Debian 10225 Published by

The following Debian 7 LTS updates has been released:

[DLA 737-1] roundcube security update
[DLA 738-1] spip security update



[DLA 737-1] roundcube security update

Package : roundcube
Version : 0.7.2-9+deb7u5
Debian Bug : 847287

It was discovered that there was a vulnerability where a remote user could
execute arbitrary commands in Roundcube, a webmail solution for IMAP
servers, by sending a specially crafted email.

This was due to lack of sanitisation of the arguments to PHP's "mail"
function.

For Debian 7 "Wheezy", this issue has been fixed in roundcube version
0.7.2-9+deb7u5.

We recommend that you upgrade your roundcube packages.

spip security update

Package : spip
Version : 2.1.17-1+deb7u7
CVE ID : CVE-2016-9152
Debian Bug : 847156

It was discovered that there was a cross-site scripting (XSS) vulnerability in
spip, a website publishing engine, which allowed remote attackers to inject
arbitrary web script or HTML via the "rac" parameter.

For Debian 7 "Wheezy", this issue has been fixed in spip version
2.1.17-1+deb7u7.

We recommend that you upgrade your spip packages.