UbuntuUpdates.org

Package "spip"

Name: spip

Description:

website engine for publishing

Latest version: 3.2.7-1ubuntu0.1
Release: focal (20.04)
Level: updates
Repository: universe
Homepage: https://www.spip.net/

Other versions of "spip" in Focal

Repository Area Version
base universe 3.2.7-1
security universe 3.2.7-1ubuntu0.1

Changelog

Version: 3.2.7-1ubuntu0.1 2023-03-02 14:07:03 UTC

  spip (3.2.7-1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Cross Site Scripting (XSS)
    - debian/patches/CVE-2021-44118-1.patch: validate URLs
      before making a copy of a remote document.
    - debian/patches/CVE-2021-44118-2.patch: improve and
      add several checks over the domain.
    - debian/patches/CVE-2021-44120-1.patch: fix escaping
      SQL function query_echappe_textes.
    - debian/patches/CVE-2021-44120-2.patch: simplify and fix
      regex in query_echappe_textes.
    - debian/patches/CVE-2021-44120-3.patch: only escape
      text on the first call of _mysql_traite_query.
    - debian/patches/CVE-2021-44120-4.patch: protect nom_site
      and bio from being modified by using safehtml.
    - CVE-2021-44120
    - CVE-2021-44118
  * SECURITY UPDATE: Cross Site Request Forgery (CSRF)
    - debian/patches/CVE-2021-44122-1.patch: refactor and
      add signature to form fields.
    - debian/patches/CVE-2021-44122-2.patch: replace function
      when handling signatures.
    - debian/patches/CVE-2021-44122-3.patch: increment
      spip_version_code, needed to regenerate forms.
    - debian/patches/CVE-2021-44122-4.patch: fix comment,
      re-enable deprecated function.
    - CVE-2021-44122
  * SECURITY UPDATE: Remote code execution
    - debian/patches/CVE-2021-44123.patch: handle multiple
      file extensions and remove the ones that are not allowed.
    - CVE-2021-44123

 -- David Fernandez Gonzalez <email address hidden> Wed, 01 Mar 2023 12:07:07 +0100

CVE-2021-44118 SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability. To exploit the vulnerability, a visitor must browse to a malicious SVG file. Th
CVE-2021-44120 SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability in ecrire/public/interfaces.php, adding the function safehtml to the vulnerable
CVE-2021-44122 SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php, ecrire/public/balises.php, ecrire/balise/
CVE-2021-44123 SPIP 4.0.0 is affected by a remote command execution vulnerability. To exploit the vulnerability, an attacker must craft a malicious picture with a d