Re: Bug#426069: ITP: spip -- website engine for publishing
Le Saturday 26 May 2007 14:19:04 Romain Beauxis, vous avez écrit :
> I've been trought the previous spip bugs, and it seems that missing
> security support was mostly because of MIA maintainer that anything else.
> As for what I've seen from SPIP devel activities, they seem very active and
> responsive, and they provide a track system for bug report and etc..
> However, I'll contact them and ask for their commitment to solving seciruty
> issues, but I'm quite sure that the main issue remains in the hand of the
> maintainer, to be able to update the package as soon as they fix anything..
i started to work on SPIP some time ago and due to lack of time to properly
package and maintain, i stopped. I completely agree with you, upstream is
very responsive and SPIP have a proper security support.
my changelog if it can save you some minutes:
* New upstream release (Closes: #322343)
* CVE-2006-0517: Multiple SQL injection vulnerabilities (Closes: #351334)
* CVE-2006-0518: Cross-site scripting (XSS) vulnerability (Closes:#351335)
* CVE-2006-0519: allows remote attackers to obtain sensitive
information via a request (Closes: #351336)
* CVE-2006-0625: SQL injection vulnerability in Spip_acces_doc.PHP
* CVE-2006-0626: SQL injection vulnerability in Spip_acces_doc.PHP
* CVE-2005-4494: XSS in spip_login.php3 and spip_pass.php3 (Closes:
* Added apache2 to Depends (Closes: #281118)
* Added mysql-server to Depends (Closes: #310116)
* Added debconf-2.0 to Depends (Closes: #332100)
* Fixed typo in long description (Closes: #277249)
Thanks to put this nice piece of software in Debian.
totaly agree with you.