Changelog
spip (3.0.17-2+deb8u3) jessie; urgency=medium

  * Document CVE in previous changelog entry
  * Update security screen to 1.3.0
  * Backport security fixes from 3.0.23
    - Multiple XSS issues
  * Backport security fixes from 3.0.24
    - Server side request forgery (SSRF) attacks via the var_url parameter
      [CVE-2016-7999]
    - Directory traversal vulnerability in ecrire/exec/valider_xml.php
      [CVE-2016-7982]
    - Execution of arbitrary PHP code by authenticated users [CVE-2016-7998]
    - Cross-site request forgery (CSRF) vulnerability in
      ecrire/exec/valider_xml.php [CVE-2016-7980]
    - Cross-site scripting (XSS) vulnerability in valider_xml.php
      [CVE-2016-7981]
  * Backport security fixes from 3.2-alpha-1
    - Reflected Cross Site Scripting Vulnerabilities in
      /ecrire/exec/puce_statut.php and /ecrire/exec/info_plugin.php
      [CVE-2016-9997] [CVE-2016-9998] (Closes: #848641)
    - Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php
      [CVE-2016-9152] (Closes: #847156)
  * Backport security fix from 3.0.25
    - Execution of arbitrary PHP code

 -- David Prévot <email address hidden>  Wed, 26 Apr 2017 18:02:00 -1000