Your message dated Tue, 18 Jan 2011 20:47:42 +0000
with message-id <e1pfiss-0004dd...@franck.debian.org>
and subject line Bug#609212: fixed in spip 2.1.1-3
has caused the Debian Bug report #609212,
regarding spip: Cross-Site Scripting and other security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
609212: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609212
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: spip
Version: 2.1.1-2
Severity: grave
Tags: security upstream patch
Justification: user security hole

Hi,

Version 2.1.6, released Monday, corrects various security issues [1].
According to the changelog [2], these should be addressed by r16879 [3],
r16880 [4] and r16884 [5].

  1: http://archives.rezo.net/archives/spip-ann.mbox/GLOR4XJWY2W46N7PVXDF6YYOZGYF427P/
  2: http://core.spip.org/projects/spip/repository/entry/branches/spip-2.1/CHANGELOG.txt
  3: http://core.spip.org/projects/spip/repository/revisions/16879/diff/branches/spip-2.1/
  4: http://core.spip.org/projects/spip/repository/revisions/16880/diff/branches/spip-2.1/
  5: http://core.spip.org/projects/spip/repository/revisions/16884/diff/branches/spip-2.1/

Regards

David

-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (600, 'unstable'), (500, 'testing'), (500, 'stable'), (150, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.36-trunk-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages spip depends on:
ii  apache2-mpm-prefork [httpd]   2.2.16-6   Apache HTTP Server - traditional n
ii  debconf [debconf-2.0]         1.5.37     Debian configuration management sy
ii  libjs-jquery                  1.4.2-2    JavaScript library for dynamic web
ii  lighttpd [httpd]              1.4.28-2   A fast webserver with minimal memo
ii  php-html-safe                 0.10.0-1   strip down all potentially dangero
ii  php5                          5.3.3-7    server-side, HTML-embedded scripti
ii  php5-mysql                    5.3.3-7    MySQL module for php5

Versions of packages spip recommends:
ii  imagemagick               8:6.6.0.4-3    image manipulation programs
ii  mysql-server              5.1.49-3       MySQL database server (metapackage
ii  mysql-server-5.1 [mysql-s 5.1.49-3       MySQL database server binaries and
ii  netpbm                    2:10.0-12.2+b1 Graphics conversion tools between 

spip suggests no packages.

-- debconf information excluded



--- End Message ---
--- Begin Message ---
Source: spip
Source-Version: 2.1.1-3

We believe that the bug you reported is fixed in the latest version of
spip, which is due to be installed in the Debian FTP archive:

spip_2.1.1-3.diff.gz
  to main/s/spip/spip_2.1.1-3.diff.gz
spip_2.1.1-3.dsc
  to main/s/spip/spip_2.1.1-3.dsc
spip_2.1.1-3_all.deb
  to main/s/spip/spip_2.1.1-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 609...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Beauxis <to...@rastageeks.org> (supplier of updated spip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 18 Jan 2011 14:01:35 -0600
Source: spip
Binary: spip
Architecture: source all
Version: 2.1.1-3
Distribution: unstable
Urgency: high
Maintainer: SPIP packaging team <spip-maintain...@lists.alioth.debian.org>
Changed-By: Romain Beauxis <to...@rastageeks.org>
Description: 
 spip       - website engine for publishing
Closes: 609212 610016
Changes: 
 spip (2.1.1-3) unstable; urgency=high
 .
   * Added security screen file (ecran_securite.php).
   Fixes all known security issues in spip.
   Closes: #609212, Closes: #610016
Checksums-Sha1: 
 66c48f6d1cd6f8a3d0d53ce5c28f556463a910a4 1392 spip_2.1.1-3.dsc
 e238ca2e7583edb2d3b2a9fbf027b97d77817c98 15686 spip_2.1.1-3.diff.gz
 bed552ee7ecd877742250aeb523822a7ced26d03 3842542 spip_2.1.1-3_all.deb
Checksums-Sha256: 
 47cd6be3ed0251e001a44a8fb3803abe64ce7572ced66f6313981945e7abd0ba 1392 
spip_2.1.1-3.dsc
 e18e6942abbcfe60909e6998641cb9ecdf0fc6f6348d9b447cfe379dccff8409 15686 
spip_2.1.1-3.diff.gz
 d86ccdfd18a4f9a4b11be5df35a2299ef84e3bfc626a3af1a9beee53f2693a17 3842542 
spip_2.1.1-3_all.deb
Files: 
 700732bb29fc81034db159db4bff5a22 1392 web extra spip_2.1.1-3.dsc
 82999d9e7318ff1212e84e6a1fb62129 15686 web extra spip_2.1.1-3.diff.gz
 01040046f7576dd2b336bd967961ab03 3842542 web extra spip_2.1.1-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----



--- End Message ---
