X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/32f3b4de00b1d2c4e3bfd7eca63f5ebbd4501ae7..f197136df81d8f2f1e18c737304fcfb9423072d3:/debian/changelog diff --git a/debian/changelog b/debian/changelog index 9a73f1084..1f4471a4d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,129 @@ +ikiwiki (3.20120629.2+deb7u2) wheezy-security; urgency=medium + + [ Simon McVittie ] + * Security: force CGI::FormBuilder->field to scalar context where + necessary, avoiding unintended function argument injection + analogous to CVE-2014-1572. + - passwordauth: prevent authentication bypass via multiple name + parameters (CVE-2017-0356, OVE-20170111-0001) + - passwordauth: prevent userinfo forgery via repeated email + parameter (also CVE-2017-0356) + - comments, editpage: prevent commit metadata forgery + (CVE-2016-9646, OVE-20161226-0001) + - CGI, attachment, comments, editpage, notifyemail, passwordauth, + po, rename: harden against similar issues that are not believed + to be exploitable + * t/passwordauth.t: new automated test for CVE-2017-0356 + * Backport IkiWiki::Plugin::git from 3.20170110 to fix the following + bugs, including one minor security vulnerability: + - Security: try revert operations before approving them. Previously, + automatic rename detection could result in a revert writing outside + the wiki srcdir or altering a file that the reverting user should not + be able to alter, an authorization bypass. + (CVE-2016-10026 represents the original vulnerability.) + The incomplete fix released in 3.20161219 was not effective for git + versions prior to 2.8.0rc0. + (CVE-2016-9645 represents that incomplete solution. Debian stable + was never vulnerable to this one.) + - Fix the warnings "cannot chdir to .../ikiwiki-temp-working: No such + file or directory" seen in the initial fixes for those security issues + - If no committer identity is known, set it to + "IkiWiki " in .git/config. This resolves commit errors + in versions of git that require a non-trivial committer identity. + - Use git log --no-renames to generate recentchanges, fixing the git + test-case with git 2.9 (Closes: #835612) + - Don't issue a warning if the rcsinfo CGI parameter is undefined + - Do not fail to commit changes with a recent git version + and an anonymous committer + - Do not fail on filenames starting with a dash + (patch from Florian Wagner) + - Don't add a redundant "--" and run "git rev-list ... -- -- ..." + * Backport t/git-cgi.t from 3.20170110 to have automated test coverage + for using the CGI with git, including tests for CVE-2016-10026 + - Build-depend on libipc-run-perl for better build-time test coverage + * Backport tests' installed-test (autopkgtest) support from 3.20160121, + adjusted for compatibility with the older pkg-perl-autopkgtest in jessie + - d/control: add enough build-dependencies to run all tests, except for + non-git VCSs + * Split CFLAGS into words when building wrapper, fixing build-time test + failure. Closes: #682237 (patch from Joey Hess, backported from + 3.20120630) + * In the CGI wrapper, incorporate $config{ENV} into the environment + before executing Perl code, so that PERL5LIB can point to a + non-system-wide installation of IkiWiki. Some build-time tests rely + on this, in particular t/git-cgi.t. + (patch from Lafayette Chamber Singers Webmaster, backported from + 3.20140916) + + [ Emilio Pozuelo Monfort ] + * Upload to wheezy-security. + + -- Emilio Pozuelo Monfort Tue, 31 Jan 2017 19:00:50 +0100 + +ikiwiki (3.20120629.2+deb7u1) wheezy-security; urgency=medium + + * HTML-escape error messages, in one case avoiding potential cross-site + scripting (CVE-2016-4561, OVE-20160505-0012) + * Update img plugin to version 3.20160509 to mitigate ImageMagick + vulnerabilities, including remote code execution (CVE-2016-3714): + - Never convert SVG images to PNG; simply pass them through to the + browser. This prevents exploitation of any ImageMagick SVG coder + vulnerabilities. (joeyh) + - Do not resize image formats other than JPEG, PNG, GIF unless + specifically configured to do so. This prevents exploitation + of any vulnerabilities in less common coders, such as MVG. + (schmonz, smcv) + - Do not resize JPEG, PNG, GIF, PDF images if their extensions do + not match their "magic numbers", because wiki admins might try to + restrict attachments by extension, but ImageMagick can base its + choice of coder on the magic number. Explicitly force the + obvious ImageMagick coder to be used. (smcv) + * Minor non-security changes resulting from that update, since + reverting them seems higher-risk than keeping them: + - Add PDF support, disabled by the above changes unless specifically + configured (chrysn) + - Only render one frame or page from animated GIF or multi-page PDF + (chrysn) + - Do not distort aspect ratio when resizing small images (chrysn) + - Use data: URLs to embed images in page previews (chrysn) + - Raise an error if the image's size cannot be determined (chrysn) + - Handle filenames containing a colon correctly (smcv) + * Add t/img.t regression test also taken from version 3.20160506 + (chrysn, joeyh, schmonz, smcv) + * debian/tests: add metadata to run the img test as an autopkgtest + + -- Simon McVittie Mon, 09 May 2016 22:38:35 +0100 + +ikiwiki (3.20120629.2) wheezy; urgency=medium + + [ Joey Hess ] + * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483; + CVE-2015-2793) + + -- Simon McVittie Mon, 06 Apr 2015 20:34:51 +0100 + +ikiwiki (3.20120629.1) wheezy; urgency=medium + + Backport blogspam plugin from experimental, because the version in + wheezy is no longer usable: + + [ Joey Hess ] + * Set Debian package maintainer to Simon McVittie as I'm retiring from + Debian. + + [ Amitai Schlair ] + * blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd). + Closes: #774441 + + -- Simon McVittie Sat, 17 Jan 2015 11:53:33 +0000 + +ikiwiki (3.20120629) unstable; urgency=low + + * mirrorlist: Add mirrorlist_use_cgi setting that avoids usedirs or + other config differences by linking to the mirror's CGI. (intrigeri) + + -- Joey Hess Fri, 29 Jun 2012 10:16:08 -0400 + ikiwiki (3.20120516) unstable; urgency=high * meta: Security fix; add missing sanitization of author and authorurl.