Your message dated Fri, 18 Nov 2011 03:17:49 +0000
with message-id <[email protected]>
and subject line Bug#649113: fixed in spip 2.1.12-1
has caused the Debian Bug report #649113,
regarding spip: New version (2.1.12) fixes several security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
649113: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649113
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: spip
Version: 2.1.1-3squeeze1
Severity: important
Tags: security upstream

Hi,

The last SPIP upstream version (2.1.12) fixes several security issues.
The most severe one allows a privilege escalation: an unauthorized
member can become administrator (with full access to the SPIP website).
This version also fixes a cross site scripting (XSS) and a full path
disclosure. [0]

Unfortunately, the security screen file added recently in the package to
fix previous security issues could not be updated by upstream authors
(“it was not possible to produce a light code to fix those three
issues”).

  0: http://archives.rezo.net/archives/spip-ann.mbox/GFZZLMG4ZO5MA4KWQ77XEHDM27ZRMCQH/

I'm preparing a package for Sid and will upload it ASAP, but I'm not
sure it will be easy to backport the other 2.1.11 to 2.1.12 changes in
the 2.1.1 version currently in Squeeze. I'll update this bug report
after further investigation or get directly in touch with the security
team when ready.

Regards

David

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (600, 'unstable'), (500, 'testing'), (500, 'stable'), (150, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages spip depends on:
ii  apache2-mpm-prefork [httpd]  2.2.21-2    
ii  debconf [debconf-2.0]        1.5.41      
ii  libjs-jquery                 1.6.4-1     
ii  lighttpd [httpd]             1.4.29-1    
ii  php-html-safe                0.10.1-1    
ii  php5                         5.3.8.0-1   
ii  php5-mysql                   5.3.8.0-1+b1

Versions of packages spip recommends:
ii  imagemagick                      8:6.6.9.7-5+b2
ii  mysql-server                     5.1.58-1      
ii  mysql-server-5.1 [mysql-server]  5.1.58-1      
ii  netpbm                           2:10.0-15     

spip suggests no packages.

-- debconf information excluded



--- End Message ---
--- Begin Message ---
Source: spip
Source-Version: 2.1.12-1

We believe that the bug you reported is fixed in the latest version of
spip, which is due to be installed in the Debian FTP archive:

spip_2.1.12-1.debian.tar.gz
  to main/s/spip/spip_2.1.12-1.debian.tar.gz
spip_2.1.12-1.dsc
  to main/s/spip/spip_2.1.12-1.dsc
spip_2.1.12-1_all.deb
  to main/s/spip/spip_2.1.12-1_all.deb
spip_2.1.12.orig.tar.gz
  to main/s/spip/spip_2.1.12.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <[email protected]> (supplier of updated spip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 17 Nov 2011 17:53:48 -0400
Source: spip
Binary: spip
Architecture: source all
Version: 2.1.12-1
Distribution: unstable
Urgency: high
Maintainer: SPIP packaging team <[email protected]>
Changed-By: David Prévot <[email protected]>
Description: 
 spip       - website engine for publishing
Closes: 649113
Changes: 
 spip (2.1.12-1) unstable; urgency=high
 .
   * New upstream release, fixes privilege escalation and cross site scripting.
   Closes: #649113
   * Add self as uploader.
   * Bumped standards to 3.9.2.
   * Depend on and use fonts-dustin, libjs-jquery-cookie and libjs-jquery-form
     instead of shipped ones.
   * Use dh 7.
   * Update security screen file to 1.0.6.
Checksums-Sha1: 
 947ad0bfaef9e6a9c8d5969893cc0f612f11d30e 1897 spip_2.1.12-1.dsc
 3420d0bf37685b511fafb1a4ca7d64adcf1b58ff 3942634 spip_2.1.12.orig.tar.gz
 d396219ffa8e8ff5dcca8babfcbb78ee4b800cb9 57960 spip_2.1.12-1.debian.tar.gz
 1761271f3f12906226e1af07536100b704326a9b 3851780 spip_2.1.12-1_all.deb
Checksums-Sha256: 
 97c6c61b592f78769778718c239bfb366507603c22675434196c6172b3fa3423 1897 spip_2.1.12-1.dsc
 da08a94e2706e88c6a78f4419fb4ac88fea53346599df3fd31c52bf001d65d54 3942634 spip_2.1.12.orig.tar.gz
 e6d4fae0e947d4a67ccbac8e05fae8298f5ef7371cabcae05f9386e5b50af527 57960 spip_2.1.12-1.debian.tar.gz
 a016e93ca959c8646442943d9fe17d172f087703362fd10c67452b79d59e74b8 3851780 spip_2.1.12-1_all.deb
Files: 
 a770c41265b4288ac50fe9115670b3d0 1897 web extra spip_2.1.12-1.dsc
 f99e5dc41df6bfda97b395a15575d9f5 3942634 web extra spip_2.1.12.orig.tar.gz
 e2c5a8231476b17d3ddeef19a7cb4058 57960 web extra spip_2.1.12-1.debian.tar.gz
 2e3eb27cd2141b8fa532c472839667c0 3851780 web extra spip_2.1.12-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJOxYNkAAoJELgqIXr9/gnypvYQAIvMCGeFvk0tXiHfE3YxAGaD
E+zhHDEHplJvzy2PWY8CuQKWakJoVKYWzKI4CAJ9lo9yhZa9YSpgfCN2OJxRQTnC
twAm+IQEXWuEIwt0bEfqiUyapmxA48edkuinolueWOBdqHFJIVCbds+tGs2AnFXK
pFz+8aDgc/FSt7DYUJOgb8nGE1D74ZvZSOtf5aJOGiP/RB334+/53hIfB5CL20O8
lDn1ynW90/hWFPpkLRDZI3/ihKkNinOw87oPDO349RCpfzBdSFRc6irp5njZLGPF
+cpPyBuT1fxPJzlX97TNHnPxv4H6/VvZsE2iAb8CrT9WndC0WOA1Ozb7+2F1s+we
g4TzEpLPEpkhcYWjxNhS7mZUXNUkbIz6sqXuBvc+eLEv7dKkYWsOfUIcm3O2F26U
kNj9tljcbXfknkWBqxoCRFiNxuOVEI1yW2SumAVMSKz++aqpwRdo8xUXDqx1ZqxR
PSclB3JN8OK4fZqppGdkMEmcQClAWD5XlIJEaJRwOU0tBkPulgE2+2Ce0Ty0TisC
eOADjx0xD0iIvFFuoAUtFPN3PcTs15emljFIkHbxd7W+C71KAAS+LqR8SblLT0fa
6//4rbc6Rt1orgyaJZ8qbmOZnAFY0Yd5SbR3KTcLIpqwhntt7L1Qc+c4SUCEwRuq
HV5yN/dYHs37mLxyubHu
=1sIF
-----END PGP SIGNATURE-----



--- End Message ---