Commit Graph

15371 Commits (886610d85bc77de5a1da50f54ac156c4eb1846f8)

Author SHA1 Message Date
Simon McVittie 12b4618228 Note another Debian 8 backport 2017-01-12 00:31:10 +00:00
Simon McVittie 666d87a50c Fix typo 2017-01-11 19:02:10 +00:00
Simon McVittie 8b54ba7ad1 Release 3.20170111 2017-01-11 18:18:38 +00:00
Simon McVittie 4d0e525e6a Document the security fix soon to be released in 3.20170111 2017-01-11 18:16:42 +00:00
Simon McVittie c7a4d57772 3.20170110 2017-01-10 13:22:13 +00:00
Simon McVittie 7586f5165e news: Use Debian security tracker instead of MITRE for CVE references
The Debian security tracker gets timely updates, whereas the official
CVE pages hosted by MITRE tend to show up as "RESERVED" for several
weeks or months after assignment.
2017-01-09 14:11:18 +00:00
Simon McVittie 9e03c00202 shortcuts: Use security-tracker.debian.org for [[!debcve]]
security.debian.org currently rejects HTTPS connections.
2017-01-09 14:09:35 +00:00
https://anarc.at/openid/ f2b65d0370 add debian security tracker 2016-12-30 16:48:40 -04:00
Simon McVittie a60f837695 Merge remote-tracking branch 'origin/master' 2016-12-29 21:34:10 +00:00
Simon McVittie e0341d0e88 3.20161229.1 2016-12-29 20:47:17 +00:00
smcv 7562350a3a add anchors for use in advisory to oss-security 2016-12-29 16:24:48 -04:00
Simon McVittie 04e322fd6b Clarify which versions of ikiwiki fixed CVE-2016-9645, -9646 2016-12-29 20:08:49 +00:00
Simon McVittie 287bb19883 3.20161229 2016-12-29 17:37:51 +00:00
Simon McVittie cf0166347c Add CVE references for CVE-2016-9646, CVE-2016-9645
Thanks to the Debian security team for allocating these.
2016-12-29 17:36:11 +00:00
Simon McVittie 078d4208ca Prune git remotes that are unreachable or unresponsive 2016-12-29 17:30:56 +00:00
Simon McVittie a8a7462382 Try revert operations (on a branch) before approving them
Otherwise, we have a time-of-check/time-of-use vulnerability:
rcs_preprevert previously looked at what changed in the commit we are
reverting, not at what would result from reverting it now. In
particular, if some files were renamed since the commit we are
reverting, a revert of changes that were within the designated
subdirectory and allowed by check_canchange() might now affect
files that are outside the designated subdirectory or disallowed
by check_canchange().

It is not sufficient to disable rename detection, since git older
than 2.8.0rc0 (in particular the version in Debian stable) silently
accepts and ignores the relevant options.

OVE-20161226-0002
2016-12-28 21:32:12 +00:00
Simon McVittie c1120bbbe8 Force CGI::FormBuilder->field to scalar context where necessary
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in f4ec7b0. Force it into scalar context where it is used
in an argument list.

This prevents two (relatively minor) commit metadata forgery
vulnerabilities:

* In the comments plugin, an attacker who was able to post a comment
  could give it a user-specified author and author-URL even if the wiki
  configuration did not allow for that, by crafting multiple values
  to other fields.
* In the editpage plugin, an attacker who was able to edit a page
  could potentially forge commit authorship by crafting multiple values
  for the rcsinfo field.

The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.

OVE-20161226-0001
2016-12-28 21:32:12 +00:00
spalax a9b876e1fa Added a comment 2016-12-26 18:03:28 -04:00
smcv 836f165939 Added a comment 2016-12-26 15:26:25 -04:00
spalax 1a73c8d528 Question about default timezone ":/etc/localtime" 2016-12-25 17:05:08 -04:00
Simon McVittie 28409cd358 Add CVE references for CVE-2016-10026 2016-12-21 13:03:36 +00:00
intrigeri bec3047aff Replied. 2016-12-20 10:26:22 +00:00
Simon McVittie fd6b947889 Announce 3.20161219 2016-12-19 21:20:41 +00:00
smcv 7e78712782 mention security contacts here too 2016-12-19 16:33:48 -04:00
Amitai Schleier 952404edaa Opt in to whatever spam this may bring. 2016-12-19 20:23:43 +01:00
Simon McVittie cde2cc1862 Restrict CSS matches on .header to not affect <tr>
Pandoc generates <tr class="header"> to hold <th> elements, and
we don't want to make those be display: block.

Signed-off-by: Simon McVittie <smcv@debian.org>
2016-12-19 18:21:07 +00:00
Simon McVittie 2a9e9f13f6 List security contacts
We still don't have a security@ alias; listing personal emails is
unfortunately the next-best thing.
2016-12-19 18:21:07 +00:00
Simon McVittie 9cada49ed6 Tell `git revert` not to follow renames
Otherwise, we have an authorization bypass vulnerability: rcs_preprevert
looks at what changed in the commit we are reverting, not at what would
result from reverting it now. In particular, if some files were renamed
since the commit we are reverting, a revert of changes that were within
the designated subdirectory and allowed by check_canchange() might now
affect files that are outside the designated subdirectory or disallowed
by check_canchange().

Signed-off-by: Simon McVittie <smcv@debian.org>
2016-12-19 18:21:07 +00:00
smcv 7244b712c1 Added a comment: no, not supported 2016-12-19 13:23:06 -04:00
smcv 32493312c8 rename bugs/img_tag_should_support_relative_size.mdwn to todo/img_tag_should_support_relative_size.mdwn 2016-12-19 12:46:46 -04:00
smcv 8395e43099 Not possible as stated, but could be adapted into a valid feature request 2016-12-19 12:46:22 -04:00
smcv 7d35dc88f3 2016-12-19 09:55:58 -04:00
Simon McVittie bc89021523 cgitemplate: remove dead code
blipvert points out in [[bugs/use of $topurl in cgitemplate]] that this
variable has not been used since commit a052771
"Now that we're always using HTML5, <base href> can be relative".

Signed-off-by: Simon McVittie <smcv@debian.org>
2016-12-19 12:00:34 +00:00
intrigeri 706bf876ea Report authorization bypass via RCS revert. 2016-12-17 11:11:44 +00:00
blipvert@b874dc05477cdc0dc8c9c8d9bbe2e39240253a85 bd46db3fb9 2016-12-14 19:07:00 -04:00
blipvert@b874dc05477cdc0dc8c9c8d9bbe2e39240253a85 85c1fa60b8 2016-12-14 19:06:05 -04:00
blipvert@b874dc05477cdc0dc8c9c8d9bbe2e39240253a85 bd6a4567fd 2016-12-14 19:04:05 -04:00
jeff+ikiwiki@b5854f0ab9935492e3dfefa98419b6530c92b049 9b0e02394b 2016-11-26 23:44:42 -04:00
intrigeri 2e865043d6 pagestats determinism: report bug + patch. 2016-11-20 07:00:20 +00:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 021ae7050a svetlana.nfshost 2016-11-17 07:42:50 -04:00
Juego 3a36009158 Added custom solution 2016-11-16 18:17:48 -04:00
Juego 99e0945732 rename forum/FastCGI_problem_on_Arch.mdwn to forum/__91__Solved__93__FastCGI_problem_on_Arch.mdwn 2016-11-16 18:15:14 -04:00
Amitai Schleier 8e2e61836e Update my personal site URL. 2016-11-12 22:02:58 -05:00
james@2468840dc8f314e837e1fde99a5fb1b884fa993a aeb85c9d82 update my site links. 2016-11-12 20:08:40 -04:00
openmedi 7370816738 Added a comment 2016-11-10 13:09:41 -04:00
openmedi 24573d396f Added a comment 2016-11-10 13:06:23 -04:00
openmedi f7a5c57157 2016-11-10 13:03:00 -04:00
openmedi 4eb8f49209 Added a comment 2016-11-06 15:36:24 -04:00
openmedi 08a500cbb7 Added a comment 2016-11-03 18:13:15 -04:00
vegardv@75ae889e836bda8ce69bc038d8335c398a2f6f40 536f07d9ff 2016-11-03 08:42:03 -04:00
vegardv@75ae889e836bda8ce69bc038d8335c398a2f6f40 2f922120a1 2016-11-03 08:37:19 -04:00
https://id.koumbit.net/anarcat 705ad6d9d7 consider portier as a successor to OpenID? 2016-11-01 11:56:18 -04:00
https://id.koumbit.net/anarcat 1e6faf00b1 introduce portier here as well, while i'm here 2016-11-01 11:55:46 -04:00
https://id.koumbit.net/anarcat 596f723bb3 nextgen persona? 2016-11-01 11:49:48 -04:00
https://id.koumbit.net/anarcat e7cd4ac40b another look at bootstrap and packaging strategies 2016-11-01 11:45:31 -04:00
Amitai Schleier 7d48b885c9 The C2 wiki appears to have moved. 2016-10-23 21:00:36 -04:00
openmedi b6e7e54e0c 2016-10-16 12:38:47 -04:00
icydee 9892c426a1 2016-10-07 07:08:35 -04:00
karsk a9aa7c1c08 That was a (curious) mistake.
This reverts commit 1bfe2e2e19
2016-09-30 04:10:10 -04:00
karsk 1bfe2e2e19 removed 2016-09-30 04:09:12 -04:00
spalax 9833f0b7bd Added a comment: Translating "Last edited" 2016-09-27 15:08:30 -04:00
karsk 7ebb4cd3c5 2016-09-27 09:56:51 -04:00
karsk 0d5d26defa 2016-09-27 09:22:47 -04:00
karsk ae8862d087 2016-09-27 08:41:28 -04:00
alexjj 52f83112ed added actual progress bar 2016-09-25 00:51:03 -04:00
alexjj c5e4e781ad 2016-09-24 02:42:34 -04:00
alexjj 851d556d5b 2016-09-24 02:39:10 -04:00
alexjj 425685b7ef removed 2016-09-24 01:58:07 -04:00
alexjj e0b9749e3d 2016-09-24 01:53:46 -04:00
alexjj 9eb445c145 Created 2016-09-24 00:48:51 -04:00
alexjj 1e203ac71b 2016-09-24 00:22:08 -04:00
alexjj 8bc6d48dae formatting 2016-09-24 00:17:05 -04:00
alexjj 7f879de0d0 modern nginx settings suggestion 2016-09-24 00:16:00 -04:00
Joey Hess 68e2320696 inline: Prevent creating a file named ".mdwn" when the postform is submitted with an empty title. 2016-09-21 13:51:42 -04:00
Joey Hess 8a638d6b53 bug 2016-09-21 13:44:57 -04:00
alexjj@97b75209148c043997fe05b4341a629090820035 acd014e988 Added a comment: ever fix this? 2016-09-20 12:59:27 -04:00
alexjj@97b75209148c043997fe05b4341a629090820035 78984dd5d5 added remark to nginx 2016-09-20 12:05:54 -04:00
alexjj@97b75209148c043997fe05b4341a629090820035 800e3f0dab Created 2016-09-20 12:04:29 -04:00
http://pnijjar.livejournal.com/ e4a65526b7 2016-09-18 01:40:20 -04:00
Amitai Schlair fd8993ca44 Rename this redirect page, missed in previous. 2016-09-14 14:32:03 -04:00
Amitai Schlair 85c10d149b Update my surname to its new legal spelling. 2016-09-14 14:28:01 -04:00
simonmic 8eb09a4704 sign comment 2016-09-11 14:35:37 -04:00
simonmic e95a7d5654 fix link 2016-09-11 14:34:33 -04:00
simonmic 0c78a3fd84 update 2016-09-11 13:39:32 -04:00
simonmic 26878fb4c7 minor edit 2016-09-11 13:33:23 -04:00
simonmic 7519c206bf 2016-09-11 13:32:39 -04:00
holger 20e2f80ad4 2016-09-07 08:20:55 -04:00
holger afa4274604 cleaned up, updated and submitted for patch 2016-09-07 08:17:16 -04:00
Simon McVittie cf772113c4 Belatedly announce yesterday's release 2016-09-06 18:12:54 +01:00
https://id.koumbit.net/anarcat 8dd46cc2ae guh, then i mess up the markdown, how ironic... btw, commonmark parsed my original version correctly :p 2016-08-29 23:51:53 -04:00
https://id.koumbit.net/anarcat 9d4a0aa31b clarify and more links 2016-08-29 23:50:26 -04:00
https://id.koumbit.net/anarcat 4f8d45bfde some response 2016-08-29 23:44:59 -04:00
anna19 cb30df8e71 2016-08-24 10:40:03 -04:00
anna19 761b4383d1 2016-08-24 08:57:12 -04:00
anna19 a5709a3740 2016-08-24 08:55:38 -04:00
anna19 751c06faba 2016-08-24 08:55:20 -04:00
anna19 049be436d0 2016-08-24 08:55:07 -04:00
anna19 ae8bddf338 added username 2016-08-24 08:54:47 -04:00
anna19 f55e5e0794 2016-08-24 08:54:13 -04:00
https://me.yahoo.com/zoredache#d4929 8fbb8cacfa Added a comment: I have narrowed this problem down. 2016-08-23 16:51:52 -04:00