Debian Bug report logs -
#847156
spip: CVE-2016-9152
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 6 Dec 2016 06:15:01 UTC
Severity: important
Tags: patch, security, upstream
Found in version spip/3.1.3-1
Fixed in versions spip/3.1.4-2, spip/3.0.17-2+deb8u3
Done: David Prévot <taffit@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, SPIP packaging team <spip-maintainers@lists.alioth.debian.org>:
Bug#847156; Package src:spip.
(Tue, 06 Dec 2016 06:15:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, SPIP packaging team <spip-maintainers@lists.alioth.debian.org>.
(Tue, 06 Dec 2016 06:15:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: spip
Version: 3.1.3-1
Severity: important
Tags: security upstream patch
Hi,
the following vulnerability was published for spip.
CVE-2016-9152[0]:
cross-site scripting
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-9152
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9152
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, SPIP packaging team <spip-maintainers@lists.alioth.debian.org>:
Bug#847156; Package src:spip.
(Tue, 06 Dec 2016 07:57:05 GMT) (full text, mbox, link).
Acknowledgement sent
to David Prévot <david@tilapin.org>:
Extra info received and forwarded to list. Copy sent to SPIP packaging team <spip-maintainers@lists.alioth.debian.org>.
(Tue, 06 Dec 2016 07:57:05 GMT) (full text, mbox, link).
Message #10 received at 847156@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Salvatore,
Thanks for the report,
Le 05/12/2016 à 20:11, Salvatore Bonaccorso a écrit :
> the following vulnerability was published for spip.
>
> CVE-2016-9152[0]:
> cross-site scripting
[…]
> [0] https://security-tracker.debian.org/tracker/CVE-2016-9152
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9152
I was about to ask where did you find the link between the CVE entry and
the commit, but my search engine was quicker to answer ;).
FYI, a few other security-oriented commits are being staged for the next
upstream release (coming soon), and the previous fixes that already made
it in a “recent” DLA are still waiting for an upstream ack (they
recently acknowledge on IRC that they have to reply to us).
Regards
David
[signature.asc (application/pgp-signature, attachment)]
Added tag(s) pending.
Request was from David Prévot <taffit@debian.org>
to control@bugs.debian.org.
(Sat, 11 Mar 2017 18:42:05 GMT) (full text, mbox, link).
Reply sent
to David Prévot <taffit@debian.org>:
You have taken responsibility.
(Sat, 11 Mar 2017 20:51:08 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 11 Mar 2017 20:51:08 GMT) (full text, mbox, link).
Message #17 received at 847156-close@bugs.debian.org (full text, mbox, reply):
Source: spip
Source-Version: 3.1.4-1
We believe that the bug you reported is fixed in the latest version of
spip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 847156@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated spip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 11 Mar 2017 08:24:16 -1000
Source: spip
Binary: spip
Architecture: source
Version: 3.1.4-1
Distribution: unstable
Urgency: high
Maintainer: SPIP packaging team <spip-maintainers@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description:
spip - website engine for publishing
Closes: 829339 847156 848641
Changes:
spip (3.1.4-1) unstable; urgency=high
.
[ Adriano Rafael Gomes ]
* Add Brazilian Portuguese debconf templates translation (Closes: #829339)
.
[ David Prévot ]
* New upstream version 3.1.4, with security fixes:
- Arbitrary PHP execution code
- Reflected Cross Site Scripting (XSS) Vulnerabilities
[CVE-2016-9997] [CVE-2016-9998] (Closes: #848641)
- Cross-site scripting (XSS) vulnerability
[CVE-2016-9152] (Closes: #847156)
* Update mutualisation to 1.3.5
* Update copyright
Checksums-Sha1:
341a39cea255844fd58861c73870ac3dfcd55953 1576 spip_3.1.4-1.dsc
5c11a4ba509364298fda7e5e6838c7caead8d091 5848656 spip_3.1.4.orig.tar.xz
5a698a3ed5e780085d2e0a44f05f09e807f3dd8d 78996 spip_3.1.4-1.debian.tar.xz
Checksums-Sha256:
9d112364039b9d90f1b49ab31f2a5cb155949d4634333c16b6dd8a761310ee36 1576 spip_3.1.4-1.dsc
884778eca338242da714641727b9acaa8ec10a5aefeefc1dbe1d38ad379d8318 5848656 spip_3.1.4.orig.tar.xz
9264bf0befda7f806efa4bffa7db789890910445cd20b1e66a6a9af85359adb1 78996 spip_3.1.4-1.debian.tar.xz
Files:
4927e5d910f7c1fd0f8d34216b7fcdeb 1576 web extra spip_3.1.4-1.dsc
773ba92d20896200e8301361cbc814f6 5848656 web extra spip_3.1.4.orig.tar.xz
385b52c4a3a628e4d032a8ca85af1e8f 78996 web extra spip_3.1.4-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAljEVwUACgkQBYwc+UT2
vTwO0wf/f3psiw/lNmWCv10k+4jb7SoIvDiHmVNJj0x43gb3oS/duLRyFdEQBWxJ
0bXmTWQa2ZbIjnEYXfltEC53nG2FZgW+znLJRtD6AQv/Dh4jn1MmYrfQEu3RGpE6
+Aw//d4+Lu1o48pOI/kpDP+NCFd17whV8HCVE8JRUBhGGHIx1eOBCoIn/boYRx9K
/6WSwjmOivt5F/vM2cEAsAQtL+fW2Eqvj/c7heqSXd2l5tz3I75yVjHEoS5pRkhO
w+FAYGZzZY8El3TzUIlHY3fPLMuMRoN/sf9APwNh4PAbshhPJtdtcsbcad3r4+KM
r125qSzeJNuxUAVqc+xPCGCgC1ecvA==
=TnLj
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 11 Apr 2017 07:28:23 GMT) (full text, mbox, link).
Bug unarchived.
Request was from David Prévot <taffit@debian.org>
to control@bugs.debian.org.
(Thu, 27 Apr 2017 05:03:11 GMT) (full text, mbox, link).
Bug reopened
Request was from David Prévot <taffit@debian.org>
to control@bugs.debian.org.
(Thu, 27 Apr 2017 05:03:12 GMT) (full text, mbox, link).
No longer marked as fixed in versions spip/3.1.4-1.
Request was from David Prévot <taffit@debian.org>
to control@bugs.debian.org.
(Thu, 27 Apr 2017 05:03:12 GMT) (full text, mbox, link).
Marked as fixed in versions spip/3.1.4-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 27 Apr 2017 05:30:03 GMT) (full text, mbox, link).
No longer marked as fixed in versions spip/3.1.4-1.
Request was from David Prévot <taffit@debian.org>
to control@bugs.debian.org.
(Thu, 27 Apr 2017 06:12:05 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from David Prévot <taffit@debian.org>
to control@bugs.debian.org.
(Thu, 27 Apr 2017 06:39:08 GMT) (full text, mbox, link).
Reply sent
to David Prévot <taffit@debian.org>:
You have taken responsibility.
(Thu, 27 Apr 2017 09:09:10 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Thu, 27 Apr 2017 09:09:10 GMT) (full text, mbox, link).
Message #36 received at 847156-close@bugs.debian.org (full text, mbox, reply):
Source: spip
Source-Version: 3.1.4-2
We believe that the bug you reported is fixed in the latest version of
spip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 847156@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated spip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 26 Apr 2017 20:51:45 -1000
Source: spip
Binary: spip
Architecture: source
Version: 3.1.4-2
Distribution: unstable
Urgency: medium
Maintainer: SPIP packaging team <spip-maintainers@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description:
spip - website engine for publishing
Closes: 847156 848641 857818
Changes:
spip (3.1.4-2) unstable; urgency=medium
.
* Fix broken symlink with recent libjs-jquery-ui.
Thanks to Andreas Beckman (Closes: #857818)
* Backport security fixes from 3.2-alpha-1
- Reflected Cross Site Scripting Vulnerabilities in
/ecrire/exec/puce_statut.php and /ecrire/exec/info_plugin.php
[CVE-2016-9997] [CVE-2016-9998] (Closes: #848641)
- Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php
[CVE-2016-9152] (Closes: #847156)
* Remove incorrect statement that those security issues had been fixed from
the previous changelog entry
* Remove incorrect execution bit for ecrire/inc/idna_convert.class.php
Checksums-Sha1:
4d0e001a04014d4ef63ef085204930af98d6d2e9 1576 spip_3.1.4-2.dsc
a0eff9b3b020705a85b1c038cdd0c05c6e402f8a 79940 spip_3.1.4-2.debian.tar.xz
Checksums-Sha256:
b7a41c642872af188d0cdefc9a97cb3e2ec57f8a417e0c4cef651cc4f2a82092 1576 spip_3.1.4-2.dsc
3381fc4b19a05adc56f9cc3ebc4c759c36be337fbe3afac3183834145b299e5e 79940 spip_3.1.4-2.debian.tar.xz
Files:
b25848c7c98746d42ea140134c86a4d6 1576 web extra spip_3.1.4-2.dsc
02d976a181e2107f2906acaacb3a0039 79940 web extra spip_3.1.4-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAlkBoiEACgkQBYwc+UT2
vTzqeQgAsTcdbAJodRcfSid46eDNZhuRv+x5fqjGK/pToaPG288WBmFC/VflAoBW
rlq4F7XUWj3OAAQj2uzWCj5fXB0MBJkTyBAyV4RqWaZ/2CPQkPheCUNjABviHIhq
5LyJ4nzB/BCYT67g0asWyGwJrBdH0zk4hQMN7NJhMAGLz1i2ZOAS/a9hYZOAEfl3
M1xtz5vcIOiUTlPA9xVx6QVp1LNrei9AStAWrce9BLkhqlOtVxosRtSHWnz0jppu
q9SgoBfyM74hPkaVy8fHbz0DrtjjUdLqHUG3Sr3MA+0NJ0q67Rrvge+RcvcmpdAX
cpt9jg7wyv2GECsYG40iZfgw9RyPQQ==
=P8ir
-----END PGP SIGNATURE-----
Reply sent
to David Prévot <taffit@debian.org>:
You have taken responsibility.
(Fri, 28 Apr 2017 21:36:13 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Fri, 28 Apr 2017 21:36:13 GMT) (full text, mbox, link).
Message #41 received at 847156-close@bugs.debian.org (full text, mbox, reply):
Source: spip
Source-Version: 3.0.17-2+deb8u3
We believe that the bug you reported is fixed in the latest version of
spip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 847156@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated spip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 26 Apr 2017 18:02:00 -1000
Source: spip
Binary: spip
Architecture: source all
Version: 3.0.17-2+deb8u3
Distribution: jessie
Urgency: medium
Maintainer: SPIP packaging team <spip-maintainers@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description:
spip - website engine for publishing
Closes: 847156 848641
Changes:
spip (3.0.17-2+deb8u3) jessie; urgency=medium
.
* Document CVE in previous changelog entry
* Update security screen to 1.3.0
* Backport security fixes from 3.0.23
- Multiple XSS issues
* Backport security fixes from 3.0.24
- Server side request forgery (SSRF) attacks via the var_url parameter
[CVE-2016-7999]
- Directory traversal vulnerability in ecrire/exec/valider_xml.php
[CVE-2016-7982]
- Execution of arbitrary PHP code by authenticated users [CVE-2016-7998]
- Cross-site request forgery (CSRF) vulnerability in
ecrire/exec/valider_xml.php [CVE-2016-7980]
- Cross-site scripting (XSS) vulnerability in valider_xml.php
[CVE-2016-7981]
* Backport security fixes from 3.2-alpha-1
- Reflected Cross Site Scripting Vulnerabilities in
/ecrire/exec/puce_statut.php and /ecrire/exec/info_plugin.php
[CVE-2016-9997] [CVE-2016-9998] (Closes: #848641)
- Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php
[CVE-2016-9152] (Closes: #847156)
* Backport security fix from 3.0.25
- Execution of arbitrary PHP code
Checksums-Sha1:
ddc9a01e1c5919fc83d867a986bff44c5fc98ba8 1610 spip_3.0.17-2+deb8u3.dsc
45e661b38a07c0c2adb41aa0e34a4860df5f9531 86352 spip_3.0.17-2+deb8u3.debian.tar.xz
87538f8a0bf06c55fb6b1a9d4a564541071963f1 4825086 spip_3.0.17-2+deb8u3_all.deb
Checksums-Sha256:
443b826d5a735020ce5d98a006693e08fca0d0493a91e182429f2f8e68a1920e 1610 spip_3.0.17-2+deb8u3.dsc
9d933ba9881693cff92a71bae79116ac133d7efbc9f8ec21d2c625d99114c52e 86352 spip_3.0.17-2+deb8u3.debian.tar.xz
0bda8755a4ded2a3cac04d73edac4804bb8c4ad38441d4e2adf9e0a7da52b3a0 4825086 spip_3.0.17-2+deb8u3_all.deb
Files:
3828708c9bde3500237b1a2cb570e5f7 1610 web extra spip_3.0.17-2+deb8u3.dsc
4c5a7ee1255836c0cf7383aba2e89dd2 86352 web extra spip_3.0.17-2+deb8u3.debian.tar.xz
208d0cf72236acf2de8399dc2ed93087 4825086 web extra spip_3.0.17-2+deb8u3_all.deb
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAlkCtUUACgkQBYwc+UT2
vTxD+wgAlEXPjl3C4kW6lcvonIasXdDPOjFLfHZJti16MkYi8iI84H1b6Lm33nGz
08GFnVSbSx7U0bzy2U6U5ZlrWKljCNiOAAj7uTutut2p6v/far9b8aE3UT9GK9Pk
huS/JtwzZaVT8Cboj9CZpTM2s/X1ukuL0S50o6duiT0A5L7K3WcIxRwGXV4g1Hj0
7f7DDlSKDNnPY5T2ewkuB/QQK80V/+a/hhe7U08yMtwTFQZs49Vi3SKuxPxMzTut
ortjvdvsy3QpH2WnP7+6L52UL1XXW7sCogan4n+sZ07PfsXyKIFLAMbENOJuktq6
CdE5Mlk5ndtEW2mZnf8sf4Bi1wSDmg==
=y48c
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 30 May 2017 07:27:36 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:50:48 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon