Bug#682808: pu: package spip/2.1.1-3squeeze4
Control: tags 682808 + squeeze confirmed
On Wed, 2012-07-25 at 16:16 -0400, David Prévot wrote:
> The spip package currently in stable is vulnerable to some security
> issues (#677290, #672961, #680118), the last one being pretty nasty…
>
> Having no answer from the security team, I hereby propose this update
> via the upcoming point release. As in #680381, the attached debdiff is
> pretty thin: most of the changes, in the security screen file, are due
> to rewritten comments.
+spip (2.1.1-3squeeze4) stable-security; urgency=low
+
+ * Non-maintainer upload by the Security Team.
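Review bot: urgency=low on the header line reads oddly for an upload whose entries fix cross site scripting and PHP injection, and which the request above calls "pretty nasty". Security fixes are conventionally uploaded with a higher urgency, so consider raising it, even if the value changes little in practice for a point release.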
Please s/-security// and drop the NMU comment.
+ * Updated security screen to 1.1.3. Prevent cross site scripting on referer
+ (addresses missing bits of [CVE-2012-2151]), cross site scripting and PHP
+ injections in internal functions.
+ Closes: #680118
The alignment of the Closes: item here looks slightly odd, imho (as do
the others).
Please go ahead; thanks.
Regards,
Adam