Bug#682808: pu: package spip/2.1.1-3squeeze4

2012-07-29 Thread Adam D. Barratt
Control: tags 682808 + pending

On Sat, 2012-07-28 at 16:53 -0400, David Prévot wrote:
 On 28/07/2012 15:40, Adam D. Barratt wrote:
  On Wed, 2012-07-25 at 16:16 -0400, David Prévot wrote:
  The spip package currently in stable is vulnerable to some security
  issues (#677290, #672961, #680118), the last one being pretty nasty…
[…]
  Please go ahead; thanks.
 
 Uploaded.

Flagged for acceptance; thanks.

Regards,

Adam


--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1343584457.18013.117.ca...@jacala.jungle.funky-badger.org



Processed: Re: Bug#682808: pu: package spip/2.1.1-3squeeze4

2012-07-29 Thread Debian Bug Tracking System
Processing control commands:

 tags 682808 + pending
Bug #682808 [release.debian.org] pu: package spip/2.1.1-3squeeze4
Added tag(s) pending.

-- 
682808: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682808
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


Archive: http://lists.debian.org/handler.s.b682808.134358454618858.transcr...@bugs.debian.org



Bug#682808: pu: package spip/2.1.1-3squeeze4

2012-07-28 Thread Adam D. Barratt
Control: tags 682808 + squeeze confirmed

On Wed, 2012-07-25 at 16:16 -0400, David Prévot wrote:
 The spip package currently in stable is vulnerable to some security
 issues (#677290, #672961, #680118), the last one being pretty nasty…
 
 Having no answer from the security team, I hereby propose this update
 via the upcoming point release. As in #680381, the attached debdiff is
 pretty thin: most of the changes, in the security screen file, are due
 to rewritten comments.

+spip (2.1.1-3squeeze4) stable-security; urgency=low
+
+  * Non-maintainer upload by the Security Team.

Please s/-security// and drop the NMU comment.

+  * Updated security screen to 1.1.3. Prevent cross site scripting on referer
+(addresses missing bits of [CVE-2012-2151]), cross site scripting and PHP
+injections in internal functions.
+  Closes: #680118

The alignment of the Closes: item here looks slightly odd, imho (as do
the others).

Please go ahead; thanks.

Regards,

Adam


Archive: http://lists.debian.org/1343504430.18013.101.ca...@jacala.jungle.funky-badger.org



Processed: Re: Bug#682808: pu: package spip/2.1.1-3squeeze4

2012-07-28 Thread Debian Bug Tracking System
Processing control commands:

 tags 682808 + squeeze confirmed
Bug #682808 [release.debian.org] pu: package spip/2.1.1-3squeeze4
Added tag(s) squeeze and confirmed.



Archive: http://lists.debian.org/handler.s.b682808.134350451724350.transcr...@bugs.debian.org



Bug#682808: pu: package spip/2.1.1-3squeeze4

2012-07-28 Thread David Prévot

On 28/07/2012 15:40, Adam D. Barratt wrote:
 Control: tags 682808 + squeeze confirmed
 
 On Wed, 2012-07-25 at 16:16 -0400, David Prévot wrote:
 The spip package currently in stable is vulnerable to some security
 issues (#677290, #672961, #680118), the last one being pretty nasty…
[…]

 Please s/-security// and drop the NMU comment.
[…]
 The alignment of the Closes: item here looks slightly odd, imho (as do
 the others).

Changelog fixed according to your feedback, thanks.

 Please go ahead; thanks.

Uploaded.

Regards

David




Archive: http://lists.debian.org/5014515f.1090...@debian.org



Bug#682808: pu: package spip/2.1.1-3squeeze4

2012-07-25 Thread David Prévot
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu


Hi release team,

The spip package currently in stable is vulnerable to some security
issues (#677290, #672961, #680118), the last one being pretty nasty…

Having no answer from the security team, I hereby propose this update
via the upcoming point release. As in #680381, the attached debdiff is
pretty thin: most of the changes, in the security screen file, are due
to rewritten comments.

The package is available on ravel:
http://people.debian.org/~taffit/spip/spip_2.1.1-3squeeze4.dsc

Cheers

David

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diffstat for spip_2.1.1-3squeeze3 spip_2.1.1-3squeeze4

 debian/patches/fix_XSS_in_password.patch  |   18 +++
 debian/patches/fix_XSS_in_variable_name.patch |   19 +++
 spip-2.1.1/debian/changelog   |   16 +++
 spip-2.1.1/debian/patches/series  |2 
 spip-2.1.1/debian/security/ecran_securite.php |  130 --
 5 files changed, 137 insertions(+), 48 deletions(-)

diff -u spip-2.1.1/debian/changelog spip-2.1.1/debian/changelog
--- spip-2.1.1/debian/changelog
+++ spip-2.1.1/debian/changelog
@@ -1,3 +1,19 @@
+spip (2.1.1-3squeeze4) stable-security; urgency=low
+
+  * Non-maintainer upload by the Security Team.
+  * Updated security screen to 1.1.3. Prevent cross site scripting on referer
+(addresses missing bits of [CVE-2012-2151]), cross site scripting and PHP
+injections in internal functions.
+  Closes: #680118
+  * Backport patch from 2.1.14:
+- fix XSS on password.
+  Closes: #672961
+  * Backport patch from 2.1.15:
+- fix XSS injection in variable name.
+  Closes: #677290
+
+ -- David Prévot taf...@debian.org  Tue, 03 Jul 2012 14:24:23 -0400
+
 spip (2.1.1-3squeeze3) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
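Review bot: the new changelog stanza targets the wrong archive and mislabels the upload. `+spip (2.1.1-3squeeze4) stable-security; urgency=low` should read `stable`, since this goes through the point release (pu) rather than the security archive, and `+  * Non-maintainer upload by the Security Team.` should be dropped because the upload comes from the package's own maintainer; Adam's reply in this thread asks for both changes. The `+  Closes: #680118` lines are also indented at a level that matches neither the `* ` items nor the `- ` sub-items; keep `Closes:` as part of the item text, aligned with the item's continuation lines, so the three entries read consistently.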
diff -u spip-2.1.1/debian/security/ecran_securite.php spip-2.1.1/debian/security/ecran_securite.php
--- spip-2.1.1/debian/security/ecran_securite.php
+++ spip-2.1.1/debian/security/ecran_securite.php
@@ -5,21 +5,20 @@
  * --
  */
 
-define('_ECRAN_SECURITE', '1.0.10'); // 17 avril  2012
+define('_ECRAN_SECURITE', '1.1.3'); // 3 juillet 2012
 
 /*
  * Documentation : http://www.spip.net/fr_article4200.html
- *
  */
 
 /*
- * test utilisateur
+ * Test utilisateur
  */
 if (isset($_GET['test_ecran_securite']))
 	$ecran_securite_raison = 'test '._ECRAN_SECURITE;
 
 /*
- * detecteur de robot d'indexation
+ * Détecteur de robot d'indexation
  */
 if (!defined('_IS_BOT'))
 	define('_IS_BOT',
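Review bot: apart from the version bump `-define('_ECRAN_SECURITE', '1.0.10');` to `+define('_ECRAN_SECURITE', '1.1.3');`, every changed line in this hunk is a comment edit (capitalisation, accents, a dropped blank comment line). That matches the cover letter's remark that most of the 130 changed lines in ecran_securite.php are rewritten comments, but it also means the functional delta behind the changelog claims (referer XSS, XSS and PHP injection in internal functions) is buried in comment churn; for a stable update, either split the cosmetic changes out or point to the upstream changeset between 1.0.10 and 1.1.3 so the behavioural changes can be reviewed on their own.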
@@ -28,10 +27,11 @@
 			(string) $_SERVER['HTTP_USER_AGENT'])
 	);
 
-/* - interdit de passer une variable id_article (ou id_xxx) qui ne
- *   soit pas numerique (ce qui bloque l'exploitation de divers trous
- *   de securite, dont celui de toutes les versions  1.8.2f)
- *   (sauf pour id_table, qui n'est pas numerique jusqu'a [5743])
+/*
+ * Interdit de passer une variable id_article (ou id_xxx) qui ne
+ * soit pas numérique (ce qui bloque l'exploitation de divers trous
+ * de sécurité, dont celui de toutes les versions  1.8.2f)
+ * (sauf pour id_table, qui n'est pas numérique jusqu'à [5743])
  */
 foreach ($_GET as $var = $val)
 	if ($_GET[$var] AND strncmp($var,id_,3)==0 AND $var!='id_table')
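Review bot: this hunk is comment-only as well; the `foreach ($_GET ...)` loop that coerces `id_*` request variables to integers, with its `id_table` exemption, is untouched, so nothing here bears on the fixes listed in the changelog. Worth stating in the cover letter which hunks of ecran_securite.php carry the actual fix so reviewers can skip the ones that only reflow comments.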
@@ -43,32 +43,31 @@
 	if ($GLOBALS[$var] AND strncmp($var,id_,3)==0 AND $var!='id_table')
 		$GLOBALS[$var] = is_array($GLOBALS[$var])?@array_map('intval',$GLOBALS[$var]):intval($GLOBALS[$var]);
 
-
-/* - interdit la variable $cjpeg_command, qui etait utilisee sans
- *   precaution dans certaines versions de dev (1.8b2 - 1.8b5)
- *
+/*
+ * Interdit la variable $cjpeg_command, qui était utilisée sans
+ * précaution dans certaines versions de dev