CRITICAL security update: SPIP 3.1.6 and SPIP 3.2 Beta 3

A CRITICAL flaw was discovered recently in SPIP, allowing the execution of arbitrary code.

It affects SPIP 3.1.x and 3.2 versions (alpha & beta), and impacts all websites using these versions.
SPIP 3.0.x and earlier versions are not affected by this issue.

It is imperative to update your SPIP website as soon as possible.

In the meantime, the security screen version 1.3.2 will block possible exploitations of the vulnerability. Updating the security screen remains a transitional measure that should not prevent you from updating SPIP as soon as possible.

The team thanks Emeric Boit and ANSSI for identifying and reporting the issue.

— The team

The following updates are available:

Version 3.1.6
https://files.spip.net/spip/archives/SPIP-v3.1.6.zip

Version 3.2 Beta 3
For people who want to test the future version of SPIP , we’re taking the opportunity to release SPIP 3.2 Beta 3.
https://files.spip.net/spip/archives/SPIP-vtrois.2.0-beta-3.zip

Warning: this is a beta version, it can still contain bugs.
Do not update to this version on a production website without knowing what you’re doing.

The security screen

People unable to update should install version 1.3.2 of the security screen.
https://www.spip.net/fr_article4200.html

Update using spip_loader

You can also upgrade by downloading the latest version of spip_loader (version 2.5.9) which will install SPIP 3.1 by default.
https://www.spip.net/spip-dev/INSTALL/spip_loader.php

Summary of SPIP versions

Branch Version Status
SPIP 3.1 SPIP 3.1.6 Stable
SPIP 3.0 SPIP 3.0.26 Maintained
SPIP 2.1 SPIP 2.1.30 Maintained (security updates only)

SPIP 2.0 and earlier versions are no longer supported. It is strongly recommended that you upgrade to a higher version to avoid security issues.

How to be kept informed about these announcements?

It’s simple, sign up on the mailing list http://listes.rezo.net/mailman/listinfo/spip-en .

And follow us on social networks:

A question, in need of help?

In case of problems or difficulties, go to https://forum.spip.net
We remind you that to report a flaw, just send an email to spip-team@rezo.net

Discussion

No discussion

Add a comment

Avant de faire part d’un problème sur un plugin X, merci de lire ce qui suit :

  • Désactiver tous les plugins que vous ne voulez pas tester afin de vous assurer que le bug vient bien du plugin X. Cela vous évitera d’écrire sur le forum d’une contribution qui n’est finalement pas en cause.
  • Cherchez et notez les numéros de version de tout ce qui est en place au moment du test :
    • version de SPIP, en bas de la partie privée
    • version du plugin testé et des éventuels plugins nécessités
    • version de PHP (exec=info en partie privée)
    • version de MySQL / SQLite / PostgreSQL
  • Si votre problème concerne la partie publique de votre site, donnez une URL où le bug est visible, pour que les gens puissent voir par eux-mêmes.
  • En cas de page blanche, merci d’activer l’affichage des erreurs, et d’indiquer ensuite l’erreur qui apparait.

Merci d’avance pour les personnes qui vous aideront !

Par ailleurs, n’oubliez pas que les contributeurs et contributrices ont une vie en dehors de SPIP.

Who are you?
[Log in]

To show your avatar with your message, register it first on gravatar.com (free et painless) and don’t forget to indicate your Email addresse here.

Enter your comment here

This form accepts SPIP shortcuts {{bold}} {italic} -*list [text->url] <quote> <code> and HTML code <q> <del> <ins>. To create paragraphs, just leave empty lines.

Add a document

Follow the comments: RSS 2.0 | Atom