Bug#682808: pu: package spip/2.1.1-3squeeze4

To: David Prévot <taffit@debian.org>, 682808@bugs.debian.org
Subject: Bug#682808: pu: package spip/2.1.1-3squeeze4
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Sat, 28 Jul 2012 20:40:30 +0100
Message-id: <1343504430.18013.101.camel@jacala.jungle.funky-badger.org>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 682808@bugs.debian.org
In-reply-to: <20120725201634.17380.11187.reportbug@mikado.tilapin.org>
References: <20120725201634.17380.11187.reportbug@mikado.tilapin.org>

Control: tags 682808 + squeeze confirmed

On Wed, 2012-07-25 at 16:16 -0400, David Prévot wrote:
> The spip package currently in stable is vulnerable to some security
> issues (#677290, #672961, #680118), the last one being pretty nasty…
> 
> Having no answer from the security team, I hereby propose this update
> via the upcoming point release. As in #680381, the attached debdiff is
> pretty thin: most of the changes, in the security screen file, are due
> to rewritten comments.

+spip (2.1.1-3squeeze4) stable-security; urgency=low
+
+  * Non-maintainer upload by the Security Team.

Please s/-security// and drop the NMU comment.

+  * Updated security screen to 1.1.3. Prevent cross site scripting on referer
+    (addresses missing bits of [CVE-2012-2151]), cross site scripting and PHP
+    injections in internal functions.
+  Closes: #680118

The alignment of the Closes: item here looks slightly odd, imho (as do
the others).

Please go ahead; thanks.

Regards,

Adam

Reply to:

Follow-Ups:
- Bug#682808: pu: package spip/2.1.1-3squeeze4
  - From: David Prévot <taffit@debian.org>

References:
- Bug#682808: pu: package spip/2.1.1-3squeeze4
  - From: David Prévot <taffit@debian.org>

Prev by Date: Fixing mess involving emacs23, emacs24, and the emacs metapackage
Next by Date: Processed: Re: Bug#682808: pu: package spip/2.1.1-3squeeze4
Previous by thread: Bug#682808: pu: package spip/2.1.1-3squeeze4
Next by thread: Bug#682808: pu: package spip/2.1.1-3squeeze4
Index(es):
- Date
- Thread