Accepted ikiwiki 3.20170111.1 (source) into proposed-updates->stable-new, proposed-updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 26 Feb 2019 22:57:58 +0000
Source: ikiwiki
Binary: ikiwiki
Architecture: source
Version: 3.20170111.1
Distribution: stretch-security
Urgency: high
Maintainer: Simon McVittie <smcv@debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 ikiwiki    - wiki compiler
Changes:
 ikiwiki (3.20170111.1) stretch-security; urgency=high
 .
   * aggregate: Use LWPx::ParanoidAgent if available.
     Previously blogspam, openid and pinger used this module if available,
     but aggregate did not. This prevents server-side request forgery or
     local file disclosure, and mitigates denial of service when slow
     "tarpit" URLs are accessed.
     (CVE-2019-9187)
   * blogspam, openid, pinger: Use a HTTP proxy if configured, even if
     LWPx::ParanoidAgent is installed.
     Previously, only aggregate would obey proxy configuration. If a proxy
     is used, the proxy (not ikiwiki) is responsible for preventing attacks
     like CVE-2019-9187.
   * aggregate, blogspam, openid, pinger: Do not access non-http, non-https
     URLs.
     Previously, these plugins would have allowed non-HTTP-based requests if
     LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local
     file disclosure, and preventing other rarely-used URI schemes like
     gopher mitigates request forgery attacks.
   * aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly
     recommended.
     These plugins can request attacker-controlled URLs in some site
     configurations.
   * blogspam: Document LWPx::ParanoidAgent as desirable.
     This plugin doesn't request attacker-controlled URLs, so it's
     non-critical here.
   * blogspam, openid, pinger: Consistently use cookiejar if configured.
     Previously, these plugins would only obey this configuration if
     LWPx::ParanoidAgent was not installed, but this appears to have been
     unintended.
Checksums-Sha1:
 8c7ec3f78150f5c57ddbcc64df5c86cd222bc1ba 2223 ikiwiki_3.20170111.1.dsc
 9b6b95c1da66d4492f5d935db0df73f3b949faa2 2618416 ikiwiki_3.20170111.1.tar.xz
 15e570feae476535dba5b0fe5722cdb5529c255f 5494 ikiwiki_3.20170111.1_source.buildinfo
Checksums-Sha256:
 7ae898ad6564010f968ea260edcc9364110f46b2c3f8152285efd179bd127f01 2223 ikiwiki_3.20170111.1.dsc
 443039c9b0ae748d7cb80543a217ac4074cc32a89d12c52ff5ff39e836b70488 2618416 ikiwiki_3.20170111.1.tar.xz
 a5733c439bc019713e95919c6530e686bad797f3769f445eaf1f981f1528c013 5494 ikiwiki_3.20170111.1_source.buildinfo
Files:
 b7fd75ad3a26cb0d7b38eee430963f03 2223 web optional ikiwiki_3.20170111.1.dsc
 707a04bb99abf54670dfb7f60b76723e 2618416 web optional ikiwiki_3.20170111.1.tar.xz
 1bfe891d16b617d2b4d8d0b32f59819b 5494 web optional ikiwiki_3.20170111.1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
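
The user-agent selection policy described in the changelog above (a configured proxy takes precedence, LWPx::ParanoidAgent is used when installed, and only http and https are allowed on every path) can be sketched in Perl as follows. This is an added example, not ikiwiki's own code: `make_useragent`, `scheme_allowed`, the config keys `proxy`, `cookiejar` and `agent`, the `EXAMPLE_PROXY` variable and the sample URLs are all assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not taken from ikiwiki: build an HTTP client for fetching
# URLs that may be attacker-controlled, following the changelog's policy.
use strict;
use warnings;
use LWP::UserAgent;
use URI;

# Hypothetical config keys: proxy (URL string), cookiejar (hashref of
# HTTP::Cookies options), agent (User-Agent string).
sub make_useragent {
    my (%config) = @_;
    my %args = (
        agent   => $config{agent} // 'example-fetcher/1.0',
        timeout => 30,
        # The cookie jar is applied on every path, not only the fallback one.
        ($config{cookiejar} ? (cookie_jar => $config{cookiejar}) : ()),
    );
    my $ua;
    if (defined $config{proxy} && length $config{proxy}) {
        # A configured proxy wins; filtering internal destinations is then
        # the proxy's responsibility, not this program's.
        $ua = LWP::UserAgent->new(%args);
        $ua->proxy(['http', 'https'], $config{proxy});
    }
    elsif (eval { require LWPx::ParanoidAgent; 1 }) {
        # ParanoidAgent refuses loopback and private addresses and bounds
        # the total time spent on a request (tarpit mitigation).
        $ua = LWPx::ParanoidAgent->new(%args);
    }
    else {
        $ua = LWP::UserAgent->new(%args);
    }
    # Enforced whichever client was chosen: no file:, gopher:, ftp:, etc.
    $ua->protocols_allowed(['http', 'https']);
    return $ua;
}

# Pre-flight check so callers can reject a URL with a clear error
# before any request is attempted.
sub scheme_allowed {
    my ($ua, $url) = @_;
    my $scheme = lc(URI->new($url)->scheme // '');   # undef for relative URLs
    return (grep { $_ eq $scheme } @{ $ua->protocols_allowed || [] }) ? 1 : 0;
}

# Constructed sample URLs; nothing is fetched here.
my $ua = make_useragent(proxy => $ENV{EXAMPLE_PROXY});
for my $url ('http://example.org/feed.rss', 'HTTPS://example.org/',
             'file:///path/to/local/file', 'gopher://example.org/') {
    printf "%-32s %s\n", $url, scheme_allowed($ua, $url) ? 'fetch' : 'refuse';
}
```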