Hello,
our services (thank you again Arnault) have discovered a security hole in SPIP, allowing an injection of cross-site-scripting (XSS).
The error dating back more than five years (it was introduced October 8, 2005), it is clear that ALL versions of SPIP are affected.
To secure your site, simply update the file 404.html, located in the directory:
dist/ in SPIP version 1.9
squelettes-dist/ in SPIP version 2.0 or 2.1
extensions/dist_2007/ in the dev version
If you have customized this template, the fix is simply to remove star and filter to transform the expression
#ENV*{erreur}|propre
into #ENV{erreur}.
We remind everyone that the best way to inform us of vulnerabilities is to send an email to spip-team@rezo.net.
Feel free to use the following means available to get help with this migration:
spip-user list: http://listes.rezo.net/mailman/listinfo/spip (and this list too 
)
Forum: http://forum.spip.org/
irc: http://spip.net/irc
How to upgrade?
------------------------
As usual, several possibilities for the update:
-
security screen : if you do not have time to do it now a full update, you can secure your site in two minutes by downloading the 1.0.1 version of the security screen, and copy it in config/
cf. http://www.spip.net/en_article4201.html -
by spip_loader.php: If you installed spip_loader, go to the address http://YOUR_WEBSITE_URL/spip_loader.php to install SPIP 2.1.9
-
FTP: SPIP 2.1.9 is available at http://files.spip.org/spip/stable/
-
and of course by SVN, just do svn up
in the 2.1 branch: svn://trac.rezo.net/spip/branches/spip-2.1
in the stable branch: svn://trac.rezo.net/spip/branches/spip-2-stable/
on the tag: svn://trac.rezo.net/spip/tags/spip-2.1.9/
For older versions, we did a zip for 1.9.2j and 2.0.14 that can be found on http://files.spip.org/spip/archives/
– news freely translated from the official announcement –