Accepted ikiwiki 3.20170111.1 (source) into proposed-updates->stable-new, proposed-updates
Format: 1.8
Date: Tue, 26 Feb 2019 22:57:58 +0000
Source: ikiwiki
Binary: ikiwiki
Architecture: source
Version: 3.20170111.1
Distribution: stretch-security
Urgency: high
Maintainer: Simon McVittie <smcv@debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
ikiwiki - wiki compiler
Changes:
 ikiwiki (3.20170111.1) stretch-security; urgency=high
 .
   * aggregate: Use LWPx::ParanoidAgent if available.
     Previously blogspam, openid and pinger used this module if available,
     but aggregate did not. This prevents server-side request forgery or
     local file disclosure, and mitigates denial of service when slow
     "tarpit" URLs are accessed.
     (CVE-2019-9187)
   * blogspam, openid, pinger: Use a HTTP proxy if configured, even if
     LWPx::ParanoidAgent is installed.
     Previously, only aggregate would obey proxy configuration. If a proxy
     is used, the proxy (not ikiwiki) is responsible for preventing attacks
     like CVE-2019-9187.
   * aggregate, blogspam, openid, pinger: Do not access non-http, non-https
     URLs.
     Previously, these plugins would have allowed non-HTTP-based requests if
     LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local
     file disclosure, and preventing other rarely-used URI schemes like
     gopher mitigates request forgery attacks.
   * aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly
     recommended.
     These plugins can request attacker-controlled URLs in some site
     configurations.
   * blogspam: Document LWPx::ParanoidAgent as desirable.
     This plugin doesn't request attacker-controlled URLs, so it's
     non-critical here.
   * blogspam, openid, pinger: Consistently use cookiejar if configured.
     Previously, these plugins would only obey this configuration if
     LWPx::ParanoidAgent was not installed, but this appears to have been
     unintended.
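The user-agent policy the changelog describes (proxy wins, else LWPx::ParanoidAgent, else plain LWP::UserAgent, and in every case only http and https), as an added illustration; this is not ikiwiki's own code, and the configuration keys http_proxy, https_proxy and cookiejar are assumed names.

```perl
use strict;
use warnings;
use LWP::UserAgent;
use URI;

# Only http and https may be fetched, whichever agent class is used, so
# file:// (local file disclosure) and schemes like gopher:// are refused.
my @ALLOWED_SCHEMES = qw(http https);

# Cheap pre-check a plugin can run on a user-supplied URL before building
# any request at all.
sub url_scheme_allowed {
    my ($url) = @_;
    my $scheme = URI->new($url)->scheme;
    return 0 unless defined $scheme;
    return scalar grep { lc($scheme) eq $_ } @ALLOWED_SCHEMES;
}

# Build the agent following the changelog's policy (assumed config keys):
#  - a configured proxy wins; the proxy is then responsible for blocking
#    requests to internal hosts, so plain LWP::UserAgent is used;
#  - otherwise prefer LWPx::ParanoidAgent, which refuses private and
#    loopback addresses and enforces a timeout against "tarpit" servers;
#  - otherwise fall back to LWP::UserAgent, still limited to http/https.
sub make_useragent {
    my (%config) = @_;
    my $ua;
    if (defined $config{http_proxy} || defined $config{https_proxy}) {
        $ua = LWP::UserAgent->new(protocols_allowed => [@ALLOWED_SCHEMES]);
        $ua->proxy(http  => $config{http_proxy})  if defined $config{http_proxy};
        $ua->proxy(https => $config{https_proxy}) if defined $config{https_proxy};
    }
    elsif (eval { require LWPx::ParanoidAgent; 1 }) {
        $ua = LWPx::ParanoidAgent->new(protocols_allowed => [@ALLOWED_SCHEMES]);
    }
    else {
        # Without ParanoidAgent this still reaches internal hosts over
        # http/https; only the scheme restriction is enforced here.
        $ua = LWP::UserAgent->new(protocols_allowed => [@ALLOWED_SCHEMES]);
    }
    # Honour the cookie jar whichever class was chosen.
    $ua->cookie_jar({ file => $config{cookiejar} }) if defined $config{cookiejar};
    return $ua;
}

# Constructed sample URLs: the agent itself refuses the non-http(s) ones.
my $ua = make_useragent();
for my $url ('https://example.com/feed.xml', 'file:///etc/hostname', 'gopher://example.com/') {
    printf "%-30s pre-check=%d agent=%d\n", $url,
        url_scheme_allowed($url) ? 1 : 0,
        $ua->is_protocol_supported(URI->new($url)) ? 1 : 0;
}
```

With protocols_allowed set, LWP::UserAgent answers a request for a disallowed scheme with an error response instead of dispatching it, so the agent-level check holds even where a plugin forgets the pre-check.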