Debian Security Advisory
DSA-3890-1 spip -- security update
- Date Reported:
- 21 Jun 2017
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 864921.
In Mitre's CVE dictionary: CVE-2017-9736.
- More information:
Emeric Boit of ANSSI reported that SPIP, a website engine for publishing, insufficiently sanitises the value from the X-Forwarded-Host HTTP header field. An unauthenticated attacker can take advantage of this flaw to cause remote code execution.
For the stable distribution (stretch), this problem has been fixed in version 3.1.4-3~deb9u1.
For the testing distribution (buster), this problem has been fixed in version 3.1.4-3.
For the unstable distribution (sid), this problem has been fixed in version 3.1.4-3.
We recommend that you upgrade your spip packages.