It affects SPIP 3.1.x and 3.2 versions (alpha & beta), and impacts all websites using these versions.
SPIP 3.0.x and earlier versions are not affected by this issue.
It is imperative to update your SPIP website as soon as possible.
In the meantime, the security screen version 1.3.2 will block possible exploitations of the vulnerability. Updating the security screen remains a transitional measure that should not prevent you from updating SPIP as soon as possible.
The team thanks Emeric Boit and ANSSI for identifying and reporting the issue.
— The team
The following updates are available:
Version 3.2 Beta 3
For people who want to test the future version of SPIP , we’re taking the opportunity to release SPIP 3.2 Beta 3.
Warning: this is a beta version, it can still contain bugs.
Do not update to this version on a production website without knowing what you’re doing.
The security screen
People unable to update should install version 1.3.2 of the security screen.
Update using spip_loader
You can also upgrade by downloading the latest version of spip_loader (version 2.5.9) which will install SPIP 3.1 by default.
Summary of SPIP versions
|SPIP 3.1||SPIP 3.1.6||Stable|
|SPIP 3.0||SPIP 3.0.26||Maintained|
|SPIP 2.1||SPIP 2.1.30||Maintained (security updates only)|
SPIP 2.0 and earlier versions are no longer supported. It is strongly recommended that you upgrade to a higher version to avoid security issues.
How to be kept informed about these announcements?
It’s simple, sign up on the mailing list http://listes.rezo.net/mailman/listinfo/spip-en .
And follow us on social networks:
- Seenthis: https://seenthis.net/people/spip
- Twitter: https://twitter.com/spip
- Facebook: https://www.facebook.com/spip.net
- Mamot: https://mamot.fr/@spip
A question, in need of help?
In case of problems or difficulties, go to https://forum.spip.net
We remind you that to report a flaw, just send an email to firstname.lastname@example.org