Debian Package Tracker

general

source: dokuwiki (main)
version: 0.0.20160626.a-2.1
maintainer: Tanguy Ortolo [DMD]
uploaders: Mohammed Adnène Trojette [DMD] – Tanguy Ortolo [DMD]
arch: all
std-ver: 3.9.8
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.0.20120125b-2+deb7u1
o-o-sec: 0.0.20120125b-2+deb7u2
oldstable: 0.0.20140505.a+dfsg-4
old-sec: 0.0.20140505.a+dfsg-4+deb8u1
testing: 0.0.20160626.a-2.1
unstable: 0.0.20160626.a-2.1

versioned links

0.0.20120125b-2+deb7u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.0.20120125b-2+deb7u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.0.20140505.a+dfsg-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.0.20140505.a+dfsg-4+deb8u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.0.20160626.a-2.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

dokuwiki

action needed

A new upstream version is available: 0.0.20180422.a high

A new upstream version 0.0.20180422.a is available, you should consider packaging it.

Created: 2017-11-21 Last update: 2018-08-20 01:51

5 security issues in sid high

There are 5 open security issues in sid.

5 important issues:

CVE-2016-7964: The sendRequest method in HTTPClient Class in file /inc/HTTPClient.php in DokuWiki 2016-06-26a and older, when media file fetching is enabled, has no way to restrict access to private networks. This allows users to scan ports of internal networks via SSRF, such as 10.0.0.1/8, 172.16.0.0/12, and 192.168.0.0/16.
CVE-2017-12980: DokuWiki through 2017-02-19c has stored XSS when rendering a malicious RSS or Atom feed, in /inc/parser/xhtml.php. An attacker can create or edit a wiki that uses RSS or Atom data from an attacker-controlled server to trigger JavaScript execution. The JavaScript can be in an author field, as demonstrated by the dc:creator element.
CVE-2017-12583: DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE_AT variable) to doku.php.
CVE-2016-7965: DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead of the baseurl setting as part of the password-reset URL. This can lead to phishing attacks. (A remote unauthenticated attacker can change the URL's hostname via the HTTP Host header.) The vulnerability can be triggered only if the Host header is not part of the web server routing process (e.g., if several domains are served by the same web server).
CVE-2017-12979: DokuWiki through 2017-02-19c has stored XSS when rendering a malicious language name in a code element, in /inc/parser/xhtml.php. An attacker can create or edit a wiki with this element to trigger JavaScript execution.

Please fix them.

Created: 2016-11-01 Last update: 2018-07-18 08:10

5 security issues in buster high

There are 5 open security issues in buster.

5 important issues:

CVE-2016-7964: The sendRequest method in HTTPClient Class in file /inc/HTTPClient.php in DokuWiki 2016-06-26a and older, when media file fetching is enabled, has no way to restrict access to private networks. This allows users to scan ports of internal networks via SSRF, such as 10.0.0.1/8, 172.16.0.0/12, and 192.168.0.0/16.
CVE-2017-12980: DokuWiki through 2017-02-19c has stored XSS when rendering a malicious RSS or Atom feed, in /inc/parser/xhtml.php. An attacker can create or edit a wiki that uses RSS or Atom data from an attacker-controlled server to trigger JavaScript execution. The JavaScript can be in an author field, as demonstrated by the dc:creator element.
CVE-2017-12583: DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE_AT variable) to doku.php.
CVE-2016-7965: DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead of the baseurl setting as part of the password-reset URL. This can lead to phishing attacks. (A remote unauthenticated attacker can change the URL's hostname via the HTTP Host header.) The vulnerability can be triggered only if the Host header is not part of the web server routing process (e.g., if several domains are served by the same web server).
CVE-2017-12979: DokuWiki through 2017-02-19c has stored XSS when rendering a malicious language name in a code element, in /inc/parser/xhtml.php. An attacker can create or edit a wiki with this element to trigger JavaScript execution.

Please fix them.

Created: 2018-07-18 Last update: 2018-07-18 08:10

Standards version of the package is outdated. high

The package is severely out of date with respect to the Debian Policy. The package should be updated to follow the last version of Debian Policy (Standards-Version 4.1.5 instead of 3.9.8).

Created: 2018-02-04 Last update: 2018-07-13 19:43

Error while accessing the VCS repository. Please troubleshoot and fix the issue. high

vcswatch reports that there is an error with this package's VCS, or the debian/changelog file inside it. Please check the error shown below and try to fix it. You might have to update the VCS URL in the debian/control file to point to the correct repository.

fatal: repository 'https://anonscm.debian.org/git/collab-maint/dokuwiki.git/' not found

Created: 2017-12-03 Last update: 2018-07-03 15:57

Depends on packages which need a new maintainer normal

The packages that dokuwiki depends on which need a new maintainer are:

geshi (#895843)
- Depends: php-geshi

Created: 2018-04-16 Last update: 2018-08-20 02:02

4 bugs tagged patch in the BTS normal

The BTS contains patches fixing 4 bugs (5 if counting merged bugs), consider including or untagging them.

Created: 2017-11-21 Last update: 2018-08-20 01:25

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2018-04-14 Last update: 2018-04-14 07:47

The URL(s) for this package had some recent persistent issues low

DUCK reports some issues concerning upstream URLs defined for this package.

Created: 2018-06-14 Last update: 2018-08-20 01:58

6 ignored security issues in jessie low

There are 6 open security issues in jessie.

6 issues skipped by the security teams:

CVE-2017-12980: DokuWiki through 2017-02-19c has stored XSS when rendering a malicious RSS or Atom feed, in /inc/parser/xhtml.php. An attacker can create or edit a wiki that uses RSS or Atom data from an attacker-controlled server to trigger JavaScript execution. The JavaScript can be in an author field, as demonstrated by the dc:creator element.
CVE-2014-9253: The default file type whitelist configuration in conf/mime.conf in the Media Manager in DokuWiki before 2014-09-29b allows remote attackers to execute arbitrary web script or HTML by uploading an SWF file, then accessing it via the media parameter to lib/exe/fetch.php.
TEMP-0780817-7C5137:
CVE-2016-7965: DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead of the baseurl setting as part of the password-reset URL. This can lead to phishing attacks. (A remote unauthenticated attacker can change the URL's hostname via the HTTP Host header.) The vulnerability can be triggered only if the Host header is not part of the web server routing process (e.g., if several domains are served by the same web server).
CVE-2017-12979: DokuWiki through 2017-02-19c has stored XSS when rendering a malicious language name in a code element, in /inc/parser/xhtml.php. An attacker can create or edit a wiki with this element to trigger JavaScript execution.
CVE-2016-7964: The sendRequest method in HTTPClient Class in file /inc/HTTPClient.php in DokuWiki 2016-06-26a and older, when media file fetching is enabled, has no way to restrict access to private networks. This allows users to scan ports of internal networks via SSRF, such as 10.0.0.1/8, 172.16.0.0/12, and 192.168.0.0/16.

Please fix them.

Created: 2015-07-12 Last update: 2018-07-18 08:10

news

[rss feed]

[2018-07-18] dokuwiki 0.0.20160626.a-2.1 MIGRATED to testing (Debian testing watch)
[2018-07-13] Accepted dokuwiki 0.0.20160626.a-2.1 (source) into unstable (Reinhard Tartler)
[2018-07-05] Accepted dokuwiki 0.0.20140505.a+dfsg-4+deb8u1 (source all) into oldstable (Antoine Beaupré)
[2018-05-23] dokuwiki REMOVED from testing (Debian testing watch)
[2018-02-04] Accepted dokuwiki 0.0.20120125b-2+deb7u2 (source all) into oldoldstable (Chris Lamb)
[2017-06-20] dokuwiki 0.0.20160626.a-2 MIGRATED to testing (Debian testing watch)
[2017-04-14] Accepted dokuwiki 0.0.20160626.a-2 (source all) into unstable (Tanguy Ortolo) (signed by: Tanguy Pierre Charles Philippe Ortolo)
[2017-04-04] dokuwiki REMOVED from testing (Debian testing watch)
[2016-08-20] dokuwiki 0.0.20160626.a-1 MIGRATED to testing (Debian testing watch)
[2016-08-14] Accepted dokuwiki 0.0.20160626.a-1 (source all) into unstable (Tanguy Ortolo) (signed by: Tanguy Pierre Charles Philippe Ortolo)
[2016-05-15] dokuwiki 0.0.20150810.a-2 MIGRATED to testing (Debian testing watch)
[2016-05-09] Accepted dokuwiki 0.0.20150810.a-2 (source all) into unstable (Tanguy Ortolo) (signed by: Tanguy Pierre Charles Philippe Ortolo)
[2016-03-05] dokuwiki 0.0.20150810.a-1 MIGRATED to testing (Debian testing watch)
[2016-02-28] Accepted dokuwiki 0.0.20150810.a-1 (source all) into unstable (Tanguy Ortolo) (signed by: Tanguy Pierre Charles Philippe Ortolo)
[2015-04-27] dokuwiki 0.0.20140929.d-1 MIGRATED to testing (Britney)
[2015-03-23] dokuwiki 0.0.20140505.a+dfsg-4 MIGRATED to testing (Britney)
[2015-03-22] Accepted dokuwiki 0.0.20140929.d-1 (source all) into unstable (Tanguy Ortolo) (signed by: Tanguy Pierre Charles Philippe Ortolo)
[2015-03-22] Accepted dokuwiki 0.0.20140505.a+dfsg-4 (source all) into testing-proposed-updates (Tanguy Ortolo) (signed by: Tanguy Pierre Charles Philippe Ortolo)
[2014-11-03] Accepted dokuwiki 0.0.20120125b-2+deb7u1 (source all) into proposed-updates->stable-new, proposed-updates (Tanguy Ortolo) (signed by: Tanguy Pierre Charles Philippe Ortolo)
[2014-10-29] Accepted dokuwiki 0.0.20091225c-10+squeeze3 (source all) into squeeze-lts (Tanguy Ortolo) (signed by: Tanguy Pierre Charles Philippe Ortolo)
[2014-10-28] Accepted dokuwiki 0.0.20140929.a-1 (source all) into unstable (Tanguy Ortolo) (signed by: Tanguy Pierre Charles Philippe Ortolo)
[2014-10-16] dokuwiki 0.0.20140505.a+dfsg-3 MIGRATED to testing (Britney)
[2014-10-05] Accepted dokuwiki 0.0.20140505.a+dfsg-3 (source all) into unstable (Tanguy Ortolo) (signed by: Tanguy Pierre Charles Philippe Ortolo)
[2014-09-01] dokuwiki 0.0.20140505.a+dfsg-2 MIGRATED to testing (Britney)
[2014-08-26] Accepted dokuwiki 0.0.20140505.a+dfsg-2 (source all) into unstable (Tanguy Ortolo) (signed by: Tanguy Pierre Charles Philippe Ortolo)
[2014-08-25] Accepted dokuwiki 0.0.20140505.a+dfsg-1 (source all) into experimental (Tanguy Ortolo) (signed by: Tanguy Pierre Charles Philippe Ortolo)
[2014-06-14] dokuwiki 0.0.20140505+dfsg-1 MIGRATED to testing (Debian testing watch)
[2014-06-08] Accepted dokuwiki 0.0.20140505+dfsg-1 (source all) (Tanguy Ortolo) (signed by: Tanguy Pierre Charles Philippe Ortolo)
[2014-04-24] dokuwiki 0.0.20131208-2 MIGRATED to testing (Debian testing watch)
[2014-04-18] Accepted dokuwiki 0.0.20131208-2 (source all) (Tanguy Ortolo) (signed by: Tanguy Pierre Charles Philippe Ortolo)

bugs [bug history graph]

all: 16 18
RC: 0
I&N: 9
M&W: 2 3
F&P: 1
patch: 4 5

links

homepage
lintian (0, 2)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.0.20160626.a-2.1
12 bugs