The following Debian 7 LTS updates have been released:
[DLA 737-1] roundcube security update
[DLA 738-1] spip security update
[DLA 737-1] roundcube security update
Package : roundcube
Version : 0.7.2-9+deb7u5
Debian Bug : 847287
It was discovered that there was a vulnerability where a remote user could
execute arbitrary commands in Roundcube, a webmail solution for IMAP
servers, by sending a specially crafted email.
This was due to lack of sanitisation of the arguments to PHP's "mail"
function.
For Debian 7 "Wheezy", this issue has been fixed in roundcube version
0.7.2-9+deb7u5.
We recommend that you upgrade your roundcube packages.
[DLA 738-1] spip security update
Package : spip
Version : 2.1.17-1+deb7u7
CVE ID : CVE-2016-9152
Debian Bug : 847156
It was discovered that there was a cross-site scripting (XSS) vulnerability in
spip, a website publishing engine, which allowed remote attackers to inject
arbitrary web script or HTML via the "rac" parameter.
For Debian 7 "Wheezy", this issue has been fixed in spip version
2.1.17-1+deb7u7.
We recommend that you upgrade your spip packages.