From 20e3655a10ce25fde2e09f65a7f275bd16efb6d3 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 28 Jul 2016 11:30:30 +0100 Subject: [PATCH] Announce 3.20160728 --- doc/news/version_3.20150329.mdwn | 34 -------------------------------- doc/news/version_3.20160728.mdwn | 9 +++++++++ doc/security.mdwn | 10 ++++++++++ 3 files changed, 19 insertions(+), 34 deletions(-) delete mode 100644 doc/news/version_3.20150329.mdwn create mode 100644 doc/news/version_3.20160728.mdwn diff --git a/doc/news/version_3.20150329.mdwn b/doc/news/version_3.20150329.mdwn deleted file mode 100644 index 7e0d3e0bc..000000000 --- a/doc/news/version_3.20150329.mdwn +++ /dev/null @@ -1,34 +0,0 @@ -ikiwiki 3.20150329 released with [[!toggle text="these changes"]]. This is a -security update fixing a cross-site scripting vulnerability. - -[[!toggleable text=""" - [ [[Joey Hess|joey]] ] - - * Fix NULL ptr deref on ENOMEM in wrapper. (Thanks, igli) - - [ [[Simon McVittie|smcv]] ] - - * Really don't double-decode CGI submissions, even on Perl versions that - bundle an old enough Encode.pm for that not to be a problem: the - system might have a newer Encode.pm installed separately, like Fedora 20. - (Closes: [[!debbug 776181]]; thanks, Anders Kaseorg) - * If neither timezone nor TZ is set, set both to :/etc/localtime if - we're on a GNU system and that file exists, or GMT otherwise - * t/inline.t: accept translations of "Add a new post titled:" - (Closes: [[!debbug 779365]]) - * Consistently document command-line options as e.g. --refresh, not -refresh - - [ [[Amitai Schlair|schmonz]] ] - - * In VCS-committed anonymous comments, link to url. - - [ [[Joey Hess|joey]] ] - - * Fix XSS in openid selector. Thanks, Raghav Bisht. - (Closes: [[!debbug 781483]]) -"""]] - -In addition, version 3.20141016.2 was released on the same day to backport -the cross-site-scripting fix to Debian 8. - -[[!meta date="2015-03-29 22:46:39 +0100"]] diff --git a/doc/news/version_3.20160728.mdwn b/doc/news/version_3.20160728.mdwn new file mode 100644 index 000000000..6836a9b79 --- /dev/null +++ b/doc/news/version_3.20160728.mdwn @@ -0,0 +1,9 @@ +ikiwiki 3.20160728 released with [[!toggle text="these changes"]] +[[!toggleable text=""" + * Explicitly remove current working directory from Perl's library + search path, mitigating [[!cve CVE-2016-1238]] (see [[!debbug 588017]]) + * wrappers: allocate new environment dynamically, so we won't overrun + the array if third-party plugins add multiple environment variables. + * Standards-Version: 3.9.8 (no changes required) + +--[[smcv]]"""]] diff --git a/doc/security.mdwn b/doc/security.mdwn index 055e1d006..6d68fac00 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -531,3 +531,13 @@ resize. An upgrade is recommended for sites where an untrusted user is able to attach images. Upgrading ImageMagick to a version where CVE-2016-3714 has been fixed is also recommended, but at the time of writing no such version is available. + +## Perl CVE-2016-1238 (current working directory in search path) + +ikiwiki 3.20160728 attempts to mitigate [[!cve CVE-2016-1238]] by +removing `'.'` from the Perl library search path. An attacker with write +access to ikiwiki's current working directory could potentially use this +vulnerability to execute arbitrary Perl code. An upgrade is recommended +for sites where an untrusted user is able to attach files with arbitrary +names and/or run a setuid ikiwiki wrapper with a working directory of +their choice. -- 2.39.5