Format: 1.8
Date: Wed, 26 Apr 2017 18:02:00 -1000
Source: spip
Binary: spip
Architecture: source all
Version: 3.0.17-2+deb8u3
Distribution: jessie
Urgency: medium
Maintainer: SPIP packaging team <spip-maintainers@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description:
 spip - website engine for publishing
Closes: 847156 848641
Changes:
 spip (3.0.17-2+deb8u3) jessie; urgency=medium
 .
   * Document CVE in previous changelog entry
   * Update security screen to 1.3.0
   * Backport security fixes from 3.0.23
     - Multiple XSS issues
   * Backport security fixes from 3.0.24
     - Server side request forgery (SSRF) attacks via the var_url parameter
       [CVE-2016-7999]
     - Directory traversal vulnerability in ecrire/exec/valider_xml.php
       [CVE-2016-7982]
     - Execution of arbitrary PHP code by authenticated users
       [CVE-2016-7998]
     - Cross-site request forgery (CSRF) vulnerability in
       ecrire/exec/valider_xml.php [CVE-2016-7980]
     - Cross-site scripting (XSS) vulnerability in valider_xml.php
       [CVE-2016-7981]
   * Backport security fixes from 3.2-alpha-1
     - Reflected Cross Site Scripting Vulnerabilities in
       /ecrire/exec/puce_statut.php and /ecrire/exec/info_plugin.php
       [CVE-2016-9997] [CVE-2016-9998] (Closes: #848641)
     - Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php
       [CVE-2016-9152] (Closes: #847156)
   * Backport security fix from 3.0.25
     - Execution of arbitrary PHP code
Checksums-Sha1:
 ddc9a01e1c5919fc83d867a986bff44c5fc98ba8 1610 spip_3.0.17-2+deb8u3.dsc
 45e661b38a07c0c2adb41aa0e34a4860df5f9531 86352 spip_3.0.17-2+deb8u3.debian.tar.xz
 87538f8a0bf06c55fb6b1a9d4a564541071963f1 4825086 spip_3.0.17-2+deb8u3_all.deb
Checksums-Sha256:
 443b826d5a735020ce5d98a006693e08fca0d0493a91e182429f2f8e68a1920e 1610 spip_3.0.17-2+deb8u3.dsc
 9d933ba9881693cff92a71bae79116ac133d7efbc9f8ec21d2c625d99114c52e 86352 spip_3.0.17-2+deb8u3.debian.tar.xz
 0bda8755a4ded2a3cac04d73edac4804bb8c4ad38441d4e2adf9e0a7da52b3a0 4825086 spip_3.0.17-2+deb8u3_all.deb
Files:
 3828708c9bde3500237b1a2cb570e5f7 1610 web extra spip_3.0.17-2+deb8u3.dsc
 4c5a7ee1255836c0cf7383aba2e89dd2 86352 web extra spip_3.0.17-2+deb8u3.debian.tar.xz
 208d0cf72236acf2de8399dc2ed93087 4825086 web extra spip_3.0.17-2+deb8u3_all.deb