oss-sec mailing list archives
CVE request - SPIP: 2 vulnerabilities
From: Sébastien Delafond <seb () debian org>
Date: Tue, 15 Mar 2016 13:51:38 +0100
Hello,
on behalf of the Debian Security Team, I'd like to request 2 CVEs for
SPIP. Both are present in 3.x before 3.0.22 and 2.x before 2.1.19:
* PHP code injection when handling content. This is fixed in
https://core.spip.net/projects/spip/repository/revisions/22911
(defining the function itself is enough, as the global mechanism for
filters in SPIP automatically tries to look up and filtre_foo_dist if
it exists)
* Objects injection when deserializing untrusted input. This is fixed
in https://core.spip.net/projects/spip/repository/revisions/22903
Cheers,
--Seb
