Bug#1005217: bullseye-pu: package spip/3.2.11-3+deb11u2

2022-02-19 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2022-02-09 at 03:30 -0400, David Prévot wrote:
> On 09/02/2022 at 03:04, David Prévot wrote:
> 
> >[x] attach debdiff against the package in (old)stable
> 
> For real now…

Please go ahead; thanks.

Regards,

Adam



Bug#1005217: bullseye-pu: package spip/3.2.11-3+deb11u2

2022-02-08 Thread David Prévot

> On 09/02/2022 at 03:04, David Prévot wrote:
> 
> >[x] attach debdiff against the package in (old)stable

For real now…

diff --git a/debian/changelog b/debian/changelog
index 5e67ca4afb..1b1f5f6fa7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,18 @@
+spip (3.2.11-3+deb11u2) bullseye; urgency=medium
+
+  * Document CVE fixed previously
+  * Backport security fixes (XSS) from 3.2.13
+
+ -- David Prévot   Sat, 05 Feb 2022 09:07:38 -0400
+
 spip (3.2.11-3+deb11u1) bullseye-security; urgency=high
 
   * Set up branch debian/bullseye
   * Backport security fixes from 3.2.12
-- SQL injections, remote code execution, XSS
+- SQL injections
+- remote code execution [CVE-2021-44123]
+- XSS [CVE-2021-44118] [CVE-2021-44120]
+- CSRF [CVE-2021-44122]
   * Don’t ship vcs-control-file
 
  -- David Prévot   Wed, 15 Dec 2021 17:11:29 -0400
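Review bot: the new 3.2.11-3+deb11u2 entry (`+  * Backport security fixes (XSS) from 3.2.13`) names no CVE identifiers for the backported XSS fixes, while the same hunk retroactively adds `[CVE-2021-44118] [CVE-2021-44120]` and friends to the deb11u1 entry; if CVE ids were assigned to the 3.2.13 fixes, listing them in the new entry (and in the corresponding patches' `Bug-Debian:` headers) keeps the changelog consistent and lets the security tracker match the upload. Minor: `* Document CVE fixed previously` covers four identifiers, so `CVEs` would read better.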
diff --git a/debian/patches/0006-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch b/debian/patches/0006-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch
index f60bc7beae..7f5f0a6922 100644
--- a/debian/patches/0006-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch
+++ b/debian/patches/0006-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch
@@ -8,6 +8,7 @@ Subject: Utiliser valider_url_distante() en plus de tester_url_absolue()
 (cherry picked from commit 9b8d1487ef067b5bdb2ce7365cc65d0e7ec0fa44)
 
 Origin: upstream, https://git.spip.net/spip/medias/commit/1a4b7024cf728ec531658967b374c5ec6f36ee42
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44118
 ---
  plugins-dist/medias/action/copier_local.php | 14 ++
  1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/debian/patches/0007-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch b/debian/patches/0007-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch
index 3200a5c557..1af6bfe4d9 100644
--- a/debian/patches/0007-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch
+++ b/debian/patches/0007-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch
@@ -11,6 +11,7 @@ Subject: Fix/refactoring query_echappe_textes() qui ne detectait parfois pas
 On modifie aussi l'usage dans req/mysql en privilegiant de garder la requete initiale intacte si il n'y a rien a faire dessus
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/fca83dc95ee279552382eeb5015d5dc3efed9de3
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44120
 ---
  ecrire/base/connect_sql.php | 47 -
  ecrire/req/mysql.php| 10 +-
diff --git a/debian/patches/0008-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch b/debian/patches/0008-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch
index e5b01c4190..fd40418ead 100644
--- a/debian/patches/0008-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch
+++ b/debian/patches/0008-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch
@@ -2,6 +2,7 @@ From: Cerdic 
 Date: Fri, 17 Sep 2021 17:39:04 +0200
 Subject: Simplifier la regexp, c'est pas plus mal (cfreal)
 
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44120
 ---
  ecrire/base/connect_sql.php | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
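Review bot: this header block has no `Origin:` line, unlike the 0006, 0007, 0009 and 0010 patches in this debdiff, which each cite the upstream commit URL; if 0008 is also cherry-picked from upstream, adding an `Origin: upstream, <commit URL>` line next to the new `Bug-Debian:` header would keep the DEP-3 metadata consistent across the series.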
diff --git a/debian/patches/0009-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch b/debian/patches/0009-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch
index f3271c3680..8664c37e94 100644
--- a/debian/patches/0009-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch
+++ b/debian/patches/0009-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch
@@ -7,6 +7,7 @@ Subject: Complement de 413ca3cc58 : _mysql_traite_query() s'appelle
  query_reinjecte_textes()
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/a4fdb3b8ec11f067a6d09512c6f31dbda7fd57c6
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44120
 ---
  ecrire/req/mysql.php | 19 +++
  1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/debian/patches/0010-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch b/debian/patches/0010-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch
index 90dca280de..99516e3a09 100644
--- a/debian/patches/0010-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch
+++ b/debian/patches/0010-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch
@@ -12,6 +12,7 @@ Subject: =?utf-8?q?Balise_=23FORMULAIRE_=3A_nettoyer_du_code_mort_qui_ne_se?=
  =?utf-8?q?issue=29?=
 
 Origin: upstream, https://git.spip.net/spip/spip/commit/fea5b5b4507cc9c0b9e91bbfbf34fe40b0bea805
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44122
 ---
  ecrire/balise/formulaire_.php | 13 +
  ecrire/public/aiguiller.php   | 23 ++-
diff --git a/debian/patches/0011-Nom-nom_site-et-bio-etant-des-champs-librement-modif.patch b/debian/patches/0011-Nom-nom_site-et-bio-etant-des-champs-librement-modif.patch
index 

Bug#1005217: bullseye-pu: package spip/3.2.11-3+deb11u2

2022-02-08 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Hi,

[ Reason ]
Two security issues (XSS) have been fixed in the latest upstream
version. As agreed with the security team, those are not worth a DSA.

[ Impact ]
Without these fixes, websites are vulnerable to already public XSS
issues.

[ Tests ]
I’ve deployed this version on a production server hosting about 35
websites.

[ Risks ]
Both fixes are pretty small.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards

David

