ESB-2017.1558 - [Debian] spip: Execute arbitrary code/commands - Remote/unauthenticated 2017-06-22


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1558
                           spip security update
                               22 June 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           spip
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-9736  

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-3890

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3890-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 21, 2017                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : spip
CVE ID         : CVE-2017-9736
Debian Bug     : 864921

Emeric Boit of ANSSI reported that SPIP, a website engine for
publishing, insufficiently sanitises the value from the X-Forwarded-Host
HTTP header field. An unauthenticated attacker can take advantage of
this flaw to cause remote code execution.

For the stable distribution (stretch), this problem has been fixed in
version 3.1.4-3~deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 3.1.4-3.

For the unstable distribution (sid), this problem has been fixed in
version 3.1.4-3.

We recommend that you upgrade your spip packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
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=oJxJ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
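
The advisory above states only that SPIP insufficiently sanitises the value of the X-Forwarded-Host header; it does not show SPIP's code, and the example below is not SPIP's code either. It is an added, stack-independent illustration of the defensive pattern that removes this class of problem: treat X-Forwarded-Host as untrusted input, accept it only from a known reverse proxy, require strict hostname syntax, check it against an allowlist of the site's own names, and otherwise fall back to a configured canonical host. The deployment values (CANONICAL_HOST, ALLOWED_HOSTS, TRUSTED_PROXIES) and the log records are constructed for the example; the `suspicious_forwarded_hosts` review helper applies the same checks to logged header values so operators can spot requests that would have failed them.

```python
import re
from ipaddress import ip_address, ip_network

# Deployment values: constructed for this example, replace with your own.
CANONICAL_HOST = "www.example.org"
ALLOWED_HOSTS = {"www.example.org", "example.org"}
# Only front-end proxies on these networks may set forwarding headers.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]

# Strict host grammar: dotted RFC 1123 labels plus an optional numeric port.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(
    r"^(?P<host>(?:" + _LABEL + r"\.)*" + _LABEL + r")(?::(?P<port>[0-9]{1,5}))?$"
)


def parse_host(value):
    """Return (host, port_or_None) for a well-formed host[:port], else None.

    Anything outside plain hostname syntax (spaces, quotes, slashes, braces,
    other metacharacters) is rejected outright rather than "cleaned", so no
    unexpected byte from the header reaches the application.
    """
    if not isinstance(value, str) or len(value) > 260:
        return None
    m = _HOST_RE.match(value.strip().lower())
    if m is None:
        return None
    port = m.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        return None
    return m.group("host"), port


def effective_host(remote_addr, headers):
    """Choose the host name the application may use when building URLs.

    Returns (host, source); source records which input was trusted:
    'forwarded' (X-Forwarded-Host sent by a trusted proxy), 'host' (the
    Host header) or 'canonical' (configured fallback, used when neither
    header passes the checks).
    """
    peer = ip_address(remote_addr)
    from_proxy = any(peer in net for net in TRUSTED_PROXIES)
    forwarded = headers.get("X-Forwarded-Host")
    if from_proxy and forwarded is not None:
        # Chained proxies may append a comma-separated list; the first entry
        # is the value presented to the outermost proxy.
        parsed = parse_host(forwarded.split(",")[0])
        if parsed is not None and parsed[0] in ALLOWED_HOSTS:
            host, port = parsed
            return (host if port is None else f"{host}:{port}", "forwarded")
    parsed = parse_host(headers.get("Host"))
    if parsed is not None and parsed[0] in ALLOWED_HOSTS:
        host, port = parsed
        return (host if port is None else f"{host}:{port}", "host")
    return (CANONICAL_HOST, "canonical")


def suspicious_forwarded_hosts(log_lines):
    """Flag records whose logged X-Forwarded-Host is malformed or not allowed.

    Each constructed line has the form: <client-ip> <path> xfh=<value>.
    Returns the (client_ip, value) pairs worth a closer look.
    """
    flagged = []
    for line in log_lines:
        client, _path, xfh = line.split(" ", 2)
        value = xfh[len("xfh="):]
        parsed = parse_host(value)
        if parsed is None or parsed[0] not in ALLOWED_HOSTS:
            flagged.append((client, value))
    return flagged


# Constructed sample records for a stand-alone run (not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 /index.php xfh=www.example.org",
    "10.0.0.5 /index.php xfh=www.example.org:8443",
    "10.0.0.5 /index.php xfh=evil.example.net",
    "10.0.0.5 /index.php xfh=www.example.org{1}",
]

if __name__ == "__main__":
    print(effective_host("10.0.0.5", {"X-Forwarded-Host": "www.example.org"}))
    print(effective_host("203.0.113.9",
                         {"X-Forwarded-Host": "www.example.org", "Host": "example.org"}))
    print(suspicious_forwarded_hosts(SAMPLE_LOG))
```

The design choice worth noting is that the forwarded value is never "sanitised" into something usable: it is either exactly an allowed hostname (optionally with a port) or it is ignored. Rejecting rather than rewriting means a front-end that does not strip client-supplied X-Forwarded-Host headers cannot feed the application a value it did not already expect.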

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWUsIyIx+lLeg9Ub1AQgDoxAAisLK7RcPovjVT3JQMpSYeA8mXrve8zdz
uZx7hOzyqk6hOlT7OGWu50UxEUTCba4WypmHttTvpSTCDuwsbwwXWr0m4XC6708+
QVDEZvYh2SIjNKDYQrj42KzF0tp3YkYFMO4PIyMCN6JCD8YIRD3FqLEHps69wUA4
1p2sYk+KevIyhBJ1JNhDRdb++XOlrplFYTWbhzzN6P86wITqzly43elAeeC9h2Oh
NX7tCXi5OJQb0qEQmdBjW6Sf8hv2tMDZqQnjKO8bSFoFiDZnk9IVcMk9Ex4O5TeJ
1xxd91gtUX6Hlwxrw/+rIBwDONe1WHZ2dEDY9tnEKe0v6OWd+rrIauvXH934A6Hn
Ev2QtaT4Wlrk8kpRVx2ENKrP+KNAdhaMBrtP+UAnAb8e8I8B9uXnClr/nSQ0JQ6l
x++ZTBumTYeTOioVDkc79OGvWaAUWQNMpNIEVnopA+JfdwV9wHtlaTgeO5Mldp59
qjek7CXe2OfY3HYigr3Zqds7T85t9KDzN4q7MKDhIXQYjKpZLJkst1MgIwwcKWuR
OljYZCQVps0GZxHrfB2HAHd5twvCOqgwpY2C6I6UWBLQYOhLw7LLKKEPcMizBufD
oGyle9CgA4Xo6+f4e3xg/ZuyrHGMHtBRBe9V8YYTPi2o81tYhpocIcwaSIpmRjz9
6kMva/Mtavo=
=Hi2z
-----END PGP SIGNATURE-----
