Accepted ikiwiki 3.20161229 (source) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 29 Dec 2016 17:36:15 +0000
Source: ikiwiki
Binary: ikiwiki
Architecture: source
Version: 3.20161229
Distribution: unstable
Urgency: medium
Maintainer: Simon McVittie <smcv@debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 ikiwiki    - wiki compiler
Changes:
 ikiwiki (3.20161229) unstable; urgency=medium
 .
   * Security: force CGI::FormBuilder->field to scalar context where
     necessary, avoiding unintended function argument injection
     analogous to CVE-2014-1572. In ikiwiki this could be used to
     forge commit metadata, but thankfully nothing more serious.
     (CVE-2016-9646)
   * Security: try revert operations in a temporary working tree before
     approving them. Previously, automatic rename detection could result in
     a revert writing outside the wiki srcdir or altering a file that the
     reverting user should not be able to alter, an authorization bypass.
     (CVE-2016-10026 represents the original vulnerability.)
     The incomplete fix released in 3.20161219 was not effective for git
     versions prior to 2.8.0rc0.
     (CVE-2016-9645 represents that incomplete solution.)
   * Add CVE references for CVE-2016-10026
   * Add automated test for using the CGI with git, including
     CVE-2016-10026
     - Build-depend on libipc-run-perl for better build-time test coverage
   * Add missing ikiwiki.setup for the manual test for CVE-2016-10026
   * git: don't issue a warning if the rcsinfo CGI parameter is undefined
   * git: do not fail to commit changes with a recent git version
     and an anonymous committer
Checksums-Sha1:
 00af37eee6c3497093cf54cfa240aa402df864f4 2176 ikiwiki_3.20161229.dsc
 f2727e5594354974c22f83b89388c71d1fa4596f 3477477 ikiwiki_3.20161229.tar.gz
Checksums-Sha256:
 0e2b2ffd2717ccadff8a0d09e91b8a26da375a13504f5ab649b5b16fe2919a61 2176 ikiwiki_3.20161229.dsc
 4ce7ead4cbb10cafbf7eb14f8b96f88d03773bae685ce49c3f66535325768c07 3477477 ikiwiki_3.20161229.tar.gz
Files:
 24e131ba94ef166ad74fe9fae8f4fb4b 2176 web optional ikiwiki_3.20161229.dsc
 39577c69c4071d7d87dc64425bae90ca 3477477 web optional ikiwiki_3.20161229.tar.gz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----