-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 31 Jan 2017 19:00:50 +0100
Source: ikiwiki
Binary: ikiwiki
Architecture: source all
Version: 3.20120629.2+deb7u2
Distribution: wheezy-security
Urgency: medium
Maintainer: Simon McVittie <smcv@debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@debian.org>
Description:
 ikiwiki    - a wiki compiler
Closes: 682237 835612
Changes:
 ikiwiki (3.20120629.2+deb7u2) wheezy-security; urgency=medium
 .
   [ Simon McVittie ]
   * Security: force CGI::FormBuilder->field to scalar context where
     necessary, avoiding unintended function argument injection analogous
     to CVE-2014-1572.
     - passwordauth: prevent authentication bypass via multiple name
       parameters (CVE-2017-0356, OVE-20170111-0001)
     - passwordauth: prevent userinfo forgery via repeated email parameter
       (also CVE-2017-0356)
     - comments, editpage: prevent commit metadata forgery
       (CVE-2016-9646, OVE-20161226-0001)
     - CGI, attachment, comments, editpage, notifyemail, passwordauth, po,
       rename: harden against similar issues that are not believed to be
       exploitable
   * t/passwordauth.t: new automated test for CVE-2017-0356
   * Backport IkiWiki::Plugin::git from 3.20170110 to fix the following
     bugs, including one minor security vulnerability:
     - Security: try revert operations before approving them. Previously,
       automatic rename detection could result in a revert writing outside
       the wiki srcdir or altering a file that the reverting user should
       not be able to alter, an authorization bypass. (CVE-2016-10026
       represents the original vulnerability.) The incomplete fix released
       in 3.20161219 was not effective for git versions prior to 2.8.0rc0.
       (CVE-2016-9645 represents that incomplete solution. Debian stable
       was never vulnerable to this one.)
     - Fix the warnings "cannot chdir to .../ikiwiki-temp-working: No such
       file or directory" seen in the initial fixes for those security
       issues
     - If no committer identity is known, set it to "IkiWiki <ikiwiki.info>"
       in .git/config. This resolves commit errors in versions of git that
       require a non-trivial committer identity.
     - Use git log --no-renames to generate recentchanges, fixing the git
       test-case with git 2.9 (Closes: #835612)
     - Don't issue a warning if the rcsinfo CGI parameter is undefined
     - Do not fail to commit changes with a recent git version and an
       anonymous committer
     - Do not fail on filenames starting with a dash (patch from Florian
       Wagner)
     - Don't add a redundant "--" and run "git rev-list ... -- -- ..."
   * Backport t/git-cgi.t from 3.20170110 to have automated test coverage
     for using the CGI with git, including tests for CVE-2016-10026
     - Build-depend on libipc-run-perl for better build-time test coverage
   * Backport tests' installed-test (autopkgtest) support from 3.20160121,
     adjusted for compatibility with the older pkg-perl-autopkgtest in
     jessie
     - d/control: add enough build-dependencies to run all tests, except
       for non-git VCSs
   * Split CFLAGS into words when building wrapper, fixing build-time test
     failure. Closes: #682237 (patch from Joey Hess, backported from
     3.20120630)
   * In the CGI wrapper, incorporate $config{ENV} into the environment
     before executing Perl code, so that PERL5LIB can point to a
     non-system-wide installation of IkiWiki. Some build-time tests rely on
     this, in particular t/git-cgi.t. (patch from Lafayette Chamber Singers
     Webmaster, backported from 3.20140916)
 .
   [ Emilio Pozuelo Monfort ]
   * Upload to wheezy-security.
Checksums-Sha1:
 3a9e3121597b333b76aee80d244f76475b7591b3 2095 ikiwiki_3.20120629.2+deb7u2.dsc
 6b12392969ff8ea2f5a5f34ee0afc093d5753c86 2853725 ikiwiki_3.20120629.2+deb7u2.tar.gz
 27f858b57736b3658fb5595dc2ce12129dc6ede8 1802612 ikiwiki_3.20120629.2+deb7u2_all.deb
Checksums-Sha256:
 20a1ed49d27581a84a6fe05eaac93767e219d8070aca581fceb37aa42054f9a5 2095 ikiwiki_3.20120629.2+deb7u2.dsc
 b28409b2ed8f1da4daf40e5b803b96ae4e760d2f68b4754b3da27700b92278f5 2853725 ikiwiki_3.20120629.2+deb7u2.tar.gz
 b845aa8800e70774bca7423f37e1618ef62756979322b67e8f98ffee9d6b501a 1802612 ikiwiki_3.20120629.2+deb7u2_all.deb
Files:
 013df2bd139b40eb321d768a7fec77df 2095 web optional ikiwiki_3.20120629.2+deb7u2.dsc
 3bcf594c3c94cf491a23e4de78a9ba0d 2853725 web optional ikiwiki_3.20120629.2+deb7u2.tar.gz
 625f5aa8475f0031da89840788f9a6c4 1802612 web optional ikiwiki_3.20120629.2+deb7u2_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAliQ2BEACgkQnUbEiOQ2
gwI/5hAAh6GWmjMkIvo1QOzKcuufqZKgeW3FIuzuXtSWfyl/PIm/9N8vapMflo2p
Rd9rzLo5GdczwxZwq9qVIeNj47HC3JhmxKq8AhCFWFvDaGuQIzZDNbRZIb9M6ZZ+
I2ODtz0aO56YsXZ5aGsAQrfOh3x6FkgCXJJVrMGKmBtQxeWzew5B6gIXberMgz90
sYKrglDiYGKwMbgpgfXumHCIJfOaO5RrXZIA40uVLX73TjYwNqvWVUgXualBkmOu
fUiqqpjPVQVVIQ4Zco3UDdCjNNGlDPri153evIsA60tLifjfqI5SxlBvp7c5ikuL
8Ej5hu7PJ6pD+eqYDr7czvqcGvOfObobzRbE554CC0AoxlZkA4g2orjxtLxB4+5D
CrafYK4sVT5XRcwDUhVyqJ3f1r0vSeIZyk/fk7UxRWtLDZlI2NLzT6/OIs7epUQe
LgJ0oq3dfxsWwJFAPM2qN3zquTQ4g7FPbauGozgit3boy8WbmxAC7YRArknStUng
RIpAMfwS1Kwx+pLj8Nzk5bXcTURSwd7XkiBg+Xppp9kgKn0Cj8uUXB2R+qbxzqg+
rRNmJIEUpLEiAxPo6ym0ZjgIzd+WOsGMR1lHRBU5qWmDt5QD+mUpVVkiPfcQvl0h
jgzsPpqrzcWXlwEHPdlmo0W8fM+wMddnVcVXOfLPug4SNCyZL3E=
=qY8c
-----END PGP SIGNATURE-----
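Added illustration, not part of the signed .changes file above and not ikiwiki's own code: the "force CGI::FormBuilder->field to scalar context" entry describes the CVE-2014-1572 bug class, where a method that returns every value of a repeated form parameter in list context is called inside a hash constructor or an argument list, so an attacker who repeats the parameter can splice in extra key/value pairs or shift positional arguments. ToyForm below is a constructed stand-in for the form object (assumption: like CGI.pm's param(), its field() returns all values in list context and only the first in scalar context); the request, the is_admin default and userinfo_field() are likewise constructed for the example.

```perl
#!/usr/bin/perl
# Constructed example of the list-context argument injection class fixed by
# the changelog entry above; ToyForm is an assumed stand-in, not CGI::FormBuilder.
use strict;
use warnings;

package ToyForm;

sub new {
    my ( $class, %fields ) = @_;    # each value is an arrayref of submitted values
    return bless {%fields}, $class;
}

# Assumed behaviour: all values in list context, first value in scalar context.
sub field {
    my ( $self, $name ) = @_;
    my @values = @{ $self->{$name} || [] };
    return wantarray ? @values : $values[0];
}

package main;

# Vulnerable: field() is evaluated in list context inside the hash
# constructor, so every submitted "name" value is spliced into the list and
# the surplus values become attacker-chosen key/value pairs that override
# the defaults written before them.
sub build_user_vulnerable {
    my ($form) = @_;
    my %user = (
        is_admin => 0,
        name     => $form->field('name'),
        password => $form->field('password'),
    );
    return \%user;
}

# Fixed: scalar() forces scalar context, so exactly one value is used no
# matter how many times the parameter was repeated.
sub build_user_fixed {
    my ($form) = @_;
    my %user = (
        is_admin => 0,
        name     => scalar $form->field('name'),
        password => scalar $form->field('password'),
    );
    return \%user;
}

# Same bug class with positional arguments: extra values shift everything
# after them, so a repeated "name" parameter changes which field is looked up.
sub lookup_vulnerable {
    my ($form) = @_;
    return userinfo_field( $form->field('name'), 'password' );
}

sub lookup_fixed {
    my ($form) = @_;
    return userinfo_field( scalar $form->field('name'), 'password' );
}

# Constructed stand-in for a userinfo accessor: returns which record field
# it was asked for, so the argument shift is visible.
sub userinfo_field {
    my ( $user, $field ) = @_;
    return "$user/$field";
}

# Constructed request: "name" is repeated three times so that the extra
# values line up as a key/value pair (is_admin => 1) or as a shifted argument.
my $form = ToyForm->new(
    name     => [ 'mallory', 'is_admin', '1' ],
    password => ['hunter2'],
);

for my $case (
    [ 'vulnerable', build_user_vulnerable($form), lookup_vulnerable($form) ],
    [ 'fixed',      build_user_fixed($form),      lookup_fixed($form) ],
    )
{
    my ( $label, $user, $lookup ) = @$case;
    printf "%-10s is_admin=%s name=%s lookup=%s\n",
        $label, $user->{is_admin}, $user->{name}, $lookup;
}
```

Running it shows the vulnerable variants ending up with is_admin overridden by the injected pair and the userinfo lookup redirected to the is_admin field instead of password, while the scalar-context variants keep the default and look up password. The same discipline applies to every call site that passes a request parameter into an argument list, which is why the entry also hardens the other plugins listed.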