Control: retitle -1 spip: CVE-2017-9736: remote code execution

On Sat, Jun 17, 2017 at 08:39:10AM +0200, Salvatore Bonaccorso wrote:
> Source: spip
> Version: 3.1.4-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Control: fixed -1 3.1.4-2
>
> As per
>
> https://contrib.spip.net/CRITICAL-security-update-SPIP-3-1-6-and-SPIP-3-2-Beta?var_zapl=non
> > A CRITICAL flaw was discovered recently in SPIP, allowing the
> > execution of arbitrary code.
> >
> > It affects SPIP 3.1.x and 3.2 versions (alpha & beta), and impacts all
> > websites using these versions.
> > SPIP 3.0.x and earlier versions are not affected by this issue.
> >
> > It is imperative to update your SPIP website as soon as possible.
> >
> > In the meantime, the security screen version 1.3.2 will block possible
> > exploitations of the vulnerability. Updating the security screen
> > remains a transitional measure that should not prevent you from
> > updating SPIP as soon as possible.
> >
> > The team thanks Emeric Boit and ANSSI for identifying and reporting
> > the issue.
>
> and since there is no CVE to track the issue, filing the bug in the
> BTS even though already fixed in unstable.

CVE-2017-9736 was assigned for this issue.

Regards,
Salvatore