Accepted ikiwiki 3.20161229.1 (source) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 29 Dec 2016 20:46:24 +0000
Source: ikiwiki
Binary: ikiwiki
Architecture: source
Version: 3.20161229.1
Distribution: unstable
Urgency: medium
Maintainer: Simon McVittie <smcv@debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 ikiwiki    - wiki compiler
Changes:
 ikiwiki (3.20161229.1) unstable; urgency=medium
 .
   * git: Attribute reverts to the user doing the revert, not the wiki
     itself.
   * git: Do not disable the commit hook while preparing a revert.
 .
 ikiwiki (3.20161229) unstable; urgency=medium
 .
   * Security: force CGI::FormBuilder->field to scalar context where
     necessary, avoiding unintended function argument injection
     analogous to CVE-2014-1572. In ikiwiki this could be used to
     forge commit metadata, but thankfully nothing more serious.
     (CVE-2016-9646)
   * Security: try revert operations in a temporary working tree before
     approving them. Previously, automatic rename detection could result in
     a revert writing outside the wiki srcdir or altering a file that the
     reverting user should not be able to alter, an authorization bypass.
     (CVE-2016-10026 represents the original vulnerability.)
     The incomplete fix released in 3.20161219 was not effective for git
     versions prior to 2.8.0rc0.
     (CVE-2016-9645 represents that incomplete solution.)
   * Add CVE references for CVE-2016-10026
   * Add automated test for using the CGI with git, including
     CVE-2016-10026
     - Build-depend on libipc-run-perl for better build-time test coverage
   * Add missing ikiwiki.setup for the manual test for CVE-2016-10026
   * git: don't issue a warning if the rcsinfo CGI parameter is undefined
   * git: do not fail to commit changes with a recent git version
     and an anonymous committer
Checksums-Sha1:
 f33435f1ed0e9e944ba36c332e2c619f6ed9a815 2184 ikiwiki_3.20161229.1.dsc
 fee9095d09a3b76721a955f87fe1266362744975 3477558 ikiwiki_3.20161229.1.tar.gz
Checksums-Sha256:
 d25a49f20dda2179054a07098b1f051b78eaae3570c640edbf7200850df4d40b 2184 ikiwiki_3.20161229.1.dsc
 8373a56a187d874d584b41d89c299d834f057017390520464b6d9615baf09650 3477558 ikiwiki_3.20161229.1.tar.gz
Files:
 3c198e9c55d0f668a349c21d4a3c14d6 2184 web optional ikiwiki_3.20161229.1.dsc
 2284c91d9c30752800410d63ccb826e7 3477558 web optional ikiwiki_3.20161229.1.tar.gz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----