Announce 3.20160728
parent 6264e91bac
commit 20e3655a10
@ -1,34 +0,0 @@
ikiwiki 3.20150329 released with [[!toggle text="these changes"]]. This is a
security update fixing a cross-site scripting vulnerability.
[[!toggleable text="""
[ [[Joey Hess|joey]] ]
* Fix NULL ptr deref on ENOMEM in wrapper. (Thanks, igli)
[ [[Simon McVittie|smcv]] ]
* Really don't double-decode CGI submissions, even on Perl versions that
bundle an old enough Encode.pm for that not to be a problem: the
system might have a newer Encode.pm installed separately, like Fedora 20.
(Closes: [[!debbug 776181]]; thanks, Anders Kaseorg)
* If neither timezone nor TZ is set, set both to :/etc/localtime if
we're on a GNU system and that file exists, or GMT otherwise
* t/inline.t: accept translations of "Add a new post titled:"
(Closes: [[!debbug 779365]])
* Consistently document command-line options as e.g. --refresh, not -refresh
[ [[Amitai Schlair|schmonz]] ]
* In VCS-committed anonymous comments, link to url.
[ [[Joey Hess|joey]] ]
* Fix XSS in openid selector. Thanks, Raghav Bisht.
(Closes: [[!debbug 781483]])
"""]]
In addition, version 3.20141016.2 was released on the same day to backport
the cross-site-scripting fix to Debian 8.
[[!meta date="2015-03-29 22:46:39 +0100"]]
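Review bot: the commit title "Announce 3.20160728" does not mention that this hunk deletes the whole 3.20150329 announcement, which was itself a security update (the openid selector XSS fix, [[!debbug 781483]]) and carried the note that 3.20141016.2 backported the cross-site-scripting fix to Debian 8; if dropping old announcements is routine when a new release is announced, say so in the commit message, otherwise consider keeping this file so the earlier security advisory stays discoverable.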
@ -0,0 +1,9 @@
ikiwiki 3.20160728 released with [[!toggle text="these changes"]]
[[!toggleable text="""
* Explicitly remove current working directory from Perl's library
search path, mitigating [[!cve CVE-2016-1238]] (see [[!debbug 588017]])
* wrappers: allocate new environment dynamically, so we won't overrun
the array if third-party plugins add multiple environment variables.
* Standards-Version: 3.9.8 (no changes required)
--[[smcv]]"""]]
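Review bot: the new announcement has no `[[!meta date=...]]` directive, unlike the 3.20150329 announcement being deleted in the same commit, which ended with `[[!meta date="2015-03-29 22:46:39 +0100"]]`; without it the displayed date of the news entry depends on the file's mtime or VCS history rather than the release time. The headline also lacks the sentence the previous announcement used to flag a security update, even though the first bullet is a mitigation for [[!cve CVE-2016-1238]]; consider adding "This is a security update mitigating ..." so readers skimming the news page see it. Finally, "Standards-Version: 3.9.8 (no changes required)" is Debian packaging housekeeping with no effect for site administrators and could be left out of a user-facing changelog.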
@ -531,3 +531,13 @@ resize. An upgrade is recommended for sites where an untrusted user is
able to attach images. Upgrading ImageMagick to a version where
CVE-2016-3714 has been fixed is also recommended, but at the time of
writing no such version is available.
## Perl CVE-2016-1238 (current working directory in search path)
ikiwiki 3.20160728 attempts to mitigate [[!cve CVE-2016-1238]] by
removing `'.'` from the Perl library search path. An attacker with write
access to ikiwiki's current working directory could potentially use this
vulnerability to execute arbitrary Perl code. An upgrade is recommended
for sites where an untrusted user is able to attach files with arbitrary
names and/or run a setuid ikiwiki wrapper with a working directory of
their choice.
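Review bot: "attempts to mitigate" leaves the scope of the fix unclear, which matters because the risk statement names two distinct entry points (an untrusted user attaching files with arbitrary names, and an untrusted user running a setuid ikiwiki wrapper with a working directory of their choice); the section should say whether removing `'.'` from the library search path applies to every way ikiwiki is started, including plain command-line `ikiwiki` runs, or only to the wrappers, and the preceding sections' pattern of stating which version fixes the issue would fit here too ("fixed in 3.20160728" rather than "attempts to mitigate"). Since CVE-2016-1238 is a Perl-level issue, it would also help administrators to say whether an updated perl that no longer puts the current directory in `@INC` is sufficient on its own, or whether the ikiwiki upgrade is still needed alongside it.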