Accepted ikiwiki 3.20141016.4 (all source) into proposed-updates->stable-new, proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 11 Jan 2017 18:18:52 +0000
Source: ikiwiki
Binary: ikiwiki
Architecture: all source
Version: 3.20141016.4
Distribution: jessie-security
Urgency: high
Maintainer: Simon McVittie <smcv@debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 835612
Description:
ikiwiki - a wiki compiler
Changes:
ikiwiki (3.20141016.4) jessie-security; urgency=high
.
  * Reference CVE-2016-4561 in 3.20141016.3 changelog
  * Security: force CGI::FormBuilder->field to scalar context where
    necessary, avoiding unintended function argument injection
    analogous to CVE-2014-1572.
    - passwordauth: prevent authentication bypass via multiple name
      parameters (CVE-2017-0356, OVE-20170111-0001)
    - passwordauth: prevent userinfo forgery via repeated email
      parameter (also CVE-2017-0356)
    - comments, editpage: prevent commit metadata forgery
      (CVE-2016-9646, OVE-20161226-0001)
    - CGI, attachment, comments, editpage, notifyemail, passwordauth,
      po, rename: harden against similar issues that are not believed
      to be exploitable
  * t/passwordauth.t: new automated test for CVE-2017-0356
  * Backport IkiWiki::Plugin::git from 3.20170110 to fix the following
    bugs, including one minor security vulnerability:
    - Security: try revert operations before approving them. Previously,
      automatic rename detection could result in a revert writing outside
      the wiki srcdir or altering a file that the reverting user should not
      be able to alter, an authorization bypass.
      (CVE-2016-10026 represents the original vulnerability.)
      The incomplete fix released in 3.20161219 was not effective for git
      versions prior to 2.8.0rc0.
      (CVE-2016-9645 represents that incomplete solution. Debian stable
      was never vulnerable to this one.)
    - Fix the warnings "cannot chdir to .../ikiwiki-temp-working: No such
      file or directory" seen in the initial fixes for those security issues
    - If no committer identity is known, set it to
      "IkiWiki <ikiwiki.info>" in .git/config. This resolves commit errors
      in versions of git that require a non-trivial committer identity.
    - Use git log --no-renames to generate recentchanges, fixing the git
      test-case with git 2.9 (Closes: #835612)
    - Don't issue a warning if the rcsinfo CGI parameter is undefined
    - Do not fail to commit changes with a recent git version
      and an anonymous committer
    - Do not fail on filenames starting with a dash
      (patch from Florian Wagner)
    - Don't add a redundant "--" and run "git rev-list ... -- -- ..."
  * Backport t/git-cgi.t from 3.20170110 to have automated test coverage
    for using the CGI with git, including tests for CVE-2016-10026
    - Build-depend on libipc-run-perl for better build-time test coverage
  * Backport IkiWiki::Plugin::img from 3.20160905 to fix a regression
    in 3.20141016.3:
    - img: ignore the case of the extension when detecting image format,
      fixing the regression that *.JPG etc. would not be displayed
      (patch from Amitai Schleier)
  * Backport tests' installed-test (autopkgtest) support from 3.20160121,
    adjusted for compatibility with the older pkg-perl-autopkgtest in jessie
    - d/control: add enough build-dependencies to run all tests, except for
      non-git VCSs
Checksums-Sha1:
33858105736a8a9b4a5068bcc210eb32680a1e2b 2117 ikiwiki_3.20141016.4.dsc
33056d7e4cc66858dc16dd33deeded101c3d78db 3355017 ikiwiki_3.20141016.4.tar.gz
833f2c380e6192f4b66292f18d04fc0cbf481380 1431210 ikiwiki_3.20141016.4_all.deb
Checksums-Sha256:
c000c05af1fb5359fcf4be03cdb8ff3598f8e99648acabc73e06399058fa7cfc 2117 ikiwiki_3.20141016.4.dsc
ab571d99f1897492b86bfb42ee625d4d9bf77d1f1024afe833a75499b4ea8609 3355017 ikiwiki_3.20141016.4.tar.gz
b774615740192adb9cf0f645a80c428d28634c34e671ff3e2e8d6f659e53b945 1431210 ikiwiki_3.20141016.4_all.deb
Files:
d9a185f7ee6786538b1ea39f2576dc28 2117 web optional ikiwiki_3.20141016.4.dsc
3ad760018731e99aef77e2456462e9fb 3355017 web optional ikiwiki_3.20141016.4.tar.gz
a00680d717ca319e0edf8f99b34e9aa2 1431210 web optional ikiwiki_3.20141016.4_all.deb
-----BEGIN PGP SIGNATURE-----
=XLAq
-----END PGP SIGNATURE-----
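The changelog's headline fix is forcing CGI::FormBuilder->field into scalar context to stop "function argument injection" of the CVE-2014-1572 kind. The following is an added illustration of that Perl hazard and its hardening; it is not ikiwiki's code and does not use the real CGI::FormBuilder module. The `field`, `userinfo_get` and `%request` definitions are constructed stand-ins: `field` mimics the CGI.pm-style convention of returning every submitted value in list context and one value in scalar context.

```perl
#!/usr/bin/perl
# Added example (not ikiwiki's own code): why a multi-valued form field
# must be read in scalar context before being passed as a function argument.
use strict;
use warnings;

# Constructed stand-in for a parsed request in which the "name" field was
# submitted twice. A CGI.pm-style accessor returns all values in list
# context and only the first value in scalar context.
my %request = (
    name  => [ 'alice', 'bob' ],
    email => [ 'alice@example.org' ],
);

sub field {
    my ($name) = @_;
    my @values = @{ $request{$name} || [] };
    return wantarray ? @values : $values[0];
}

# Constructed user database and a positional lookup: (user, attribute).
my %userinfo = (
    alice => { email => 'alice@example.org' },
    bob   => { email => 'bob@example.org' },
);

sub userinfo_get {
    my ($user, $attr) = @_;
    return exists $userinfo{$user} ? $userinfo{$user}{$attr} : undef;
}

# Vulnerable pattern: field() is called in list context, so a repeated
# "name" parameter expands into extra positional arguments. The caller
# intended ('alice', 'email') but userinfo_get receives
# ('alice', 'bob', 'email'), and the second value displaces the attribute.
sub lookup_unsafe {
    return userinfo_get(field('name'), 'email');
}

# Hardened pattern: 'scalar' forces exactly one value through, so the
# argument list has the shape the callee expects no matter how many times
# the client repeated the parameter.
sub lookup_safe {
    return userinfo_get(scalar field('name'), 'email');
}

printf "unsafe lookup: %s\n", lookup_unsafe() // 'undef';
printf "safe lookup:   %s\n", lookup_safe()   // 'undef';
```

Running it shows the unsafe lookup failing to find the intended attribute while the safe one returns the user's email. The general audit rule the changelog applies across plugins is the same: any call of the form `f($q->param(...), ...)` or `f($form->field(...), ...)` where the argument list is built from request data is a candidate, and wrapping the accessor in `scalar` (or assigning it to a scalar first) removes the ambiguity.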