Bug#682808: pu: package spip/2.1.1-3squeeze4
Control: tags 682808 + pending

On Sat, 2012-07-28 at 16:53 -0400, David Prévot wrote:
> On 28/07/2012 15:40, Adam D. Barratt wrote:
>> On Wed, 2012-07-25 at 16:16 -0400, David Prévot wrote:
>>> The spip package currently in stable is vulnerable to some security
>>> issues (#677290, #672961, #680118), the last one being pretty nasty…
>> […]
>> Please go ahead; thanks.
>
> Uploaded.

Flagged for acceptance; thanks.

Regards,

Adam

-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1343584457.18013.117.ca...@jacala.jungle.funky-badger.org
Processed: Re: Bug#682808: pu: package spip/2.1.1-3squeeze4
Processing control commands:

> tags 682808 + pending
Bug #682808 [release.debian.org] pu: package spip/2.1.1-3squeeze4
Added tag(s) pending.

-- 
682808: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682808
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Archive: http://lists.debian.org/handler.s.b682808.134358454618858.transcr...@bugs.debian.org
Bug#682808: pu: package spip/2.1.1-3squeeze4
Control: tags 682808 + squeeze confirmed

On Wed, 2012-07-25 at 16:16 -0400, David Prévot wrote:
> The spip package currently in stable is vulnerable to some security
> issues (#677290, #672961, #680118), the last one being pretty nasty…
> Having no answer from the security team, I hereby propose this update
> via the upcoming point release.
>
> As in #680381, the attached debdiff is pretty thin: most of the
> changes, in the security screen file, are due to rewritten comments.

> +spip (2.1.1-3squeeze4) stable-security; urgency=low
> +
> + * Non-maintainer upload by the Security Team.

Please s/-security// and drop the NMU comment.

> + * Updated security screen to 1.1.3. Prevent cross site scripting on referer
> +(addresses missing bits of [CVE-2012-2151]), cross site scripting and PHP
> +injections in internal functions.
> + Closes: #680118

The alignment of the Closes: item here looks slightly odd, imho (as do
the others).

Please go ahead; thanks.

Regards,

Adam

Archive: http://lists.debian.org/1343504430.18013.101.ca...@jacala.jungle.funky-badger.org
Processed: Re: Bug#682808: pu: package spip/2.1.1-3squeeze4
Processing control commands:

> tags 682808 + squeeze confirmed
Bug #682808 [release.debian.org] pu: package spip/2.1.1-3squeeze4
Added tag(s) squeeze and confirmed.

-- 
682808: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682808
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Archive: http://lists.debian.org/handler.s.b682808.134350451724350.transcr...@bugs.debian.org
Bug#682808: pu: package spip/2.1.1-3squeeze4
On 28/07/2012 15:40, Adam D. Barratt wrote:
> Control: tags 682808 + squeeze confirmed
>
> On Wed, 2012-07-25 at 16:16 -0400, David Prévot wrote:
>> The spip package currently in stable is vulnerable to some security
>> issues (#677290, #672961, #680118), the last one being pretty nasty…
> […]
> Please s/-security// and drop the NMU comment.
> […]
> The alignment of the Closes: item here looks slightly odd, imho (as do
> the others).

Changelog fixed according to your feedback, thanks.

> Please go ahead; thanks.

Uploaded.

Regards

David

Archive: http://lists.debian.org/5014515f.1090...@debian.org
Bug#682808: pu: package spip/2.1.1-3squeeze4
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Hi release team,

The spip package currently in stable is vulnerable to some security
issues (#677290, #672961, #680118), the last one being pretty nasty…
Having no answer from the security team, I hereby propose this update
via the upcoming point release.

As in #680381, the attached debdiff is pretty thin: most of the
changes, in the security screen file, are due to rewritten comments.

The package is available on ravel:

http://people.debian.org/~taffit/spip/spip_2.1.1-3squeeze4.dsc

Cheers

David

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diffstat for spip_2.1.1-3squeeze3 spip_2.1.1-3squeeze4 debian/patches/fix_XSS_in_password.patch | 18 +++ debian/patches/fix_XSS_in_variable_name.patch | 19 +++ 
spip-2.1.1/debian/changelog | 16 +++ spip-2.1.1/debian/patches/series |2 spip-2.1.1/debian/security/ecran_securite.php | 130 -- 5 files changed, 137 insertions(+), 48 deletions(-) diff -u spip-2.1.1/debian/changelog spip-2.1.1/debian/changelog --- spip-2.1.1/debian/changelog +++ spip-2.1.1/debian/changelog @@ -1,3 +1,19 @@ +spip (2.1.1-3squeeze4) stable-security; urgency=low + + * Non-maintainer upload by the Security Team. + * Updated security screen to 1.1.3. Prevent cross site scripting on referer +(addresses missing bits of [CVE-2012-2151]), cross site scripting and PHP +injections in internal functions. + Closes: #680118 + * Backport patch from 2.1.14: +- fix XSS on password. + Closes: #672961 + * Backport patch from 2.1.15: +- fix XSS injection in variable name. + Closes: #677290 + + -- David Prévot taf...@debian.org Tue, 03 Jul 2012 14:24:23 -0400 + spip (2.1.1-3squeeze3) stable-security; urgency=high * Non-maintainer upload by the Security Team. diff -u spip-2.1.1/debian/security/ecran_securite.php spip-2.1.1/debian/security/ecran_securite.php --- spip-2.1.1/debian/security/ecran_securite.php +++ spip-2.1.1/debian/security/ecran_securite.php @@ -5,21 +5,20 @@ * -- */ -define('_ECRAN_SECURITE', '1.0.10'); // 17 avril 2012 +define('_ECRAN_SECURITE', '1.1.3'); // 3 juillet 2012 /* * Documentation : http://www.spip.net/fr_article4200.html - * */ /* - * test utilisateur + * Test utilisateur */ if (isset($_GET['test_ecran_securite'])) $ecran_securite_raison = 'test '._ECRAN_SECURITE; /* - * detecteur de robot d'indexation + * Détecteur de robot d'indexation */ if (!defined('_IS_BOT')) define('_IS_BOT', 
@@ -28,10 +27,11 @@ (string) $_SERVER['HTTP_USER_AGENT']) ); -/* - interdit de passer une variable id_article (ou id_xxx) qui ne - * soit pas numerique (ce qui bloque l'exploitation de divers trous - * de securite, dont celui de toutes les versions 1.8.2f) - * (sauf pour id_table, qui n'est pas numerique jusqu'a [5743]) +/* + * Interdit de passer une variable id_article (ou id_xxx) qui ne + * soit pas numérique (ce qui bloque l'exploitation de divers trous + * de sécurité, dont celui de toutes les versions 1.8.2f) + * (sauf pour id_table, qui n'est pas numérique jusqu'à [5743]) */ foreach ($_GET as $var = $val) if ($_GET[$var] AND strncmp($var,id_,3)==0 AND $var!='id_table') @@ -43,32 +43,31 @@ if ($GLOBALS[$var] AND strncmp($var,id_,3)==0 AND $var!='id_table') $GLOBALS[$var] = is_array($GLOBALS[$var])?@array_map('intval',$GLOBALS[$var]):intval($GLOBALS[$var]); - -/* - interdit la variable $cjpeg_command, qui etait utilisee sans - * precaution dans certaines versions de dev (1.8b2 - 1.8b5) - * +/* + * Interdit la variable $cjpeg_command, qui était utilisée sans + * précaution dans certaines versions de dev
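Review bot: in the debian/changelog hunk the distribution is "stable-security" and the first bullet reads "Non-maintainer upload by the Security Team", neither of which fits an update proposed through the release team for the point release (the same two points Adam raises in the thread); the distribution should be "stable" and the NMU bullet dropped. The indentation of the "Closes: #680118" line, and of the other two "Closes:" lines, is also flagged in the thread as oddly aligned and should be brought in line with the bullet each belongs to.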
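Review bot: the @@ -5,21 +5,20 @@ hunk of debian/security/ecran_securite.php only bumps _ECRAN_SECURITE from '1.0.10' to '1.1.3' (dated 3 juillet 2012) and rewrites comments, and the report itself says most of the changes in this file are comment rewrites; the referer XSS and PHP-injection fixes that the changelog credits to screen 1.1.3 are therefore not visible in the excerpt, so the functional part of this file's diff should be compared against upstream's 1.1.3 screen before the upload is accepted.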
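Review bot: in the context lines of the @@ -28,10 +27,11 @@ hunk, `foreach ($_GET as $var = $val)` and `strncmp($var,id_,3)` are not valid PHP as displayed (the `=>` of the foreach and the quotes around the 'id_' literal are missing); this looks like loss in the mailing-list rendering rather than in the file, but it is worth confirming against the actual debdiff since these lines implement the id_xxx intval() filter that the comment describes as blocking older exploits.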