From: Simon McVittie Date: Wed, 11 Jan 2017 15:36:04 +0000 (+0000) Subject: Update changelog for backported git plugin and test X-Git-Tag: debian/3.20141016.4~8 X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/02e38ce1479127ee88dcd808ab61e6f34fb23d93 Update changelog for backported git plugin and test --- diff --git a/debian/changelog b/debian/changelog index 60f278b43..96a0121ac 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,6 +14,33 @@ ikiwiki (3.20141016.4) UNRELEASED; urgency=high po, rename: harden against similar issues that are not believed to be exploitable * t/passwordauth.t: new automated test for OVE-20170111-0001 + * Backport IkiWiki::Plugin::git from 3.20170110 to fix the following + bugs, including one minor security vulnerability: + - Security: try revert operations before approving them. Previously, + automatic rename detection could result in a revert writing outside + the wiki srcdir or altering a file that the reverting user should not + be able to alter, an authorization bypass. + (CVE-2016-10026 represents the original vulnerability.) + The incomplete fix released in 3.20161219 was not effective for git + versions prior to 2.8.0rc0. + (CVE-2016-9645 represents that incomplete solution. Debian stable + was never vulnerable to this one.) + - Fix the warnings "cannot chdir to .../ikiwiki-temp-working: No such + file or directory" seen in the initial fixes for those security issues + - If no committer identity is known, set it to + "IkiWiki " in .git/config. This resolves commit errors + in versions of git that require a non-trivial committer identity. + - Use git log --no-renames to generate recentchanges, fixing the git + test-case with git 2.9 (Closes: #835612) + - Don't issue a warning if the rcsinfo CGI parameter is undefined + - Do not fail to commit changes with a recent git version + and an anonymous committer + - Do not fail on filenames starting with a dash + (patch from Florian Wagner) + - Don't add a redundant "--" and run "git rev-list ... -- -- ..." + * Backport t/git-cgi.t from 3.20170110 to have automated test coverage + for using the CGI with git, including tests for CVE-2016-10026 + - Build-depend on libipc-run-perl for better build-time test coverage * Backport IkiWiki::Plugin::img from 3.20160905 to fix a regression in 3.20141016.3: - img: ignore the case of the extension when detecting image format,