Security: Multiple issues in SPIP

Name: Multiple issues in SPIP
ID: USN-4536-1
Distribution: Ubuntu
Platforms: Ubuntu 18.04 LTS
Date: Thu, 24 September 2020, 19:16
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16393
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16394
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11071
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16392
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19830
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16391
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15736
Applications: SPIP

Original message
==========================================================================
Ubuntu Security Notice USN-4536-1
September 24, 2020

spip vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in SPIP.
Software Description:
- spip: website engine for publishing
Details:
Youssouf Boulouiz discovered that SPIP incorrectly handled login error messages. A remote attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2019-16392)
Gilles Vincent discovered that SPIP incorrectly handled password reset requests. A remote attacker could possibly use this issue to cause SPIP to enumerate registered users. (CVE-2019-16394)
Guillaume Fahrner discovered that SPIP did not properly sanitize input. A remote authenticated attacker could possibly use this issue to execute arbitrary code on the host server. (CVE-2019-11071)
Sylvain Lefevre discovered that SPIP incorrectly handled user authorization. A remote attacker could possibly use this issue to modify and publish content and modify the database. (CVE-2019-16391)
It was discovered that SPIP did not properly sanitize input. A remote attacker could, through cross-site scripting (XSS) and PHP injection, exploit this to inject arbitrary web script or HTML. (CVE-2017-15736)
Alexis Zucca discovered that SPIP incorrectly handled the media plugin. A remote authenticated attacker could possibly use this issue to write to the database. (CVE-2019-19830)
Christophe Laffont discovered that SPIP incorrectly handled redirect URLs. An attacker could use this issue to cause SPIP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-16393)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 18.04 LTS: spip 3.1.4-4~deb9u3build0.18.04.1
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4536-1
CVE-2017-15736, CVE-2019-11071, CVE-2019-16391, CVE-2019-16392, CVE-2019-16393, CVE-2019-16394, CVE-2019-19830
Package Information: https://launchpad.net/ubuntu/+source/spip/3.1.4-4~deb9u3build0.18.04.1
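An added example, not part of the Ubuntu notice: checking recorded spip package versions against the fixed version named under "Update instructions", using Debian version ordering (where `~` sorts before everything, so a plain string comparison is not reliable). It assumes the version strings were collected beforehand, for instance with `dpkg-query -W -f='${Version}' spip`; the host names and the inventory are constructed.

```python
import re
from itertools import zip_longest

# Fixed spip version for Ubuntu 18.04 LTS, taken from the notice above.
FIXED = "3.1.4-4~deb9u3build0.18.04.1"
_TOKEN = re.compile(r"([^0-9]*)([0-9]*)")

def _order(c):
    # dpkg sort weight: '~' < end of string < letters < other characters.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit / digit runs, as dpkg does.
    pairs = zip_longest(_TOKEN.findall(a), _TOKEN.findall(b), fillvalue=("", ""))
    for (sa, da), (sb, db) in pairs:
        for k in range(max(len(sa), len(sb))):
            oa, ob = _order(sa[k:k + 1]), _order(sb[k:k + 1])
            if oa != ob:
                return -1 if oa < ob else 1
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; epoch defaults to 0, revision to empty.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # Returns -1, 0 or 1 for a < b, a == b, a > b in Debian ordering.
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_patched(installed, fixed=FIXED):
    return compare_versions(installed, fixed) >= 0

# Constructed inventory (host -> installed spip version), not real data.
INVENTORY = {"web01": "3.1.4-3", "web02": "3.1.4-4~deb9u2", "web03": FIXED}
UNPATCHED = sorted(h for h, v in INVENTORY.items() if not is_patched(v))
```

The check is purely a version ordering against the Ubuntu 18.04 LTS package; versions from other releases or repositories need their own fixed version.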