Commit Graph

15321 Commits (12b4618228008b3c4358a1dc12e80242d6754bf3)

Author SHA1 Message Date
Simon McVittie 12b4618228 Note another Debian 8 backport 2017-01-12 00:31:10 +00:00
Simon McVittie 666d87a50c Fix typo 2017-01-11 19:02:10 +00:00
Simon McVittie 8b54ba7ad1 Release 3.20170111 2017-01-11 18:18:38 +00:00
Simon McVittie 4d0e525e6a Document the security fix soon to be released in 3.20170111 2017-01-11 18:16:42 +00:00
Simon McVittie c7a4d57772 3.20170110 2017-01-10 13:22:13 +00:00
Simon McVittie 7586f5165e news: Use Debian security tracker instead of MITRE for CVE references
The Debian security tracker gets timely updates, whereas the official
CVE pages hosted by MITRE tend to show up as "RESERVED" for several
weeks or months after assignment.
2017-01-09 14:11:18 +00:00
Simon McVittie 9e03c00202 shortcuts: Use security-tracker.debian.org for [[!debcve]]
security.debian.org currently rejects HTTPS connections.
2017-01-09 14:09:35 +00:00
https://anarc.at/openid/ f2b65d0370 add debian security tracker 2016-12-30 16:48:40 -04:00
Simon McVittie a60f837695 Merge remote-tracking branch 'origin/master' 2016-12-29 21:34:10 +00:00
Simon McVittie e0341d0e88 3.20161229.1 2016-12-29 20:47:17 +00:00
smcv 7562350a3a add anchors for use in advisory to oss-security 2016-12-29 16:24:48 -04:00
Simon McVittie 04e322fd6b Clarify which versions of ikiwiki fixed CVE-2016-9645, -9646 2016-12-29 20:08:49 +00:00
Simon McVittie 287bb19883 3.20161229 2016-12-29 17:37:51 +00:00
Simon McVittie cf0166347c Add CVE references for CVE-2016-9646, CVE-2016-9645
Thanks to the Debian security team for allocating these.
2016-12-29 17:36:11 +00:00
Simon McVittie 078d4208ca Prune git remotes that are unreachable or unresponsive 2016-12-29 17:30:56 +00:00
Simon McVittie a8a7462382 Try revert operations (on a branch) before approving them
Otherwise, we have a time-of-check/time-of-use vulnerability:
rcs_preprevert previously looked at what changed in the commit we are
reverting, not at what would result from reverting it now. In
particular, if some files were renamed since the commit we are
reverting, a revert of changes that were within the designated
subdirectory and allowed by check_canchange() might now affect
files that are outside the designated subdirectory or disallowed
by check_canchange().

It is not sufficient to disable rename detection, since git older
than 2.8.0rc0 (in particular the version in Debian stable) silently
accepts and ignores the relevant options.

OVE-20161226-0002
2016-12-28 21:32:12 +00:00
Simon McVittie c1120bbbe8 Force CGI::FormBuilder->field to scalar context where necessary
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in f4ec7b0. Force it into scalar context where it is used
in an argument list.

This prevents two (relatively minor) commit metadata forgery
vulnerabilities:

* In the comments plugin, an attacker who was able to post a comment
  could give it a user-specified author and author-URL even if the wiki
  configuration did not allow for that, by crafting multiple values
  to other fields.
* In the editpage plugin, an attacker who was able to edit a page
  could potentially forge commit authorship by crafting multiple values
  for the rcsinfo field.

The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.

OVE-20161226-0001
2016-12-28 21:32:12 +00:00
spalax a9b876e1fa Added a comment 2016-12-26 18:03:28 -04:00
smcv 836f165939 Added a comment 2016-12-26 15:26:25 -04:00
spalax 1a73c8d528 Question about default timezone ":/etc/localtime" 2016-12-25 17:05:08 -04:00
Simon McVittie 28409cd358 Add CVE references for CVE-2016-10026 2016-12-21 13:03:36 +00:00
intrigeri bec3047aff Replied. 2016-12-20 10:26:22 +00:00
Simon McVittie fd6b947889 Announce 3.20161219 2016-12-19 21:20:41 +00:00
smcv 7e78712782 mention security contacts here too 2016-12-19 16:33:48 -04:00
Amitai Schleier 952404edaa Opt in to whatever spam this may bring. 2016-12-19 20:23:43 +01:00
Simon McVittie cde2cc1862 Restrict CSS matches on .header to not affect <tr>
Pandoc generates <tr class="header"> to hold <th> elements, and
we don't want to make those be display: block.

Signed-off-by: Simon McVittie <smcv@debian.org>
2016-12-19 18:21:07 +00:00
Simon McVittie 2a9e9f13f6 List security contacts
We still don't have a security@ alias; listing personal emails is
unfortunately the next-best thing.
2016-12-19 18:21:07 +00:00
Simon McVittie 9cada49ed6 Tell `git revert` not to follow renames
Otherwise, we have an authorization bypass vulnerability: rcs_preprevert
looks at what changed in the commit we are reverting, not at what would
result from reverting it now. In particular, if some files were renamed
since the commit we are reverting, a revert of changes that were within
the designated subdirectory and allowed by check_canchange() might now
affect files that are outside the designated subdirectory or disallowed
by check_canchange().

Signed-off-by: Simon McVittie <smcv@debian.org>
2016-12-19 18:21:07 +00:00
smcv 7244b712c1 Added a comment: no, not supported 2016-12-19 13:23:06 -04:00
smcv 32493312c8 rename bugs/img_tag_should_support_relative_size.mdwn to todo/img_tag_should_support_relative_size.mdwn 2016-12-19 12:46:46 -04:00
smcv 8395e43099 Not possible as stated, but could be adapted into a valid feature request 2016-12-19 12:46:22 -04:00
smcv 7d35dc88f3 2016-12-19 09:55:58 -04:00
Simon McVittie bc89021523 cgitemplate: remove dead code
blipvert points out in [[bugs/use of $topurl in cgitemplate]] that this
variable has not been used since commit a052771
"Now that we're always using HTML5, <base href> can be relative".

Signed-off-by: Simon McVittie <smcv@debian.org>
2016-12-19 12:00:34 +00:00
intrigeri 706bf876ea Report authorization bypass via RCS revert. 2016-12-17 11:11:44 +00:00
blipvert@b874dc05477cdc0dc8c9c8d9bbe2e39240253a85 bd46db3fb9 2016-12-14 19:07:00 -04:00
blipvert@b874dc05477cdc0dc8c9c8d9bbe2e39240253a85 85c1fa60b8 2016-12-14 19:06:05 -04:00
blipvert@b874dc05477cdc0dc8c9c8d9bbe2e39240253a85 bd6a4567fd 2016-12-14 19:04:05 -04:00
jeff+ikiwiki@b5854f0ab9935492e3dfefa98419b6530c92b049 9b0e02394b 2016-11-26 23:44:42 -04:00
intrigeri 2e865043d6 pagestats determinism: report bug + patch. 2016-11-20 07:00:20 +00:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 021ae7050a svetlana.nfshost 2016-11-17 07:42:50 -04:00
Juego 3a36009158 Added custom solution 2016-11-16 18:17:48 -04:00
Juego 99e0945732 rename forum/FastCGI_problem_on_Arch.mdwn to forum/__91__Solved__93__FastCGI_problem_on_Arch.mdwn 2016-11-16 18:15:14 -04:00
Amitai Schleier 8e2e61836e Update my personal site URL. 2016-11-12 22:02:58 -05:00
james@2468840dc8f314e837e1fde99a5fb1b884fa993a aeb85c9d82 update my site links. 2016-11-12 20:08:40 -04:00
openmedi 7370816738 Added a comment 2016-11-10 13:09:41 -04:00
openmedi 24573d396f Added a comment 2016-11-10 13:06:23 -04:00
openmedi f7a5c57157 2016-11-10 13:03:00 -04:00
openmedi 4eb8f49209 Added a comment 2016-11-06 15:36:24 -04:00
openmedi 08a500cbb7 Added a comment 2016-11-03 18:13:15 -04:00
vegardv@75ae889e836bda8ce69bc038d8335c398a2f6f40 536f07d9ff 2016-11-03 08:42:03 -04:00