[ubuntu/focal-security] spip 3.2.7-1ubuntu0.1 (Accepted)

David Fernandez Gonzalez david.fernandezgonzalez at canonical.com
Thu Mar 2 10:17:52 UTC 2023


spip (3.2.7-1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Cross Site Scripting (XSS)
    - debian/patches/CVE-2021-44118-1.patch: validate URLs
      before making a copy of a remote document.
    - debian/patches/CVE-2021-44118-2.patch: improve and
      add several checks over the domain.
    - debian/patches/CVE-2021-44120-1.patch: fix escaping
      SQL function query_echappe_textes.
    - debian/patches/CVE-2021-44120-2.patch: simplify and fix
      regex in query_echappe_textes.
    - debian/patches/CVE-2021-44120-3.patch: only escape
      text on the first call of _mysql_traite_query.
    - debian/patches/CVE-2021-44120-4.patch: protect nom_site
      and bio from being modified by using safehtml.
    - CVE-2021-44120
    - CVE-2021-44118
  * SECURITY UPDATE: Cross Site Request Forgery (CSRF)
    - debian/patches/CVE-2021-44122-1.patch: refactor and
      add signature to form fields.
    - debian/patches/CVE-2021-44122-2.patch: replace function
      when handling signatures.
    - debian/patches/CVE-2021-44122-3.patch: increment
      spip_version_code, needed to regenerate forms.
    - debian/patches/CVE-2021-44122-4.patch: fix comment,
      reenable deprecated function.
    - CVE-2021-44122
  * SECURITY UPDATE: Remote code execution
    - debian/patches/CVE-2021-44123.patch: handle multiple
      file extensions and remove the ones that are not allowed.
    - CVE-2021-44123

Date: 2023-03-02 09:12:09.146156+00:00
Changed-By: David Fernandez Gonzalez <david.fernandezgonzalez at canonical.com>
https://launchpad.net/ubuntu/+source/spip/3.2.7-1ubuntu0.1
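The CVE-2021-44123 entry above describes the fix only as "handle multiple file extensions and remove the ones that are not allowed". The example below is an added illustration of that class of check, written in Python for this page; it is not SPIP's PHP patch, and the allow-list, helper names and sample filenames are assumptions made for the example. It contrasts the weak last-extension test that a double-extension name such as shell.php.jpg bypasses with a sanitizer that keeps only allow-listed extension segments.

```python
import os
import re

# Allow-list for the example; constructed here, not SPIP's own configuration.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt"})


def naive_extension_check(filename: str) -> bool:
    """The weak check: it looks only at the last extension.

    'shell.php.jpg' passes, even though a web server that maps '.php'
    anywhere in the name to the PHP handler would execute it.
    """
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS


def sanitize_upload_name(filename: str, allowed=ALLOWED_EXTENSIONS):
    """Keep the base name and only the allow-listed extension segments.

    Every segment after the first dot is treated as an extension; the ones
    that are not allowed are dropped rather than trusted because an allowed
    one follows them. Returns the cleaned name, or None when no allowed
    extension remains, in which case the upload should be rejected instead
    of being stored under a guessed name.
    """
    # Strip path components (either separator) so '../x' cannot escape.
    base = os.path.basename(filename.replace("\\", "/"))
    segments = base.split(".")
    stem, exts = segments[0], segments[1:]
    # Reduce the stem to a conservative character set; an empty stem
    # (e.g. '.htaccess') gets a neutral placeholder name.
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem) or "file"
    kept = [e.lower() for e in exts if e.lower() in allowed]
    if not kept:
        return None
    return ".".join([stem] + kept)


if __name__ == "__main__":
    # Constructed sample names, not taken from any real upload.
    for name in ["shell.php.jpg", "image.jpg.phtml", "../../evil.php",
                 "Photo.PNG", ".htaccess", "a b.txt"]:
        print(f"{name!r}: naive={naive_extension_check(name)} "
              f"sanitized={sanitize_upload_name(name)!r}")
```

Stripping rather than rejecting means a benign dotted name such as report.final.pdf loses its inner segment (it becomes report.pdf); that is the trade-off the changelog's wording implies, and a deployment that prefers to reject any name with a disallowed segment can do so by returning None whenever `len(kept) != len(exts)`.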

