-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 11 Jan 2017 18:18:52 +0000
Source: ikiwiki
Binary: ikiwiki
Architecture: all source
Version: 3.20141016.4
Distribution: jessie-security
Urgency: high
Maintainer: Simon McVittie <smcv@debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 835612
Description:
 ikiwiki    - a wiki compiler
Changes:
 ikiwiki (3.20141016.4) jessie-security; urgency=high
 .
   * Reference CVE-2016-4561 in 3.20141016.3 changelog
   * Security: force CGI::FormBuilder->field to scalar context where
     necessary, avoiding unintended function argument injection analogous
     to CVE-2014-1572.
     - passwordauth: prevent authentication bypass via multiple name
       parameters (CVE-2017-0356, OVE-20170111-0001)
     - passwordauth: prevent userinfo forgery via repeated email parameter
       (also CVE-2017-0356)
     - comments, editpage: prevent commit metadata forgery
       (CVE-2016-9646, OVE-20161226-0001)
     - CGI, attachment, comments, editpage, notifyemail, passwordauth, po,
       rename: harden against similar issues that are not believed to be
       exploitable
   * t/passwordauth.t: new automated test for CVE-2017-0356
   * Backport IkiWiki::Plugin::git from 3.20170110 to fix the following bugs,
     including one minor security vulnerability:
     - Security: try revert operations before approving them. Previously,
       automatic rename detection could result in a revert writing outside
       the wiki srcdir or altering a file that the reverting user should
       not be able to alter, an authorization bypass. (CVE-2016-10026
       represents the original vulnerability.) The incomplete fix released
       in 3.20161219 was not effective for git versions prior to 2.8.0rc0.
       (CVE-2016-9645 represents that incomplete solution. Debian stable
       was never vulnerable to this one.)
     - Fix the warnings "cannot chdir to .../ikiwiki-temp-working: No such
       file or directory" seen in the initial fixes for those security issues
     - If no committer identity is known, set it to "IkiWiki <ikiwiki.info>"
       in .git/config. This resolves commit errors in versions of git that
       require a non-trivial committer identity.
     - Use git log --no-renames to generate recentchanges, fixing the git
       test-case with git 2.9 (Closes: #835612)
     - Don't issue a warning if the rcsinfo CGI parameter is undefined
     - Do not fail to commit changes with a recent git version and an
       anonymous committer
     - Do not fail on filenames starting with a dash (patch from Florian Wagner)
     - Don't add a redundant "--" and run "git rev-list ... -- -- ..."
   * Backport t/git-cgi.t from 3.20170110 to have automated test coverage
     for using the CGI with git, including tests for CVE-2016-10026
     - Build-depend on libipc-run-perl for better build-time test coverage
   * Backport IkiWiki::Plugin::img from 3.20160905 to fix a regression in
     3.20141016.3:
     - img: ignore the case of the extension when detecting image format,
       fixing the regression that *.JPG etc. would not be displayed
       (patch from Amitai Schleier)
   * Backport tests' installed-test (autopkgtest) support from 3.20160121,
     adjusted for compatibility with the older pkg-perl-autopkgtest in jessie
     - d/control: add enough build-dependencies to run all tests, except for
       non-git VCSs
Checksums-Sha1:
 33858105736a8a9b4a5068bcc210eb32680a1e2b 2117 ikiwiki_3.20141016.4.dsc
 33056d7e4cc66858dc16dd33deeded101c3d78db 3355017 ikiwiki_3.20141016.4.tar.gz
 833f2c380e6192f4b66292f18d04fc0cbf481380 1431210 ikiwiki_3.20141016.4_all.deb
Checksums-Sha256:
 c000c05af1fb5359fcf4be03cdb8ff3598f8e99648acabc73e06399058fa7cfc 2117 ikiwiki_3.20141016.4.dsc
 ab571d99f1897492b86bfb42ee625d4d9bf77d1f1024afe833a75499b4ea8609 3355017 ikiwiki_3.20141016.4.tar.gz
 b774615740192adb9cf0f645a80c428d28634c34e671ff3e2e8d6f659e53b945 1431210 ikiwiki_3.20141016.4_all.deb
Files:
 d9a185f7ee6786538b1ea39f2576dc28 2117 web optional ikiwiki_3.20141016.4.dsc
 3ad760018731e99aef77e2456462e9fb 3355017 web optional ikiwiki_3.20141016.4.tar.gz
 a00680d717ca319e0edf8f99b34e9aa2 1431210 web optional ikiwiki_3.20141016.4_all.deb
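The scalar-context fix in the passwordauth items above addresses a Perl list-context pitfall: a CGI accessor evaluated inside an argument list returns every value of a repeated parameter, which then shifts or adds arguments to the callee. The following is an added illustration, not ikiwiki's or Debian's code; parse_query(), field() and userinfo_set() are constructed stand-ins for CGI::FormBuilder and ikiwiki's userinfo handling, and "regdate" is a hypothetical userinfo key.

```perl
# Added illustration, not ikiwiki's code: a CGI field read in list context
# injects extra function arguments when the parameter is repeated; forcing
# scalar context prevents it. parse_query() and field() are constructed
# stand-ins for CGI::FormBuilder; "regdate" is a hypothetical userinfo key.
use strict;
use warnings;

# Parse a form-urlencoded query string into key => [all values].
sub parse_query {
    my ($qs) = @_;
    my %p;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = map { s/%([0-9A-Fa-f]{2})/chr hex $1/ger }
                      split /=/, $pair, 2;
        push @{ $p{$k} }, $v // '';
    }
    return \%p;
}

# CGI-style accessor: every value in list context, the first in scalar.
sub field {
    my ($params, $name) = @_;
    my @v = @{ $params->{$name} || [] };
    return wantarray ? @v : $v[0];
}

# Stand-in for a userinfo update: a user, then key => value pairs.
sub userinfo_set {
    my ($user, %fields) = @_;
    return { user => $user, fields => \%fields };
}

# Vulnerable: field() in an argument list is evaluated in list context, so a
# repeated "email" becomes additional key => value pairs.
sub update_vulnerable {
    my ($p) = @_;
    return userinfo_set(scalar field($p, 'name'), email => field($p, 'email'));
}

# Hardened: scalar forces one value per field, whatever the request sends.
sub update_hardened {
    my ($p) = @_;
    return userinfo_set(scalar field($p, 'name'), email => scalar field($p, 'email'));
}

# Constructed request: "email" repeated so the surplus values land as regdate=0.
my $p = parse_query('name=alice&email=a%40example.org&email=regdate&email=0');
for my $case ([vulnerable => update_vulnerable($p)], [hardened => update_hardened($p)]) {
    my ($label, $r) = @$case;
    printf "%-11s %s\n", "$label:", join ', ', map { "$_=$r->{fields}{$_}" } sort keys %{ $r->{fields} };
}
```

The same mechanism underlies the multiple-name-parameter bypass: a repeated name shifts every later positional argument by one, which is why the fix applies scalar to each field() call rather than to a single suspect parameter.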