From: Simon McVittie Date: Tue, 26 Feb 2019 21:14:31 +0000 (+0000) Subject: Release to stretch-security X-Git-Tag: debian/3.20170111.1~1 X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/461a5e5c4787b43cfe88d1459c4647a463deb297 Release to stretch-security --- diff --git a/debian/changelog b/debian/changelog index 14045a961..c354c81ae 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,36 @@ +ikiwiki (3.20170111.1) stretch-security; urgency=high + + * aggregate: Use LWPx::ParanoidAgent if available. + Previously blogspam, openid and pinger used this module if available, + but aggregate did not. This prevents server-side request forgery or + local file disclosure, and mitigates denial of service when slow + "tarpit" URLs are accessed. + (CVE-2019-9187) + * blogspam, openid, pinger: Use a HTTP proxy if configured, even if + LWPx::ParanoidAgent is installed. + Previously, only aggregate would obey proxy configuration. If a proxy + is used, the proxy (not ikiwiki) is responsible for preventing attacks + like CVE-2019-9187. + * aggregate, blogspam, openid, pinger: Do not access non-http, non-https + URLs. + Previously, these plugins would have allowed non-HTTP-based requests if + LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local + file disclosure, and preventing other rarely-used URI schemes like + gopher mitigates request forgery attacks. + * aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly + recommended. + These plugins can request attacker-controlled URLs in some site + configurations. + * blogspam: Document LWPx::ParanoidAgent as desirable. + This plugin doesn't request attacker-controlled URLs, so it's + non-critical here. + * blogspam, openid, pinger: Consistently use cookiejar if configured. + Previously, these plugins would only obey this configuration if + LWPx::ParanoidAgent was not installed, but this appears to have been + unintended. + + -- Simon McVittie Tue, 26 Feb 2019 21:13:51 +0000 + ikiwiki (3.20170111) unstable; urgency=high * passwordauth: prevent authentication bypass via multiple name
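Review bot: the first item in this changelog entry says using LWPx::ParanoidAgent "prevents server-side request forgery or local file disclosure", but the same hunk only makes the module optional ("if available"), and the third item concedes that the plugins previously accepted non-HTTP URLs when it was absent. Without the module installed, aggregate still fetches attacker-supplied URLs with a plain user agent and internal-network targets remain reachable; "mitigates" would be the accurate word unless the dependency is made hard. Related: the diff touches only debian/changelog (`diff --git a/debian/changelog b/debian/changelog`), so if debian/control is not also updated in this stretch-security upload to Recommend (or Depend on) the package providing LWPx::ParanoidAgent, the "strongly recommended" wording has no packaging effect and users will not get the module pulled in. Finally, the proxy item quietly changes the trust boundary: "If a proxy is used, the proxy (not ikiwiki) is responsible for preventing attacks like CVE-2019-9187" means an administrator who configures a forward proxy so ikiwiki can reach the internet loses the ParanoidAgent protection even with the module installed, unless the proxy itself refuses private and loopback destinations. State that requirement explicitly, e.g. "If a proxy is configured, it must refuse connections to private and loopback addresses; ikiwiki does not filter destinations itself in that case."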