>> until the maintainer can respond ("[[!wikipedia responsible disclosure]]").
>> In this particular case, I was away from my computer for a few days
>> and was unable to make a release until I got back. --[[smcv]]
+
+> Are versions `3.20120629` or `3.20130904.1~bpo70+1` vulnerable? (`wheezy` and
+> `wheezy-backports`, respectively) — [[Jon]]
+
+>> 3.20120629 is vulnerable; fixed in 3.20120629.2, which is in the proposed-updates
+>> queue (the security team declined to issue a DSA). The blogspam plugin doesn't
+>> work in wheezy either; again, a fix is in the proposed-updates queue.
+>>
+>> 3.20130904.1~bpo70+1 is almost certainly vulnerable, it looks as though someone
+>> has done a drive-by backport but not kept it updated. None of ikiwiki's Debian
+>> maintainers are involved in that backport; the .deb from jessie (or even from
+>> experimental) works fine on wheezy without recompilation. I use the latest
+>> upstream release from experimental on my otherwise-Debian-7 server. --[[smcv]]
## XSS via openid selector
-Raghav Bisht discovered this XSS in the openid selector.
+Raghav Bisht discovered this XSS in the openid selector. ([[!cve CVE-2015-2793]])
The hole was reported on March 24th, a fix was developed on March 27th,
-and the fixed version was released on the 29th. A fix was backported
-to Debian wheezy as version 3.20141016.2. An upgrade is recommended for
-sites using CGI and openid.
+and the fixed version 3.20150329 was released on the 29th. A fix was backported
+to Debian jessie as version 3.20141016.2 and to Debian wheezy as version
+3.20120629.2. An upgrade is recommended for sites using CGI and openid.