Your message dated Sat, 19 Nov 2011 21:29:58 +0000
with message-id <[email protected]>
and subject line Bug#649113: fixed in spip 2.1.1-3squeeze2
has caused the Debian Bug report #649113,
regarding spip: New version (2.1.12) fixes several security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
649113: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649113
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: spip
Version: 2.1.1-3squeeze1
Severity: important
Tags: security upstream

Hi,

The last SPIP upstream version (2.1.12) fixes several security issues.
The most severe one allows a privilege escalation: an unauthorized
member can become administrator (with full access to the SPIP website).
This version also fixes a cross site scripting (XSS) and a full path
disclosure. [0]

Unfortunately, the security screen file added recently in the package to
fix previous security issues could not be updated by upstream authors
(“it was not possible to produce a light code to fix those three
issues”).

  0: http://archives.rezo.net/archives/spip-ann.mbox/GFZZLMG4ZO5MA4KWQ77XEHDM27ZRMCQH/

I'm preparing a package for Sid and will upload it ASAP, but I'm not
sure it will be easy to backport the other 2.1.11 to 2.1.12 changes in
the 2.1.1 version currently in Squeeze; I'll update this bug report
after further investigation or get directly in touch with the security
team when ready.

Regards

David

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (600, 'unstable'), (500, 'testing'), (500, 'stable'), (150, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages spip depends on:
ii  apache2-mpm-prefork [httpd]  2.2.21-2    
ii  debconf [debconf-2.0]        1.5.41      
ii  libjs-jquery                 1.6.4-1     
ii  lighttpd [httpd]             1.4.29-1    
ii  php-html-safe                0.10.1-1    
ii  php5                         5.3.8.0-1   
ii  php5-mysql                   5.3.8.0-1+b1

Versions of packages spip recommends:
ii  imagemagick                      8:6.6.9.7-5+b2
ii  mysql-server                     5.1.58-1      
ii  mysql-server-5.1 [mysql-server]  5.1.58-1      
ii  netpbm                           2:10.0-15     

spip suggests no packages.

-- debconf information excluded



--- End Message ---
--- Begin Message ---
Source: spip
Source-Version: 2.1.1-3squeeze2

We believe that the bug you reported is fixed in the latest version of
spip, which is due to be installed in the Debian FTP archive:

spip_2.1.1-3squeeze2.diff.gz
  to main/s/spip/spip_2.1.1-3squeeze2.diff.gz
spip_2.1.1-3squeeze2.dsc
  to main/s/spip/spip_2.1.1-3squeeze2.dsc
spip_2.1.1-3squeeze2_all.deb
  to main/s/spip/spip_2.1.1-3squeeze2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <[email protected]> (supplier of updated spip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 17 Nov 2011 22:08:36 -0400
Source: spip
Binary: spip
Architecture: source all
Version: 2.1.1-3squeeze2
Distribution: stable-security
Urgency: high
Maintainer: SPIP packaging team <[email protected]>
Changed-By: David Prévot <[email protected]>
Description: 
 spip       - website engine for publishing
Closes: 649113
Changes: 
 spip (2.1.1-3squeeze2) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Updated security screen. Prevent a cross site scripting.
   * Backport patches from 2.1.12. Fixes a privilege escalation and a cross
     site scripting.
   Closes: #649113
Checksums-Sha1: 
 08ac936f50bf9911dbd361a249ed49d6e69b8f93 1165 spip_2.1.1-3squeeze2.dsc
 6f9538ea8aeef4b9b6b90c734ce27c9019589220 16985 spip_2.1.1-3squeeze2.diff.gz
 c791d8e96c8559ceea7639d1e98cfcacc6f6ae25 3864328 spip_2.1.1-3squeeze2_all.deb
Checksums-Sha256: 
 53e0ce96ffdda1538f128162a1486de3c4695041f4b3d44cbe7f5c6c60300ead 1165 spip_2.1.1-3squeeze2.dsc
 75e0394ab653a6496931e3e8712929f3d5dc535316c388003fb5c87537644143 16985 spip_2.1.1-3squeeze2.diff.gz
 014c1197c9b55269377b488eb045833c2e448bde5c5f6355b583ccf119948e1b 3864328 spip_2.1.1-3squeeze2_all.deb
Files: 
 374bccfe6cb6269cf0d2485d52d0e11c 1165 web extra spip_2.1.1-3squeeze2.dsc
 deff1ca2d039ae87fe96e7ce75d60fa1 16985 web extra spip_2.1.1-3squeeze2.diff.gz
 32c5be5003339b480eaf8a2cea54f433 3864328 web extra spip_2.1.1-3squeeze2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk7GxJcACgkQXm3vHE4uyloCEgCfQrTSda9G303bNofZjstNqh1L
BXIAn3lL5C5mG+Q5OLDbXXmEbdO7SE5w
=gZgW
-----END PGP SIGNATURE-----



--- End Message ---