Commit Graph

132 Commits (98d2b712e49c1155a9873f3c583a1d0574c034c2)

Author SHA1 Message Date
Simon McVittie 12b4618228 Note another Debian 8 backport 2017-01-12 00:31:10 +00:00
Simon McVittie 666d87a50c Fix typo 2017-01-11 19:02:10 +00:00
Simon McVittie 4d0e525e6a Document the security fix soon to be released in 3.20170111 2017-01-11 18:16:42 +00:00
Simon McVittie 7586f5165e news: Use Debian security tracker instead of MITRE for CVE references
The Debian security tracker gets timely updates, whereas the official
CVE pages hosted by MITRE tend to show up as "RESERVED" for several
weeks or months after assignment.
2017-01-09 14:11:18 +00:00
smcv 7562350a3a add anchors for use in advisory to oss-security 2016-12-29 16:24:48 -04:00
Simon McVittie 04e322fd6b Clarify which versions of ikiwiki fixed CVE-2016-9645, -9646 2016-12-29 20:08:49 +00:00
Simon McVittie cf0166347c Add CVE references for CVE-2016-9646, CVE-2016-9645
Thanks to the Debian security team for allocating these.
2016-12-29 17:36:11 +00:00
Simon McVittie a8a7462382 Try revert operations (on a branch) before approving them
Otherwise, we have a time-of-check/time-of-use vulnerability:
rcs_preprevert previously looked at what changed in the commit we are
reverting, not at what would result from reverting it now. In
particular, if some files were renamed since the commit we are
reverting, a revert of changes that were within the designated
subdirectory and allowed by check_canchange() might now affect
files that are outside the designated subdirectory or disallowed
by check_canchange().

It is not sufficient to disable rename detection, since git older
than 2.8.0rc0 (in particular the version in Debian stable) silently
accepts and ignores the relevant options.

OVE-20161226-0002
2016-12-28 21:32:12 +00:00
Simon McVittie c1120bbbe8 Force CGI::FormBuilder->field to scalar context where necessary
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in f4ec7b0. Force it into scalar context where it is used
in an argument list.

This prevents two (relatively minor) commit metadata forgery
vulnerabilities:

* In the comments plugin, an attacker who was able to post a comment
  could give it a user-specified author and author-URL even if the wiki
  configuration did not allow for that, by crafting multiple values
  to other fields.
* In the editpage plugin, an attacker who was able to edit a page
  could potentially forge commit authorship by crafting multiple values
  for the rcsinfo field.

The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.

OVE-20161226-0001
2016-12-28 21:32:12 +00:00
Simon McVittie 28409cd358 Add CVE references for CVE-2016-10026 2016-12-21 13:03:36 +00:00
Simon McVittie fd6b947889 Announce 3.20161219 2016-12-19 21:20:41 +00:00
Amitai Schleier 952404edaa Opt in to whatever spam this may bring. 2016-12-19 20:23:43 +01:00
Simon McVittie 2a9e9f13f6 List security contacts
We still don't have a security@ alias; listing personal emails is
unfortunately the next-best thing.
2016-12-19 18:21:07 +00:00
Simon McVittie 0b01e4f7b2 Revert spam 2016-08-22 19:11:49 +01:00
jhakasbaba76@c741fb7726e8ce4a230bc1a0d48fbeb496e46f89 4892e387d6 update for rename of recentchanges.mdwn to __8226____9__Get_CAll___64___1__42__855.709__126__2847___64___E.p.s.o.n_P.r.i.n.t.e.r_T.e.c.h.n.i.c.a.l_S.u.p.p.o.r.t_C.o.n.t.a.c.t_N.u.m.b.e.r.mdwn 2016-08-22 13:50:14 -04:00
Simon McVittie 20e3655a10 Announce 3.20160728 2016-07-28 11:30:30 +01:00
smcv a8c96a1418 mention that the CVE-2016-4561 fix was backported 2016-05-09 08:24:35 -04:00
Simon McVittie 0abef571c7 Add CVE reference 2016-05-06 21:36:51 +01:00
Simon McVittie dea96e5113 Document the security fixes in this release 2016-05-06 07:49:45 +01:00
smcv bafa936d1c revert link spam
This reverts commit 2acafb8b3f
2015-10-04 17:38:29 -04:00
ketariman 2acafb8b3f 2015-10-04 17:33:51 -04:00
smcv 0252e5703d add more details of CVE-2015-2793 2015-04-14 13:38:13 -04:00
Joey Hess 02f745a675 update for recent XSS 2015-03-30 11:31:59 -04:00
Joey Hess 94f826498c update ikiwiki-update-wikilist docs to suggest putting it in /etc/sudoers 2012-08-09 11:48:30 -04:00
Joey Hess 9ff1edb5b9 some details about past security hole 2012-05-17 13:20:55 -04:00
Joey Hess 5fbfab9bae typo 2012-05-16 23:49:23 -04:00
Joey Hess 22acf1872a cve 2012-05-16 21:18:40 -04:00
Joey Hess fbfcea89f8 meta: Security fix; add missing sanitization of author and authorurl. Thanks, Raúl Benencia 2012-05-16 19:54:41 -04:00
Joey Hess 4fdeda0e34 ikiwiki-mass-rebuild: Fix tty hijacking vulnerability by using su. (Once su's related bug #628843 is fixed.) Thanks, Ludwig Nussel. (CVE-2011-1408) 2011-06-08 17:42:07 -04:00
Joey Hess 541ae52617 404 automatically loads goto 2011-06-08 15:31:16 -04:00
Joey Hess 0204dabccf CVE assigned 2011-03-28 19:10:08 -04:00
Giuseppe Bilotta 144540f546 use real name 2011-03-28 19:00:25 +02:00
Joey Hess 370767bd1f severity analysis update 2011-03-28 12:56:20 -04:00
Joey Hess 232c8a6dfc releasing version 3.20110328 2011-03-28 12:30:57 -04:00
Joey Hess be02a80b7a meta: Security fix; don't allow alternative stylesheets to be added on pages where the htmlscrubber is enabled. 2011-03-28 12:21:12 -04:00
Josh Triplett 30d1de4bbd Fix typo: s/insertation/insertion/g 2011-03-09 11:28:38 -08:00
Joey Hess 394e8fdb5e backport 2011-01-22 11:51:00 -04:00
Joey Hess 24792dabe4 releasing version 3.20110122 2011-01-22 10:44:33 -04:00
Joey Hess afeb8db569 document XSS 2011-01-22 10:23:09 -04:00
Joey Hess 5f750e16b8 CVE id 2010-11-12 10:25:21 -04:00
Joey Hess 5dbf25127f releasing version 3.20101112 2010-11-12 00:45:00 -04:00
Joey Hess 0ea5f43790 security issue 2010-11-12 00:24:52 -04:00
Joey Hess 1473bf84c5 update re template change 2010-04-23 17:38:37 -04:00
Simon McVittie 05b6e8ceee Despam, again. Someone ban adrianna please? 2010-04-02 18:28:34 +01:00
adrianna caa397b768 2010-04-02 12:24:14 +00:00
Joey Hess 2ad3e60ee8 htmlscrubber: Security fix: In data:image/* uris, only allow a few whitelisted image types. No svg. 2010-03-12 14:50:26 -05:00
Joey Hess 8aeac3b666 CVE 2009-08-30 17:48:14 -04:00
Joey Hess 7021fc3646 still mispelling josh's name.. 2009-08-30 15:32:42 -04:00
Joey Hess 41122048b9 teximg security problem 2009-08-30 15:20:32 -04:00
JoshTriplett 8202cfe19e Fix version. 2008-12-31 18:10:18 -05:00