Security Information / 2016 / Security Information -- DSA-3518-1 spip

Debian Security Advisory

DSA-3518-1 spip -- security update

Date Reported:

16 Mar 2016

Affected Packages:

spip

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2016-3153, CVE-2016-3154.

More information:

Several vulnerabilities were found in SPIP, a website engine for publishing, resulting in code injection.

• CVE-2016-3153

  g0uZ et sambecks, from team root-me, discovered that arbitrary PHP code could be injected when adding content.

• CVE-2016-3154

  Gilles Vincent discovered that deserializing untrusted content could result in arbitrary objects injection.

For the oldstable distribution (wheezy), these problems have been fixed in version 2.1.17-1+deb7u5.

For the stable distribution (jessie), these problems have been fixed in version 3.0.17-2+deb8u2.

For the testing (stretch) and unstable (sid) distributions, these problems have been fixed in version 3.0.22-1.

We recommend that you upgrade your spip packages.