Announce 3.20160728

master
Simon McVittie 2016-07-28 11:30:30 +01:00
parent 6264e91bac
commit 20e3655a10
3 changed files with 19 additions and 34 deletions

View File

@ -1,34 +0,0 @@
ikiwiki 3.20150329 released with [[!toggle text="these changes"]]. This is a
security update fixing a cross-site scripting vulnerability.
[[!toggleable text="""
[ [[Joey Hess|joey]] ]
* Fix NULL ptr deref on ENOMEM in wrapper. (Thanks, igli)
[ [[Simon McVittie|smcv]] ]
* Really don't double-decode CGI submissions, even on Perl versions that
bundle an old enough Encode.pm for that not to be a problem: the
system might have a newer Encode.pm installed separately, like Fedora 20.
(Closes: [[!debbug 776181]]; thanks, Anders Kaseorg)
* If neither timezone nor TZ is set, set both to :/etc/localtime if
we're on a GNU system and that file exists, or GMT otherwise
* t/inline.t: accept translations of "Add a new post titled:"
(Closes: [[!debbug 779365]])
* Consistently document command-line options as e.g. --refresh, not -refresh
[ [[Amitai Schlair|schmonz]] ]
* In VCS-committed anonymous comments, link to url.
[ [[Joey Hess|joey]] ]
* Fix XSS in openid selector. Thanks, Raghav Bisht.
(Closes: [[!debbug 781483]])
"""]]
In addition, version 3.20141016.2 was released on the same day to backport
the cross-site-scripting fix to Debian 8.
[[!meta date="2015-03-29 22:46:39 +0100"]]

View File

@ -0,0 +1,9 @@
ikiwiki 3.20160728 released with [[!toggle text="these changes"]]
[[!toggleable text="""
* Explicitly remove current working directory from Perl's library
search path, mitigating [[!cve CVE-2016-1238]] (see [[!debbug 588017]])
* wrappers: allocate new environment dynamically, so we won't overrun
the array if third-party plugins add multiple environment variables.
* Standards-Version: 3.9.8 (no changes required)
--[[smcv]]"""]]

View File

@ -531,3 +531,13 @@ resize. An upgrade is recommended for sites where an untrusted user is
able to attach images. Upgrading ImageMagick to a version where able to attach images. Upgrading ImageMagick to a version where
CVE-2016-3714 has been fixed is also recommended, but at the time of CVE-2016-3714 has been fixed is also recommended, but at the time of
writing no such version is available. writing no such version is available.
## Perl CVE-2016-1238 (current working directory in search path)
ikiwiki 3.20160728 attempts to mitigate [[!cve CVE-2016-1238]] by
removing `'.'` from the Perl library search path. An attacker with write
access to ikiwiki's current working directory could potentially use this
vulnerability to execute arbitrary Perl code. An upgrade is recommended
for sites where an untrusted user is able to attach files with arbitrary
names and/or run a setuid ikiwiki wrapper with a working directory of
their choice.