-ikiwiki (3.20120629.3) UNRELEASED; urgency=medium
+ikiwiki (3.20120629.2+deb7u2) wheezy-security; urgency=medium
+
+ [ Simon McVittie ]
+ * Security: force CGI::FormBuilder->field to scalar context where
+ necessary, avoiding unintended function argument injection
+ analogous to CVE-2014-1572.
+ - passwordauth: prevent authentication bypass via multiple name
+ parameters (CVE-2017-0356, OVE-20170111-0001)
+ - passwordauth: prevent userinfo forgery via repeated email
+ parameter (also CVE-2017-0356)
+ - comments, editpage: prevent commit metadata forgery
+ (CVE-2016-9646, OVE-20161226-0001)
+ - CGI, attachment, comments, editpage, notifyemail, passwordauth,
+ po, rename: harden against similar issues that are not believed
+ to be exploitable
+ * t/passwordauth.t: new automated test for CVE-2017-0356
+ * Backport IkiWiki::Plugin::git from 3.20170110 to fix the following
+ bugs, including one minor security vulnerability:
+ - Security: try revert operations before approving them. Previously,
+ automatic rename detection could result in a revert writing outside
+ the wiki srcdir or altering a file that the reverting user should not
+ be able to alter, an authorization bypass.
+ (CVE-2016-10026 represents the original vulnerability.)
+ The incomplete fix released in 3.20161219 was not effective for git
+ versions prior to 2.8.0rc0.
+ (CVE-2016-9645 represents that incomplete solution. Debian stable
+ was never vulnerable to this one.)
+ - Fix the warnings "cannot chdir to .../ikiwiki-temp-working: No such
+ file or directory" seen in the initial fixes for those security issues
+ - If no committer identity is known, set it to
+ "IkiWiki <ikiwiki.info>" in .git/config. This resolves commit errors
+ in versions of git that require a non-trivial committer identity.
+ - Use git log --no-renames to generate recentchanges, fixing the git
+ test-case with git 2.9 (Closes: #835612)
+ - Don't issue a warning if the rcsinfo CGI parameter is undefined
+ - Do not fail to commit changes with a recent git version
+ and an anonymous committer
+ - Do not fail on filenames starting with a dash
+ (patch from Florian Wagner)
+ - Don't add a redundant "--" and run "git rev-list ... -- -- ..."
+ * Backport t/git-cgi.t from 3.20170110 to have automated test coverage
+ for using the CGI with git, including tests for CVE-2016-10026
+ - Build-depend on libipc-run-perl for better build-time test coverage
+ * Backport tests' installed-test (autopkgtest) support from 3.20160121,
+ adjusted for compatibility with the older pkg-perl-autopkgtest in jessie
+ - d/control: add enough build-dependencies to run all tests, except for
+ non-git VCSs
+ * Split CFLAGS into words when building wrapper, fixing build-time test
+ failure. Closes: #682237 (patch from Joey Hess, backported from
+ 3.20120630)
+ * In the CGI wrapper, incorporate $config{ENV} into the environment
+ before executing Perl code, so that PERL5LIB can point to a
+ non-system-wide installation of IkiWiki. Some build-time tests rely
+ on this, in particular t/git-cgi.t.
+ (patch from Lafayette Chamber Singers Webmaster, backported from
+ 3.20140916)
+
+ [ Emilio Pozuelo Monfort ]
+ * Upload to wheezy-security.
+
+ -- Emilio Pozuelo Monfort <pochu@debian.org> Tue, 31 Jan 2017 19:00:50 +0100
+
+ikiwiki (3.20120629.2+deb7u1) wheezy-security; urgency=medium
* HTML-escape error messages, in one case avoiding potential cross-site
scripting (CVE-2016-4561, OVE-20160505-0012)
- * Update img plugin to version 3.20160506 to mitigate ImageMagick
+ * Update img plugin to version 3.20160509 to mitigate ImageMagick
vulnerabilities, including remote code execution (CVE-2016-3714):
- Never convert SVG images to PNG; simply pass them through to the
browser. This prevents exploitation of any ImageMagick SVG coder
vulnerabilities. (joeyh)
- Do not resize image formats other than JPEG, PNG, GIF unless
specifically configured to do so. This prevents exploitation
- of any vulnerabilities in less common coders, such as MVG. (smcv)
+ of any vulnerabilities in less common coders, such as MVG.
+ (schmonz, smcv)
- Do not resize JPEG, PNG, GIF, PDF images if their extensions do
not match their "magic numbers", because wiki admins might try to
restrict attachments by extension, but ImageMagick can base its
- Handle filenames containing a colon correctly (smcv)
* Add t/img.t regression test also taken from version 3.20160506
(chrysn, joeyh, schmonz, smcv)
+ * debian/tests: add metadata to run the img test as an autopkgtest
- -- Simon McVittie <smcv@debian.org> Sun, 08 May 2016 15:33:51 +0100
+ -- Simon McVittie <smcv@debian.org> Mon, 09 May 2016 22:38:35 +0100
ikiwiki (3.20120629.2) wheezy; urgency=medium