Several vulnerabilities were found in SPIP, a website engine for publishing, resulting in code injection.

CVE-2016-3153: g0uZ and sambecks, from team root-me, discovered that arbitrary PHP code could be injected when adding content.

CVE-2016-3154: Gilles Vincent discovered that deserializing untrusted content could result in the injection of arbitrary objects.

For the oldstable distribution (wheezy), these problems have been fixed in version 2.1.17-1+deb7u5.

For the stable distribution (jessie), these problems have been fixed in version 3.0.17-2+deb8u2.

For the testing (stretch) and unstable (sid) distributions, these problems have been fixed in version 3.0.22-1.

We recommend that you upgrade your spip packages.