for example to be used in a [[post-commit]] hook by people who cannot write
to the html pages, etc.
-If the wrapper script is made suid, then any bugs in this wrapper would be
+If the wrapper program is made suid, then any bugs in this wrapper would be
security holes. The wrapper is written as securely as I know how, is based
on code that has a history of security use long before ikiwiki, and there's
been no problem yet.
some security notes for them.
* The [[plugins/img]] plugin assumes that imagemagick/perlmagick are secure
- from malformed image attacks. Imagemagick has had security holes in the
+ from malformed image attacks for at least the formats listed in
+ `img_allowed_formats`. Imagemagick has had security holes in the
past. To be able to exploit such a hole, a user would need to be able to
upload images to the wiki.
page as an alternate stylesheet, or replacing the default stylesheet.
This hole was discovered on 28 Mar 2011 and fixed the same hour with
-the release of ikiwiki 3.20110328. An upgrade is recommended for sites
-that have untrusted committers, or have the attachments plugin enabled.
+the release of ikiwiki 3.20110328. A fix was backported to Debian squeeze,
+as version 3.20100815.6. An upgrade is recommended for sites that have
+untrusted committers, or have the attachments plugin enabled.
+([[!cve CVE-2011-1401]])
+
+## tty hijacking via ikiwiki-mass-rebuild
+
+Ludwig Nussel discovered a way for users to hijack root's tty when
+ikiwiki-mass-rebuild was run. Additionally, there was some potential
+for information disclosure via symlinks. ([[!cve CVE-2011-1408]])
+
+This hole was discovered on 8 June 2011 and fixed the same day with
+the release of ikiwiki 3.20110608. Note that the fix is dependant on
+a version of su that has a similar hole fixed. Version 4.1.5 of the shadow
+package contains the fixed su; [[!debbug 628843]] tracks fixing the hole in
+Debian. An upgrade is a must for any sites that have `ikiwiki-update-wikilist`
+installed suid (not the default), and whose admins run `ikiwiki-mass-rebuild`.
+
+## javascript insertion via meta tags
+
+Raúl Benencia discovered an additional XSS exposure in the meta plugin.
+([[!cve CVE-2012-0220]])
+
+This hole was discovered on 16 May 2012 and fixed the same day with
+the release of ikiwiki 3.20120516. A fix was backported to Debian squeeze,
+as version 3.20100815.9. An upgrade is recommended for all sites.
+
+## XSS via openid selector
+
+Raghav Bisht discovered this XSS in the openid selector. ([[!cve CVE-2015-2793]])
+
+The hole was reported on March 24th, a fix was developed on March 27th,
+and the fixed version 3.20150329 was released on the 29th. A fix was backported
+to Debian jessie as version 3.20141016.2 and to Debian wheezy as version
+3.20120629.2. An upgrade is recommended for sites using CGI and openid.
+
+## XSS via error messages
+
+CGI error messages did not escape HTML meta-characters, potentially
+allowing an attacker to carry out cross-site scripting by directing a
+user to a URL that would result in a crafted ikiwiki error message. This
+was discovered on 4 May by the ikiwiki developers, and the fixed version
+3.20160506 was released on 6 May. The same fixes were backported to Debian
+8 "jessie" in version 3.20141016.3. A backport to Debian 7 "wheezy" is
+in progress.
+
+An upgrade is recommended for sites using
+the CGI. ([[!cve CVE-2016-4561]], OVE-20160505-0012)
+
+## ImageMagick CVE-2016–3714 ("ImageTragick")
+
+ikiwiki 3.20160506 and 3.20141016.3 attempt to mitigate
+[[!cve CVE-2016-3714]], and any
+future ImageMagick vulnerabilities that resemble it, by restricting the
+image formats that the [[ikiwiki/directive/img]] directive is willing to
+resize. An upgrade is recommended for sites where an untrusted user is
+able to attach images. Upgrading ImageMagick to a version where
+CVE-2016-3714 has been fixed is also recommended, but at the time of
+writing no such version is available.