
> websites using these versions.
> SPIP 3.0.x and earlier versions are not affected by this issue.
>
> It is imperative to update your SPIP website as soon as possible.
>
> In the meantime, the security screen version 1.3.2 will block possible
> exploitations of the vulnerability. Updating the security screen
> remains a transitional measure that should not prevent you from
> updating SPIP as soon as possible.
>
> The team thanks Emeric Boit and ANSSI for identifying and reporting
> the issue.

and since there is no CVE to track the issue, filing the bug in the
BTS even though already fixed in unstable.

Regards,
Salvatore



Marked as fixed in versions spip/3.1.4-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 17 Jun 2017 06:42:04 GMT)


No longer marked as fixed in versions spip/3.1.4-2. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Sat, 17 Jun 2017 10:03:05 GMT)


Marked as fixed in versions spip/3.1.4-3. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Sat, 17 Jun 2017 10:03:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, SPIP packaging team <spip-maintainers@lists.alioth.debian.org>:
Bug#864921; Package src:spip. (Sat, 17 Jun 2017 15:24:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to SPIP packaging team <spip-maintainers@lists.alioth.debian.org>. (Sat, 17 Jun 2017 15:24:02 GMT)


Message #16 received at 864921@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 864921@bugs.debian.org
Subject: Re: Bug#864921: spip: remote code execution flaw
Date: Sat, 17 Jun 2017 17:21:34 +0200
Control: retitle -1 spip: CVE-2017-9736: remote code execution

On Sat, Jun 17, 2017 at 08:39:10AM +0200, Salvatore Bonaccorso wrote:
> Source: spip
> Version: 3.1.4-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Control: fixed -1 3.1.4-2
> 
> As per
> 
> https://contrib.spip.net/CRITICAL-security-update-SPIP-3-1-6-and-SPIP-3-2-Beta?var_zapl=non
> > A CRITICAL flaw was discovered recently in SPIP, allowing the
> > execution of arbitrary code.
> >
> > It affects SPIP 3.1.x and 3.2 versions (alpha & beta), and impacts all
> > websites using these versions.
> > SPIP 3.0.x and earlier versions are not affected by this issue.
> >
> > It is imperative to update your SPIP website as soon as possible.
> >
> > In the meantime, the security screen version 1.3.2 will block possible
> > exploitations of the vulnerability. Updating the security screen
> > remains a transitional measure that should not prevent you from
> > updating SPIP as soon as possible.
> >
> > The team thanks Emeric Boit and ANSSI for identifying and reporting
> > the issue.
> 
> and since there is no CVE to track the issue, filing the bug in the
> BTS even though already fixed in unstable.

CVE-2017-9736 was assigned for this issue.

Regards,
Salvatore



Changed Bug title to 'spip: CVE-2017-9736: remote code execution' from 'spip: remote code execution flaw'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 864921-submit@bugs.debian.org. (Sat, 17 Jun 2017 15:24:02 GMT)


Added tag(s) pending. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Mon, 19 Jun 2017 22:15:05 GMT)


Reply sent to David Prévot <taffit@debian.org>:
You have taken responsibility. (Sat, 24 Jun 2017 14:54:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 24 Jun 2017 14:54:08 GMT)


Message #25 received at 864921-close@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: 864921-close@bugs.debian.org
Subject: Bug#864921: fixed in spip 3.1.4-3~deb9u1
Date: Sat, 24 Jun 2017 14:51:39 +0000
Source: spip
Source-Version: 3.1.4-3~deb9u1

We believe that the bug you reported is fixed in the latest version of
spip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864921@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated spip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 19 Jun 2017 09:36:46 -1000
Source: spip
Binary: spip
Architecture: source
Version: 3.1.4-3~deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: SPIP packaging team <spip-maintainers@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description:
 spip       - website engine for publishing
Closes: 864921
Changes:
 spip (3.1.4-3~deb9u1) stretch-security; urgency=high
 .
   * Upload previous fixes to Stretch
   * Update previous changelog entry with CVE and bug report
 .
 spip (3.1.4-3) unstable; urgency=high
 .
   * Track Stretch
   * Backport security fix from 3.1.6
     - Execution of arbitrary code [CVE-2017-9736] (Closes: #864921)
   * Update security screen to 1.3.2





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 23 Jul 2017 07:26:49 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:31:38 2019; Machine Name: buxtehude
