Control: fixed -1 4.1.9+dfsg-1+deb12u4

From https://sources.debian.org/src/spip/4.1.9%2Bdfsg-1%2Bdeb12u4/debian/changelog/

    spip (4.1.9+dfsg-1+deb12u4) bookworm; urgency=medium

      * Backport security fix from 4.1.15
        - fix XSS in uploaded files using bigup

     -- David Prévot <taf...@debian.org>  Fri, 12 Jan 2024 13:42:36 +0100

    spip (4.1.9+dfsg-1+deb12u3) bookworm; urgency=medium

      * Backport security fix from 4.1.13
        - fix XSS when calling some templates

     -- David Prévot <taf...@debian.org>  Thu, 21 Dec 2023 19:24:13 +0100

The 4.1.13 backport was part of 4.1.9+dfsg-1+deb12u3, but it seems it
was not uploaded.

On Fri, 22 Dec 2023 16:57:40 +0100 Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: spip
> Version: 4.1.12+dfsg-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> Control: fixed -1 4.1.13+dfsg-1
> Control: found -1 4.1.9+dfsg-1+deb12u2
> Control: found -1 3.2.11-3+deb11u9
> 
> Filing a bug for tracking (as otherwise being an unspecified TEMP
> entry), as the issue has no CVE: 4.1.13 fixes an issue:
> 
>    * fix: templates inserted into a text automatically inherit the
>      context, without the editors' knowledge. Secure whatever would
>      come from variables sent by the user
> 
> https://tracker.debian.org/news/1488834/accepted-spip-4113dfsg-1-source-into-unstable/
> 
> Regards,
> Salvatore
