Hello,
Several security flaws have recently been identified in SPIP
(thank you to William Farner, Arnault Pachot, Silvere Cainaud,
Maxime Pelletier, Anthony and Christopher Cervoise Imberti).
They are corrected in the new versions 1.9.2.o, 2.0.18 and 2.1.13.
Most of them relate to potential XSS injection vulnerabilities.
Using the updated safety screen protects against most of these flaws:
you are encouraged to download its most recent version
(1.0.10, April 17, 2012) and copy the file into your config/ directory
(cf. http://www.spip.net/en_article4201.html).
However, as not all the flaws are corrected by the safety screen,
we strongly recommend updating SPIP to the new versions.
Feel free to use the various resources provided by the
community to help in this update:
- List spip-en: http://listes.rezo.net/mailman/listinfo/spip-en
- Forum: http://forum.spip.org/
- IRC: http://spip.net/irc
We remind you that the best way to report a security vulnerability is to send an email
to spip-team@rezo.net.
How to update?
- with spip_loader.php:
  if you have already installed SPIP with spip_loader, go to the URL
  http://YOUR_SITE/spip_loader.php
  to install SPIP 2.1.13
- by copying the files:
  SPIP 2.1.13 is available at
  http://files.spip.org/spip/stable/spip.zip
- SVN:
  if you are on branch 2.1, just do a « svn up » in your checkout of
  svn://trac.rezo.net/spip/branches/spip-2.1
  Version 2.1.13 is also available in the branch
  svn://trac.rezo.net/spip/branches/spip-2-stable
  and in the tag
  svn://trac.rezo.net/spip/tags/spip-2.1.13
Versions 2.0.18 and 1.9.2.o are available here:
http://files.spip.org/spip/archives/
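Before and after updating, the check an administrator usually wants is "is this site on a fixed release for its branch?". The script below is an added example and is not part of the SPIP announcement or of SPIP itself. It encodes only the three fixed releases named above (1.9.2.o, 2.0.18, 2.1.13) and compares an installed version string against them; anything outside those three branches is reported as not covered. The helper that reads the version from `ecrire/inc_version.php` (variable `$spip_version_branche`) is an assumption about SPIP's file layout that the announcement does not state, so verify the path on your own install.

```sh
#!/bin/sh
# Added example, not part of the SPIP announcement: decide whether an
# installed SPIP version is at or above the fixed release for its branch.
# Fixed releases named in the announcement: 1.9.2.o, 2.0.18 and 2.1.13.

# spip_is_fixed VERSION
#   exit status 0: VERSION is the fixed release, or a later one, of its branch
#   exit status 1: VERSION is an earlier (affected) release of a known branch
#   exit status 2: VERSION is not in one of the three announced branches
spip_is_fixed() {
    v="$1"
    case "$v" in
        1.9.2.?)
            # 1.9.2 releases carry a single letter suffix (1.9.2.a ... 1.9.2.o),
            # so "o or later" is a letter range rather than a number.
            case "${v#1.9.2.}" in
                [o-z]) return 0 ;;
                [a-n]) return 1 ;;
                *)     return 2 ;;
            esac
            ;;
        2.0.*) branch_fixed=18; last="${v#2.0.}" ;;
        2.1.*) branch_fixed=13; last="${v#2.1.}" ;;
        *)     return 2 ;;
    esac
    # Refuse anything whose last component is not a plain number
    # (e.g. "2.1.13-beta"), rather than guessing.
    case "$last" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$last" -ge "$branch_fixed" ]
}

# spip_installed_version SPIP_ROOT
#   ASSUMPTION (not stated in the announcement): SPIP 2.x records its version
#   in ecrire/inc_version.php as   $spip_version_branche = "2.1.13";
spip_installed_version() {
    sed -n 's/^\$spip_version_branche *= *"\([^"]*\)".*/\1/p' \
        "$1/ecrire/inc_version.php"
}

# spip_report VERSION: print a one-line verdict for VERSION.
# Written so it stays correct under "set -e".
spip_report() {
    spip_is_fixed "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "$1: fixed release (or later) for its branch" ;;
        1) echo "$1: affected, update to 1.9.2.o / 2.0.18 / 2.1.13" ;;
        *) echo "$1: branch not covered by this announcement" ;;
    esac
}

# Usage: ./spip_check.sh 2.1.12 /var/www/mysite ...
# Each argument is either a version string or a SPIP root directory.
for arg in "$@"; do
    if [ -d "$arg" ]; then
        spip_report "$(spip_installed_version "$arg")"
    else
        spip_report "$arg"
    fi
done
```

The comparison deliberately stays within a branch: 2.0.18 is reported as fixed even though 2.1.13 is numerically "higher", because the announcement fixes each branch separately, and a version the script does not recognise is reported as not covered rather than as safe.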
Postscript:
How can I be kept informed of these announcements? The simplest way is to
subscribe to the mailing list
http://listes.rezo.net/mailman/listinfo/spip-ann
Of course social networks are not left out:
- Twitter: http://twitter.com/spip
- Facebook: http://www.facebook.com/spip.net
- Seenthis: http://seenthis.net/people/spip
Gilles