Debian-LTS alert DLA-760-1 (spip)
From: Jonas Meurer <mejo@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 760-1] spip security update
Date: Sun, 25 Dec 2016 00:10:57 +0100
Message-ID: <fdaec002-5fe2-be16-7f9f-4d0e4144299a@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : spip
Version        : 2.1.17-1+deb7u8
CVE ID         : CVE-2016-9997 CVE-2016-9998
Debian Bug     : 848641

Multiple reflected cross-site scripting (XSS) vulnerabilities have been
discovered in SPIP, a website publishing engine written in PHP.

CVE-2016-9997

    It was discovered that the 'id' parameter to the puce_statut action
    is not sanitized properly. An attacker could inject arbitrary HTML
    code by tricking an authenticated SPIP user into opening a specially
    crafted URL.

CVE-2016-9998

    It was discovered that the 'plugin' parameter to the info_plugin
    action is not sanitized properly. An attacker could inject arbitrary
    HTML code by tricking an authenticated SPIP user into opening a
    specially crafted URL.

For Debian 7 "Wheezy", these problems have been fixed in version
2.1.17-1+deb7u8.

We recommend that you upgrade your spip packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -- 
Jonas Meurer
-----BEGIN PGP SIGNATURE-----

iQJEBAEBCAAuFiEELIzSg9Pv30M4kOeDUmLn/0kQSf4FAlhfAIEQHG1lam9AZGVi
aWFuLm9yZwAKCRBSYuf/SRBJ/q2hD/9s3hx3LyloQrd04fayenUi/gbSulVPyFAc
Xa/Z4Au9CeXvrVJUWxa20kFVuHJEJc0W/CoHCfhU7bHjvD+5qvyLDW3tLwFcPyUE
JDqL0fugbeARalEr6r6rkY2J8kyr7AgALWkGTVt+ekRmPgAUv3mXziqmylBKAJMn
yP65fmO1w5fnx3qxpdQcT2I2OnXtpxxCrngK4y2rwsgy6KZgVZnHfzs1T1lmY/UZ
olH6dzOov3QkR5zPCdMSNVgt6jsXPQeaQOq5WWkA6t+cQIjTuPcLOZmPCsGvFWEx
dq0MTRkgQA1i359+m02HMAzs3CE0EeOp3VR7Blyq49cTDG7t5aaBOT8MIuj4vTKi
PcOQdC3vPz4PWzMPA0rslYcTtx7vja6Kr47HVuJrQNu6pl4awNOosUhSYPzMTxyt
FRgEr41UUpFIz4d6L1MFz7/IXLLkG7PGRIF93PUtwwGLCPHsFx9lkVO4CyjBFiRx
OMOkVkLquW4sMTLd6Q73S0YmlKKa5SXq+ek3KP9mZ+8Og/IK1TSjwE3xi3Amqxc7
PdmHL+CoK80UiMMIZP2rp91C3Ad5Hu6qoDzaF6BeVz7ZM/hfvyxxUnC5xnIJhaNK
l3YRdQ4/Ncvfn1y1Kj3W0aD646vBjgOtnawh4qUI3j6lLblShQn7Et1SfIhrwf1f
af92DxhOBA==
=W2BU
-----END PGP SIGNATURE-----
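The advisory describes two reflected XSS sinks but gives no way to confirm that an upgrade actually closed them. The following probe is an added example for this page; it is not SPIP code and not part of the advisory. It sends a canary made of the four HTML metacharacters through each (action, parameter) pair the advisory names and classifies how the response reflects it, so an escaped reflection after the update is distinguishable from a raw one before it. Assumptions, not taken from the advisory: SPIP's private-area actions are reachable as `ecrire/?action=<action>&<param>=<value>`, and the caller's `fetch()` already carries an authenticated SPIP session, since the advisory says the injected HTML is rendered for an authenticated user.

```python
"""Reflected-XSS regression probe for the two parameters named in DLA-760-1.

Added example for this page; it is not SPIP's code and not part of the
advisory. Assumptions: SPIP's private-area actions are reachable as
ecrire/?action=<action>&<param>=<value> (hypothetical URL layout), and
fetch(url) returns the body of a request made with an authenticated SPIP
session.
"""
import html
import re
from urllib.parse import urlencode, urljoin

# (action, parameter) pairs taken from the advisory text.
ADVISORY_PARAMS = [("puce_statut", "id"), ("info_plugin", "plugin")]

# Canary: a unique token, the four metacharacters an HTML escaper must
# neutralise, and an end marker so a truncated reflection is detectable.
TOKEN = "dla760"
META = '<"\'>'
END = "end"
CANARY = TOKEN + META + END

# Named, decimal and hexadecimal character references.
ENTITY = re.compile(r"&(?:#x[0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);")


def build_probe_url(base, action, param, canary=CANARY):
    """URL that reflects the canary through one advisory parameter."""
    return urljoin(base, "ecrire/") + "?" + urlencode({"action": action, param: canary})


def classify_reflection(body, token=TOKEN, meta=META, end=END):
    """How the page reflected the canary.

    'absent'   token not in the response (parameter not echoed here)
    'escaped'  every metacharacter came back as a character reference
    'raw'      every metacharacter came back verbatim (vulnerable)
    'partial'  some raw, some escaped or dropped (still injectable)
    'stripped' metacharacters removed, nothing raw
    'mangled'  end marker missing: reflection truncated, inspect by hand
    """
    idx = body.find(token)
    if idx < 0:
        return "absent"
    pos = idx + len(token)
    raw = escaped = 0
    for ch in meta:
        if body.startswith(ch, pos):          # verbatim metacharacter
            raw += 1
            pos += 1
            continue
        m = ENTITY.match(body, pos)
        if m and html.unescape(m.group(0)) == ch:   # properly encoded
            escaped += 1
            pos = m.end()
        # otherwise the character was dropped; do not advance
    if not body.startswith(end, pos):
        return "mangled"
    if raw == len(meta):
        return "raw"
    if raw:
        return "partial"
    if escaped == len(meta):
        return "escaped"
    return "stripped"


def probe(base, fetch, params=ADVISORY_PARAMS):
    """Return {(action, param): verdict}; 'raw' and 'partial' are findings."""
    return {(a, p): classify_reflection(fetch(build_probe_url(base, a, p)))
            for a, p in params}


if __name__ == "__main__":
    # Constructed responses standing in for a live server: one sink still
    # echoes the value verbatim, the other escapes it the way the fix should.
    fake = {
        "puce_statut": "<td>" + CANARY + "</td>",
        "info_plugin": "<td>" + html.escape(CANARY, quote=True) + "</td>",
    }

    def fetch(url):
        for action, body in fake.items():
            if "action=" + action in url:
                return body
        return ""

    for key, verdict in probe("http://spip.example/", fetch).items():
        print(key, verdict)
```

Run it against a staging copy before and after installing 2.1.17-1+deb7u8 with a `fetch()` that reuses a logged-in session cookie; the `mangled` verdict exists so that a filter which truncates at the first `<` is not mistaken for a clean escape.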