-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 11 Jan 2017 18:37:57 +0000
Source: ikiwiki
Binary: ikiwiki
Architecture: all source
Version: 3.20170111~bpo8+1
Distribution: jessie-backports
Urgency: high
Maintainer: Simon McVittie <smcv@debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 ikiwiki    - wiki compiler
Changes:
 ikiwiki (3.20170111~bpo8+1) jessie-backports; urgency=high
 .
   * Rebuild for jessie-backports
     - debian/tests/control: set INSTALLED_TESTS=1 here, pkg-perl-autopkgtest
       in jessie didn't support debian/tests/pkg-perl/smoke-env
   * Not waiting for testing migration due to CVE-2017-0356
 .
 ikiwiki (3.20170111) unstable; urgency=high
 .
   * passwordauth: prevent authentication bypass via multiple name parameters
     (CVE-2017-0356, OVE-20170111-0001)
   * passwordauth: avoid userinfo forgery via repeated email parameter
     (also in the scope of CVE-2017-0356)
   * CGI, attachment, passwordauth: harden against repeated parameters
     (not believed to have been a vulnerability)
   * remove: make it clearer that repeated page parameter is OK here
   * t/passwordauth.t: new automated test for passwordauth
 .
 ikiwiki (3.20170110) unstable; urgency=medium
 .
   [ Amitai Schleier ]
   * wrappers: Correctly escape quotes in git_wrapper_background_command
 .
   [ Simon McVittie ]
   * git: use an explicit function parameter for the directory to work in.
     Previously, we used global state that was not restored correctly on
     catching exceptions, causing an unintended log message
     "cannot chdir to .../ikiwiki-temp-working: No such file or directory"
     with versions >= 3.20161229 when an attempt to revert a change fails
     or is disallowed
   * git: don't run "git rev-list ... -- -- ..." which would select the wrong
     commits if a file named literally "--" is present in the repository
   * check_canchange: log "bad file name whatever", not literal string
     "bad file name %s"
   * t/git-cgi.t: fix a race condition that made the test fail intermittently
   * t/git-cgi.t: be more careful to provide a syntactically valid
     author/committer name and email, hopefully fixing this test on
     ci.debian.net
   * templates, comments, passwordauth: use rel=nofollow microformat for
     dynamic URLs
   * templates: use rel=nofollow microformat for comment authors
   * news: use Debian security tracker instead of MITRE for security
     references. Thanks, anarcat
   * Set package format to 3.0 (native)
   * d/copyright: re-order to put more specific stanzas later, to get the
     intended interpretation
   * d/source/lintian-overrides: override obsolete-url-in-packaging for
     OpenID Selector, which does not seem to have any more current URL
     (and in any case our version is a fork)
   * docwiki.setup: exclude TourBusStop from offline documentation. It does
     not make much sense there.
   * d/ikiwiki.lintian-overrides: override script-not-executable warnings
   * d/ikiwiki.lintian-overrides: silence false positive spelling warning
     for Moin Moin
   * d/ikiwiki.doc-base: register the documentation with doc-base
   * d/control: set libmagickcore-6.q16-3-extra as preferred
     build-dependency, with virtual package libmagickcore-extra as an
     alternative, to help autopkgtest to do the right thing
 .
 ikiwiki (3.20161229.1) unstable; urgency=medium
 .
   * git: Attribute reverts to the user doing the revert, not the wiki itself.
   * git: Do not disable the commit hook while preparing a revert.
 .
 ikiwiki (3.20161229) unstable; urgency=medium
 .
   * Security: force CGI::FormBuilder->field to scalar context where
     necessary, avoiding unintended function argument injection analogous
     to CVE-2014-1572. In ikiwiki this could be used to forge commit
     metadata, but thankfully nothing more serious. (CVE-2016-9646)
   * Security: try revert operations in a temporary working tree before
     approving them. Previously, automatic rename detection could result in
     a revert writing outside the wiki srcdir or altering a file that the
     reverting user should not be able to alter, an authorization bypass.
     (CVE-2016-10026 represents the original vulnerability.) The incomplete
     fix released in 3.20161219 was not effective for git versions prior to
     2.8.0rc0. (CVE-2016-9645 represents that incomplete solution.)
   * Add CVE references for CVE-2016-10026
   * Add automated test for using the CGI with git, including CVE-2016-10026
     - Build-depend on libipc-run-perl for better build-time test coverage
   * Add missing ikiwiki.setup for the manual test for CVE-2016-10026
   * git: don't issue a warning if the rcsinfo CGI parameter is undefined
   * git: do not fail to commit changes with a recent git version and an
     anonymous committer
 .
 ikiwiki (3.20161219) unstable; urgency=medium
 .
   [ Joey Hess ]
   * inline: Prevent creating a file named ".mdwn" when the postform is
     submitted with an empty title.
 .
   [ Simon McVittie ]
   * Security: tell `git revert` not to follow renames. If it does, then
     renaming a file can result in a revert writing outside the wiki srcdir
     or altering a file that the reverting user should not be able to alter,
     an authorization bypass. Thanks, intrigeri. (CVE-2016-10026)
   * cgitemplate: remove some dead code. Thanks, blipvert
   * Restrict CSS matches against header class to not break Pandoc tables
     with header rows. Thanks, karsk
   * Make pagestats output more deterministic. Thanks, intrigeri
Checksums-Sha1:
 dd30d7c2651fc528978b8c7b1b8ebe9b3cc86b3b 2256 ikiwiki_3.20170111~bpo8+1.dsc
 7d7b352d31e179f91af51f419c2db165033e8e1e 2621140 ikiwiki_3.20170111~bpo8+1.tar.xz
 969f3415770b6383103bebcb1057084460408e30 1417414 ikiwiki_3.20170111~bpo8+1_all.deb
Checksums-Sha256:
 36d74521fb87a19e0f9cafa8249f1a17103259dc987d32bacc6898cff778821d 2256 ikiwiki_3.20170111~bpo8+1.dsc
 1a8cf9545ff0b39f57ac4d1a975a492bfeb63c900ba0d7614544446984ef1910 2621140 ikiwiki_3.20170111~bpo8+1.tar.xz
 5699404c6b422ae88f14b4f76a1d5bda08e4ae1b8458aff84462e899bf4dd24e 1417414 ikiwiki_3.20170111~bpo8+1_all.deb
Files:
 c7c80e210397522eea91c42bd8cdb3c0 2256 web optional ikiwiki_3.20170111~bpo8+1.dsc
 066f6656e183895100079703649c4457 2621140 web optional ikiwiki_3.20170111~bpo8+1.tar.xz
 290e73d8322e11a7df46a73d6a2fcc6b 1417414 web optional ikiwiki_3.20170111~bpo8+1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE2pjyXAhxxJpZ6v8sTej/KmPHzJAFAlh2yu0ACgkQTej/KmPH
zJA21BAAnOafOhi3syViHwR+/2fVPhCuZYzYkvvGLcK6iHH2+wDbMf+k3III2S1N
5BAUWYZvMPuVlAYXMuI7viV9jPe6N8bnoZouFhsygQkNMwhaVUliA/4mhdtdWgx+
yER4SLtmbr+P0GvgZE9cGUjlmdv0kiQbmNWlRi0B9OXYi6fCSIo+8DiTPVFpBg3X
zGSeov4q4MsJZzGdEG+b/YfTZldLsDGBzLFrjJZnFXNAO1JrsVNyiS5UcVN+L9iL
cy8krVsau+EVTtiYd2zFTZHUJ2apbSfLyCV8JjqSqhIByMWYRDYUnSmTFljKTF/P
34YtqoAQ2WVkmDUcG+2tuHKkPkct6xImSXjeM0ipQuMO5t+kTZAUjt/cuOcfYGX3
DsHFWaa6ffVwHZ2TD0m+TiZGLmDjlDCyNEJyVNStQDD+ioMlSD735F2NKJOBlKab
4tDWn6tgISnGz+JO3FPA+UHCpdUyj++k+1VSW0BP+WsmfZ/9EIV1pJu11Fc6pMnK
AVGRajIEAFMLm7EVOJkSFwytx4E5gVMsvhdvM2R04YxDqEs2OZKa6mNBNnzymjmH
/7dHxUV1k9sOB9/z96G7eVxR/AyN77Dfr+nUIOhsJMK1TqUlYcTzElHJOzCcvtOt
9loKAkaP8dDEYnVCNW1LUaOyCbp/X2pPcYmEHs7a+9M8ht4ZOiY=
=o7xm
-----END PGP SIGNATURE-----
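The mechanism behind the CVE-2016-9646 entry (list-context argument injection, the same class as CVE-2014-1572) and the CVE-2017-0356 entries (repeated name/email parameters reaching passwordauth), shown as an added example that is not ikiwiki's code and not part of this .changes file. It uses CGI.pm's param() rather than CGI::FormBuilder->field, since both expand to a list of values in list context; describe_user is a hypothetical handler and the query string is constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added illustration, not ikiwiki's code: how a repeated CGI parameter turns
# into an extra named argument in Perl, and the scalar-context fix the
# changelog describes. Only CGI.pm is used; the request below is constructed.
use strict;
use warnings;
use CGI;

# Hypothetical handler taking named arguments, as many Perl APIs do.
# It reads only the 'name' and 'email' keys of whatever list it is given.
sub describe_user {
    my %args = @_;
    my $name  = $args{name}  // '(none)';
    my $email = $args{email} // '(none)';
    return "name=$name email=$email";
}

# Attacker-controlled query string: 'name' is repeated, so in list context
# param('name') returns three values instead of one. The second and third
# values are read by %args as a new key/value pair, 'email' => '...'.
my $q = CGI->new('name=alice&name=email&name=attacker@example.org');

# Vulnerable: the method call sits in list context inside the argument list,
# so the caller intends (name => 'alice') but passes
# (name => 'alice', 'email', 'attacker@example.org').
my $vulnerable = describe_user(name => $q->param('name'));

# Hardened, as in the changelog: force scalar context so that exactly one
# value (the first) is passed and no extra key can be injected.
my $hardened = describe_user(name => scalar $q->param('name'));

# Stricter policy (an assumption about policy, not something the changelog
# specifies): treat a repeated security-relevant parameter as a malformed
# request instead of silently taking the first value.
my @names = $q->param('name');   # deliberately in list context
my $check = @names > 1 ? 'rejected: repeated name parameter' : 'ok';

print "vulnerable: $vulnerable\n";
print "hardened:   $hardened\n";
print "check:      $check\n";
```

Recent CGI.pm releases (4.08 and later) print a warning when param() is called in list context precisely because of this pattern; the warning is a useful grep target when auditing a Perl CGI code base for the same bug class.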