Login
Newsletter
Werbung
Sicherheit: Mehrere Probleme in SPIP
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in SPIP
ID: USN-4536-1
Distribution: Ubuntu
Plattformen: Ubuntu 18.04 LTS
Datum: Do, 24. September 2020, 19:16
Referenzen: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16393
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16394
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11071
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16392
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19830
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16391
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15736
Applikationen: SPIP

Originalnachricht

 
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============2826963776447335829==
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="goHntumdmFiRJeRHARSpqTyTCLxj13iWy"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--goHntumdmFiRJeRHARSpqTyTCLxj13iWy
Content-Type: multipart/mixed;
 boundary="o0dbu4ELJDxAFsGu8Q5I6Y2ZAEFukKXWj"

--o0dbu4ELJDxAFsGu8Q5I6Y2ZAEFukKXWj
Content-Type: text/plain; charset=utf-
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US

==========================================================================
Ubuntu Security Notice USN-4536-1
September 24, 2020

spip vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in SPIP.

Software Description:
- spip: website engine for publishing

Details:

Youssouf Boulouiz discovered that SPIP incorrectly handled login error
messages. A remote attacker could potentially exploit this to conduct
cross-site scripting (XSS) attacks. (CVE-2019-16392)

Gilles Vincent discovered that SPIP incorrectly handled password reset
requests. A remote attacker could possibly use this issue to cause SPIP to
enumerate registered users. (CVE-2019-16394)

Guillaume Fahrner discovered that SPIP did not properly sanitize input. A
remote authenticated attacker could possibly use this issue to execute
arbitrary code on the host server. (CVE-2019-11071)

Sylvain Lefevre discovered that SPIP incorrectly handled user
authorization. A remote attacker could possibly use this issue to modify
and publish content and modify the database. (CVE-2019-16391)

It was discovered that SPIP did not properly sanitize input. A remote
attacker could, through cross-site scripting (XSS) and PHP injection,
exploit this to inject arbitrary web script or HTML. (CVE-2017-15736)

Alexis Zucca discovered that SPIP incorrectly handled the media plugin. A
remote authenticated attacker could possibly use this issue to write to
the database. (CVE-2019-19830)

Christophe Laffont discovered that SPIP incorrectly handled redirect URLs.
An attacker could use this issue to cause SPIP to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2019-16393)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  spip                            3.1.4-4~deb9u3build0.18.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://usn.ubuntu.com/4536-1
  CVE-2017-15736, CVE-2019-11071, CVE-2019-16391, CVE-2019-16392,
  CVE-2019-16393, CVE-2019-16394, CVE-2019-19830

Package Information:
  https://launchpad.net/ubuntu/+source/spip/3.1.4-4~deb9u3build0.18.04.1



--o0dbu4ELJDxAFsGu8Q5I6Y2ZAEFukKXWj--

--goHntumdmFiRJeRHARSpqTyTCLxj13iWy
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEElnO/d49FoUPK9fwytGdj0GOh2+wFAl9szhUACgkQtGdj0GOh
2+xnowgAqQDixhBjcj27t1GegGg8ZTuegkqUqApaf+G9gcB2ifGugiXmioghtTZ7
WslXlpGsuHkDG1+2TUGGcWcDg2MQ6lY2xJshaSSrd74qAGI/5cgQogG3ukKV2DW2
j6gLmw9hTCMtwKWtOrciGwm4Vp/WoemB26J+3b7T5HlxSbXKGFXkjacJbpqWlOct
Z66L5aBST8y9On3GCa255MvNyXFEP65NydADpiq3ttq3PT1kJqRiQyu98NysYKRG
4FkSeOWpmeYsHkKdq3M9/Qn0NKyjD5pi9S8foxFJQPaM59t4P54dmz/WuUxexcwv
bwo0Hg533d9ovVEDNj86SmMh3TTADw==
=wVf2
-----END PGP SIGNATURE-----

--goHntumdmFiRJeRHARSpqTyTCLxj13iWy--


--===============2826963776447335829==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5
LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl
IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj
dXJpdHktYW5ub3VuY2UK

--===============2826963776447335829==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung