
Re: Bug#426069: ITP: spip -- website engine for publishing



On Saturday 26 May 2007 14:19:04 Romain Beauxis, you wrote:
> I've been through the previous spip bugs, and it seems that missing
> security support was mostly because of MIA maintainer than anything else.
>
> As for what I've seen from SPIP devel activities, they seem very active and
> responsive, and they provide a track system for bug report and etc..
>
> However, I'll contact them and ask for their commitment to solving security
> issues, but I'm quite sure that the main issue remains in the hand of the
> maintainer, to be able to update the package as soon as they fix anything..
>
> Romain

Hi,

I started to work on SPIP some time ago and due to lack of time to properly
package and maintain, I stopped. I completely agree with you, upstream is
very responsive and SPIP has proper security support.

My changelog, if it can save you some minutes:
  * New upstream release (Closes: #322343)
    * CVE-2006-0517: Multiple SQL injection vulnerabilities (Closes: #351334)
    * CVE-2006-0518: Cross-site scripting (XSS) vulnerability (Closes:#351335)
    * CVE-2006-0519: allows remote attackers to obtain sensitive
      information via a request (Closes: #351336)
    * CVE-2006-0625: SQL injection vulnerability in Spip_acces_doc.PHP
      (Closes: #352076)
    * CVE-2006-0626: SQL injection vulnerability in Spip_acces_doc.PHP
      (Closes: #352077)
    * CVE-2005-4494: XSS in spip_login.php3 and spip_pass.php3
      (Closes: #352078)
  * Added apache2 to Depends (Closes: #281118)
  * Added mysql-server to Depends (Closes: #310116)
  * Added debconf-2.0 to Depends (Closes: #332100)
  * Fixed typo in long description (Closes: #277249)

Thanks for putting this nice piece of software in Debian.

cheers,

Fathi
totally agree with you.


