Le 09/02/2022 à 03:04, David Prévot a écrit :
[x] attach debdiff against the package in (old)stable
For real now…diff --git a/debian/changelog b/debian/changelog
index 5e67ca4afb..1b1f5f6fa7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,18 @@
+spip (3.2.11-3+deb11u2) bullseye; urgency=medium
+
+ * Document CVE fixed previously
+ * Backport security fixes (XSS) from 3.2.13
+
+ -- David Prévot Sat, 05 Feb 2022 09:07:38 -0400
+
spip (3.2.11-3+deb11u1) bullseye-security; urgency=high
* Set up branch debian/bullseye
* Backport security fixes from 3.2.12
-- SQL injections, remote code execution, XSS
+- SQL injections
+- remote code execution [CVE-2021-44123]
+- XSS [CVE-2021-44118] [CVE-2021-44120]
+- CSRF [CVE-2021-44122]
* Don’t ship vcs-control-file
-- David Prévot Wed, 15 Dec 2021 17:11:29 -0400
diff --git a/debian/patches/0006-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch b/debian/patches/0006-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch
index f60bc7beae..7f5f0a6922 100644
--- a/debian/patches/0006-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch
+++ b/debian/patches/0006-Utiliser-valider_url_distante-en-plus-de-tester_url_.patch
@@ -8,6 +8,7 @@ Subject: Utiliser valider_url_distante() en plus de tester_url_absolue()
(cherry picked from commit 9b8d1487ef067b5bdb2ce7365cc65d0e7ec0fa44)
Origin: upstream, https://git.spip.net/spip/medias/commit/1a4b7024cf728ec531658967b374c5ec6f36ee42
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44118
---
plugins-dist/medias/action/copier_local.php | 14 ++
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/debian/patches/0007-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch b/debian/patches/0007-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch
index 3200a5c557..1af6bfe4d9 100644
--- a/debian/patches/0007-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch
+++ b/debian/patches/0007-Fix-refactoring-query_echappe_textes-qui-ne-detectai.patch
@@ -11,6 +11,7 @@ Subject: Fix/refactoring query_echappe_textes() qui ne detectait parfois pas
On modifie aussi l'usage dans req/mysql en privilegiant de garder la requete initiale intacte si il n'y a rien a faire dessus
Origin: upstream, https://git.spip.net/spip/spip/commit/fca83dc95ee279552382eeb5015d5dc3efed9de3
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44120
---
ecrire/base/connect_sql.php | 47 -
ecrire/req/mysql.php| 10 +-
diff --git a/debian/patches/0008-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch b/debian/patches/0008-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch
index e5b01c4190..fd40418ead 100644
--- a/debian/patches/0008-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch
+++ b/debian/patches/0008-Simplifier-la-regexp-c-est-pas-plus-mal-cfreal.patch
@@ -2,6 +2,7 @@ From: Cerdic
Date: Fri, 17 Sep 2021 17:39:04 +0200
Subject: Simplifier la regexp, c'est pas plus mal (cfreal)
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44120
---
ecrire/base/connect_sql.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/patches/0009-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch b/debian/patches/0009-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch
index f3271c3680..8664c37e94 100644
--- a/debian/patches/0009-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch
+++ b/debian/patches/0009-Complement-de-413ca3cc58-_mysql_traite_query-s-appel.patch
@@ -7,6 +7,7 @@ Subject: Complement de 413ca3cc58 : _mysql_traite_query() s'appelle
query_reinjecte_textes()
Origin: upstream, https://git.spip.net/spip/spip/commit/a4fdb3b8ec11f067a6d09512c6f31dbda7fd57c6
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44120
---
ecrire/req/mysql.php | 19 +++
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/debian/patches/0010-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch b/debian/patches/0010-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch
index 90dca280de..99516e3a09 100644
--- a/debian/patches/0010-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch
+++ b/debian/patches/0010-Balise-FORMULAIRE-nettoyer-du-code-mort-qui-ne-sert-.patch
@@ -12,6 +12,7 @@ Subject: =?utf-8?q?Balise_=23FORMULAIRE_=3A_nettoyer_du_code_mort_qui_ne_se?=
=?utf-8?q?issue=29?=
Origin: upstream, https://git.spip.net/spip/spip/commit/fea5b5b4507cc9c0b9e91bbfbf34fe40b0bea805
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2021-44122
---
ecrire/balise/formulaire_.php | 13 +
ecrire/public/aiguiller.php | 23 ++-
diff --git a/debian/patches/0011-Nom-nom_site-et-bio-etant-des-champs-librement-modif.patch b/debian/patches/0011-Nom-nom_site-et-bio-etant-des-champs-librement-modif.patch
index