Ah no, I hadn't seen it go by, but it's for two old things from 2.8.2, so no big deal :-)
Thanks for worrying about it, Jean-Michel.

2016-03-08 13:51 GMT+01:00 Jean-Michel Royer <[email protected]>:
> It landed in my spam folder, did you see it?
>
> ---------- Forwarded message ----------
> From: Aymeric (APLU) <[email protected]>
> Date: 2016-03-07 11:22 GMT+01:00
> Subject: [Dotclear Dev] Fwd: [oss-security] Re: CVE Request: Dotclear: XSS vulnerability in comments management page and media exclusion control enforcement
> To: [email protected]
>
> Hello,
>
> For your information, two CVEs have been assigned to Dotclear for security fixes made in 2.8.2.
>
> Aymeric.
>
> -------- Original Message --------
> Subject: [oss-security] Re: CVE Request: Dotclear: XSS vulnerability in comments management page and media exclusion control enforcement
> Date: 2016-03-07 04:04
> From: [email protected]
> To: [email protected]
> Cc: [email protected], [email protected]
> Reply-To: [email protected]
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > Dotclear, a web publishing software, fixed a cross-site scripting
> > vulnerability in 2.8.2. Additionally the media exclusion control in the
> > media manager was further enforced:
> >
> > https://dotclear.org/blog/post/2015/10/25/Dotclear-2.8.2
> >
> > The XSS vulnerability was fixed with
> >
> > https://hg.dotclear.org/dotclear/rev/65e65154dadf
> >
> > admin/comments.php
> > - form::hidden(array('author'),preg_replace('/%/','%%',$author)).
> > +
> > > form::hidden(array('author'),html::escapeHTML(preg_replace('/%/','%%',$author))).
> >
> > Use CVE-2015-8831.
>
> > The second mentioned issue was addressed with
> >
> > https://hg.dotclear.org/dotclear/rev/198580bc3d80
> >
> > inc/core/class.dc.core.php
> > - array('media_exclusion','string','/\.php[0-9]*$/i',
> > + array('media_exclusion','string','/\.(phps?|pht(ml)?|phl)[0-9]*$/i',
> >
> > Use CVE-2015-8832.
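Review bot: in the admin/comments.php hunk the fix wraps the author value in html::escapeHTML() before it is written into the hidden input, and the ordering is right: the %-doubling runs first and escapeHTML() does not touch the percent sign, so the stored filter value is unchanged and only the HTML context is protected. The hunk shows a single field, though; the review should confirm whether the sibling form::hidden() calls on the same page that reflect user-controlled filter values received the same escaping, since a one-line fix to one field leaves that open.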
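Review bot: the inc/core/class.dc.core.php hunk only widens a blocklist, from `/\.php[0-9]*$/i` to `/\.(phps?|pht(ml)?|phl)[0-9]*$/i`, and it is still matched against the end of the filename, so its protection depends on which extensions the web server's handler configuration actually executes. Since the changed line looks like the default of a stored `media_exclusion` setting rather than a hard-coded check, the release note should say whether an upgrade step rewrites the value on existing installations or whether administrators need to update the setting themselves to match their server's handler mapping.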
> - --
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
> [ A PGP key is available for encrypted communications at
> http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> -----END PGP SIGNATURE-----
> --
> Dev mailing list - [email protected] -
> http://ml.dotclear.org/listinfo/dev

-- 
Franck — Operating Crocker’s rules (http://sl4.org/crocker.html)
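An added example, not code from the thread or from Dotclear: a Python script that loads the old and new `media_exclusion` defaults quoted in the CVE assignment above, in the PHP-delimited form the setting is written in, and runs constructed upload names through both, so a reviewer can see exactly which names the tightened default now refuses. The `compile_php_regex()` helper and the sample names are my own assumptions, not Dotclear code.

```python
import re

# The two media_exclusion defaults quoted in the CVE assignment above,
# kept in the PHP-delimited form ('/body/flags') Dotclear stores them in.
MEDIA_EXCLUSION_OLD = r"/\.php[0-9]*$/i"
MEDIA_EXCLUSION_NEW = r"/\.(phps?|pht(ml)?|phl)[0-9]*$/i"


def compile_php_regex(setting: str) -> re.Pattern:
    """Turn a PHP-style delimited pattern into a compiled Python regex.

    Assumption (hypothetical helper): only the delimiter pair and the 'i'
    flag are needed for these two values; any other PCRE flag is rejected
    rather than silently ignored.
    """
    if len(setting) < 2:
        raise ValueError("pattern too short to carry delimiters")
    delim = setting[0]
    end = setting.rfind(delim)
    if end <= 0:
        raise ValueError("missing closing delimiter")
    body, flags = setting[1:end], setting[end + 1:]
    if set(flags) - {"i"}:
        raise ValueError(f"unsupported PCRE flags: {flags!r}")
    return re.compile(body, re.IGNORECASE if "i" in flags else 0)


OLD = compile_php_regex(MEDIA_EXCLUSION_OLD)
NEW = compile_php_regex(MEDIA_EXCLUSION_NEW)


def is_excluded(filename: str, pattern: re.Pattern = NEW) -> bool:
    """True when the pattern would make the media manager refuse this name."""
    return pattern.search(filename) is not None


def compare_defaults(filenames):
    """Map each name to (blocked by old default, blocked by new default)."""
    return {name: (is_excluded(name, OLD), is_excluded(name, NEW))
            for name in filenames}


# Constructed sample upload names; they are not taken from the thread.
SAMPLE_NAMES = ["photo.jpg", "shell.php", "shell.PHP5", "shell.phtml",
                "shell.phps", "shell.pht", "shell.phl"]

if __name__ == "__main__":
    for name, (old, new) in compare_defaults(SAMPLE_NAMES).items():
        print(f"{name:12s} old={old!s:5s} new={new!s:5s}")
```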
