Security Information / 2017 / Security Information -- DSA-3890-1 spip

Debian Security Advisory

DSA-3890-1 spip -- security update

Date Reported:

21 Jun 2017

Affected Packages:

spip

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 864921.
In Mitre's CVE dictionary: CVE-2017-9736.

More information:

Emeric Boit of ANSSI reported that SPIP, a website engine for publishing, insufficiently sanitises the value from the X-Forwarded-Host HTTP header field. An unauthenticated attacker can take advantage of this flaw to cause remote code execution.

For the stable distribution (stretch), this problem has been fixed in version 3.1.4-3~deb9u1.

For the testing distribution (buster), this problem has been fixed in version 3.1.4-3.

For the unstable distribution (sid), this problem has been fixed in version 3.1.4-3.

We recommend that you upgrade your spip packages.