Date: Sun, 10 Nov 2013 07:23:36 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: taffit@...ian.org, team@...urity.debian.org
Subject: CVE Request: multiple vulnerabilities in spip

Hi

(Cc'ing David Prévot, maintainer in Debian for the spip package; I'm not a
native French speaker, so he might help get it right)

Upstream for SPIP, a website engine for publishing, fixed the following
issues in their upstream release for 2.1.24 (and 3.0.12):

- cross-site request forgery on logout. The patch adds a confirmation
  button when logging out.
  commit for 2.1.24: http://core.spip.org/projects/spip/repository/revisions/20874
  3.0.x did not contain the fix, and is probably not affected (David, can
  you confirm?)

- cross-site scripting on author page:
  commit for 2.1.24: http://core.spip.org/projects/spip/repository/revisions/20880
  commit for 3.0.12: http://core.spip.org/projects/spip/repository/revisions/20879

- updates the security screen for possible PHP injection (updates the
  "Écran de sécurité" to version 1.1.8):
  commit: http://zone.spip.org/trac/spip-zone/changeset/75105/_core_/securite/ecran_securite.php

References:
- http://bugs.debian.org/729172
- http://www.spip.net/fr_article5646.html (2.1.24; French)
- http://www.spip.net/fr_article5648.html (3.0.12; French)

Regards,
Salvatore

[Attachment: signature.asc, application/pgp-signature, 837 bytes]
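Added illustration (not SPIP's code and not taken from the commits linked above) of the logout CSRF class named in the first bullet and of the confirmation-button mitigation the report describes. The two handlers, the in-memory session dict and the `demo()` walkthrough are all hypothetical and constructed for this example; a real application would back `SESSIONS` with its own session store.

```python
"""Logout CSRF: an unprotected GET logout beside a confirmation-form logout.

Hypothetical handlers for illustration only; not SPIP's code. SESSIONS is a
constructed in-memory stand-in for a real session backend.
"""
import hmac
import secrets

# Constructed in-memory session store: session id (cookie value) -> session data.
SESSIONS = {}


def new_session(user):
    """Create a logged-in session and return its id (what the cookie carries)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def logout_unprotected(method, session_id):
    """Vulnerable pattern: any request to /logout ends the session.

    The browser attaches the session cookie to a cross-site GET (for example
    an image load) automatically, so a third-party page can log the user out.
    """
    if session_id in SESSIONS:
        del SESSIONS[session_id]
    return 302, "redirect:/"


def logout_with_confirmation(method, session_id, form=None):
    """Hardened pattern: GET renders a confirmation form carrying a per-session
    token; only a POST that echoes that token ends the session.
    Returns (status, body)."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return 302, "redirect:/login"
    if method == "GET":
        # The confirmation button; the hidden token is bound to this session
        # and is not readable by another origin.
        body = (
            '<form method="post" action="/logout">'
            f'<input type="hidden" name="csrf" value="{sess["csrf"]}">'
            '<button type="submit">Confirm logout</button></form>'
        )
        return 200, body
    if method == "POST":
        token = (form or {}).get("csrf", "")
        # Constant-time comparison so the check does not leak timing.
        if not hmac.compare_digest(token, sess["csrf"]):
            return 403, "logout refused: missing or invalid CSRF token"
        del SESSIONS[session_id]
        return 302, "redirect:/"
    return 405, "method not allowed"


def demo():
    """Run both handlers through the same cross-site GET and report outcomes."""
    sid = new_session("alice")
    logout_unprotected("GET", sid)
    victim_logged_out = sid not in SESSIONS

    sid = new_session("bob")
    status, _ = logout_with_confirmation("GET", sid)
    still_logged_in = sid in SESSIONS
    forged = logout_with_confirmation("POST", sid, {"csrf": "guess"})
    token = SESSIONS[sid]["csrf"]
    confirmed = logout_with_confirmation("POST", sid, {"csrf": token})
    return {
        "unprotected_get_logs_out": victim_logged_out,
        "confirmation_get_status": status,
        "still_logged_in_after_get": still_logged_in,
        "forged_post_status": forged[0],
        "confirmed_post_status": confirmed[0],
        "logged_out_after_confirm": sid not in SESSIONS,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the confirmation form makes concrete: the cross-site request can still reach `/logout`, but it can only obtain the confirmation page, never the session-bound token that the POST requires, so the session survives until the user clicks the button themselves.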