
[SECURITY] [DLA 760-1] spip security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : spip
Version        : 2.1.17-1+deb7u8
CVE ID         : CVE-2016-9997 CVE-2016-9998
Debian Bug     : 848641


Multiple reflected cross-site scripting (XSS) vulnerabilities have been
discovered in SPIP, a website publishing engine written in PHP.

CVE-2016-9997

    It was discovered that the 'id' parameter to the puce_statut action
    isn't sanitized properly. An attacker could inject arbitrary HTML
    code by tricking an authenticated SPIP user into opening a specially
    crafted URL.

CVE-2016-9998

    It was discovered that the 'plugin' parameter to the info_plugin
    action isn't sanitized properly. An attacker could inject arbitrary
    HTML code by tricking an authenticated SPIP user into opening a
    specially crafted URL.

For Debian 7 "Wheezy", these problems have been fixed in version
2.1.17-1+deb7u8.

We recommend that you upgrade your spip packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


- -- 
Jonas Meurer



-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
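
An added example, not part of the advisory or of Debian's tooling: a Python audit of inventoried spip package versions against the fixed version stated above, using a reimplementation of the ordering that `dpkg --compare-versions` applies. Host names and sample versions are constructed, and the threshold is only meaningful for Debian 7 "Wheezy" packages.

```python
import re
from itertools import zip_longest

FIXED = "2.1.17-1+deb7u8"  # fixed version for Debian 7 "Wheezy" per DLA 760-1
_RUNS = re.compile(r"(\D*)(\d*)")  # alternating non-digit / digit runs

def _order(c):
    # dpkg character ordering: '~' sorts lowest, letters before other symbols.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare run by run: text by dpkg ordering, digits numerically.
    for (ta, na), (tb, nb) in zip_longest(_RUNS.findall(a), _RUNS.findall(b),
                                          fillvalue=("", "")):
        ka, kb = [_order(c) for c in ta], [_order(c) for c in tb]
        width = max(len(ka), len(kb))
        ka += [0] * (width - len(ka))  # end of a run counts as 0
        kb += [0] * (width - len(kb))
        if ka != kb:
            return -1 if ka < kb else 1
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; epoch defaults to 0, revision to empty.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    if not sep:
        upstream, rev = rest, ""
    return int(epoch), upstream, rev

def deb_cmp(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def needs_upgrade(inventory):
    # Hosts whose spip version sorts before the fixed one.
    return sorted(h for h, v in inventory.items() if deb_cmp(v, FIXED) < 0)

# Constructed sample inventory (host names and versions are made up).
SAMPLE = {"web1": "2.1.17-1+deb7u7", "web2": "2.1.17-1+deb7u8",
          "web3": "2.1.17-1+deb7u10", "web4": "2.1.17"}
print(needs_upgrade(SAMPLE))
```

A plain string comparison would wrongly rank `deb7u10` below `deb7u8`; the numeric handling of digit runs is what makes `web3` count as fixed.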

