Debian Security Advisory
DSA-3518-1 spip -- security update
- Date Reported:
- 16 Mar 2016
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2016-3153, CVE-2016-3154.
- More information:
Several vulnerabilities were found in SPIP, a website engine for publishing, resulting in code injection.
g0uZ et sambecks, from team root-me, discovered that arbitrary PHP code could be injected when adding content.
Gilles Vincent discovered that deserializing untrusted content could result in arbitrary objects injection.
For the oldstable distribution (wheezy), these problems have been fixed in version 2.1.17-1+deb7u5.
For the stable distribution (jessie), these problems have been fixed in version 3.0.17-2+deb8u2.
For the testing (stretch) and unstable (sid) distributions, these problems have been fixed in version 3.0.22-1.
We recommend that you upgrade your spip packages.