Emeric Boit of ANSSI reported that SPIP, a website engine for publishing, insufficiently sanitises the value from the X-Forwarded-Host HTTP header field. An unauthenticated attacker can take advantage of this flaw to cause remote code execution.
For the stable distribution (stretch), this problem has been fixed in version 3.1.4-3~deb9u1.
For the testing distribution (buster), this problem has been fixed in version 3.1.4-3.
For the unstable distribution (sid), this problem has been fixed in version 3.1.4-3.
We recommend that you upgrade your spip packages.
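The advisory says only that the X-Forwarded-Host value is insufficiently sanitised before use. The following is an added illustration, not SPIP's code and not the Debian patch, of the handling a web application should apply to that header: consult it only when the request arrived through a proxy the operator trusts, then require the value to match hostname grammar and an allowlist of the site's own host names before it is embedded in generated URLs, redirects or file paths. The function names, the allowlist and the sample header sets are constructed for this example.

```python
import re
from typing import Mapping, Iterable, Optional

# Hostname grammar (RFC 1123 labels) with an optional numeric port.
# \Z rather than $ so a trailing newline cannot sneak past the check.
_HOST_RE = re.compile(
    r"(?P<host>(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)"
    r"(?::(?P<port>[0-9]{1,5}))?\Z"
)


class UntrustedHostError(ValueError):
    """Raised when no acceptable host name can be derived from the request."""


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup over a plain dict of header fields."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def normalise_host(value: str) -> Optional[str]:
    """Return lowercase host[:port] if the value is a syntactically valid host, else None."""
    value = value.strip().lower()
    match = _HOST_RE.match(value)
    if match is None:
        return None
    port = match.group("port")
    if port is not None and int(port) > 65535:
        return None
    return value


def resolve_public_host(headers: Mapping[str, str],
                        allowed_hosts: Iterable[str],
                        trust_forwarded: bool) -> str:
    """
    Pick the host name the application may safely reuse in output.

    - X-Forwarded-Host is honoured only when trust_forwarded is True, i.e. the
      operator has confirmed the request came through a proxy they control.
    - Proxy chains append values comma-separated; the first entry is the
      client-facing host, the rest are intermediate hops.
    - Whichever header supplies the candidate, it must pass the grammar check
      and be present in the allowlist; anything else is rejected outright.
    """
    allowed = {h.lower() for h in allowed_hosts}
    candidate: Optional[str] = None
    if trust_forwarded:
        forwarded = _get_header(headers, "X-Forwarded-Host")
        if forwarded:
            candidate = forwarded.split(",")[0]
    if candidate is None:
        candidate = _get_header(headers, "Host") or ""
    host = normalise_host(candidate)
    if host is None or host not in allowed:
        raise UntrustedHostError(f"rejected host header value: {candidate!r}")
    return host


def is_acceptable_host(headers: Mapping[str, str],
                       allowed_hosts: Iterable[str],
                       trust_forwarded: bool) -> bool:
    """Boolean wrapper so callers (and tests) can check without catching."""
    try:
        resolve_public_host(headers, allowed_hosts, trust_forwarded)
        return True
    except UntrustedHostError:
        return False


if __name__ == "__main__":
    # Constructed sample requests: a direct one and one via a trusted proxy.
    site = ["www.example.org", "www.example.org:8443"]
    direct = {"Host": "www.example.org", "X-Forwarded-Host": "attacker.example"}
    proxied = {"Host": "10.0.0.5", "X-Forwarded-Host": "WWW.example.org, edge.internal"}
    print(resolve_public_host(direct, site, trust_forwarded=False))   # www.example.org
    print(resolve_public_host(proxied, site, trust_forwarded=True))   # www.example.org
```

The allowlist is the decisive control: grammar checking alone would still accept any well-formed attacker-chosen name, and trusting X-Forwarded-Host from an arbitrary client lets the caller choose the host the application reuses. None of this replaces upgrading to the fixed spip package versions named in the advisory; it describes the pattern a fixed application should follow.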