Commit Graph

15343 Commits (e66912e677db394483e38d301606eb44a8ca41d7)

Author SHA1 Message Date
Louis e66912e677 Apology about the poor choice for the name of the sidebar2 plugin 2017-02-18 21:08:48 +01:00
Louis d9f6141cd7 New plugin: verboserpc 2017-02-18 21:08:48 +01:00
Louis 7bb8226987 New plugin: pageversion 2017-02-18 21:08:48 +01:00
Louis d2c4047282 New plugin: redirect 2017-02-18 20:43:52 +01:00
vegardv@75ae889e836bda8ce69bc038d8335c398a2f6f40 c0fcd409fa Added a comment 2017-02-10 04:33:42 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 e748e0016d Added a comment 2017-02-09 17:48:06 -04:00
smcv 8502eb47fa Added a comment 2017-02-09 08:13:03 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 3d177313d6 2017-02-09 07:22:48 -04:00
svetlana 40d3bdac4c +update broken uris 2017-02-07 20:36:02 -04:00
svetlana 139197d823 2017-02-07 19:15:02 -04:00
svetlana 4f9a8d10de Confuses a map 2017-02-07 19:11:17 -04:00
svetlana 7b664f4151 2017-02-06 01:39:02 -04:00
svetlana 7c0292edc5 removed 2017-02-05 22:37:01 -04:00
svetlana@192500fb6a2e2ef8e78d1a08cca64b1bca9833b9 4c96c9decd 2017-02-05 15:31:24 -04:00
smcv 7744b4d849 change `pwd` to $HOME so assumptions are met even if you cd elsewhere 2017-02-03 16:48:48 -04:00
me@4eb1b66f86170ba2ff0690b93ad01f46bfc8eac4 c72fbbe21d No longer using ikiwiki 2017-02-03 12:54:47 -04:00
smcv 47b12458ae 2017-01-26 07:38:48 -04:00
svetlana 2265aef4e6 Does not show up in the setup 2017-01-24 00:59:27 -04:00
svetlana 9581c039e8 * [[guppy|http://guppy.branchable.com]] an internationalized modular Python IRC bot 2017-01-18 19:27:48 -04:00
smcv 1c8c0ccf59 Added a comment 2017-01-18 17:46:14 -04:00
smcv 0acf3b6d0c Added a comment: Do that through your web server, not ikiwiki 2017-01-18 17:45:30 -04:00
openmedi 6d0f460b12 2017-01-17 08:44:20 -04:00
Simon McVittie 12b4618228 Note another Debian 8 backport 2017-01-12 00:31:10 +00:00
Simon McVittie 666d87a50c Fix typo 2017-01-11 19:02:10 +00:00
Simon McVittie 8b54ba7ad1 Release 3.20170111 2017-01-11 18:18:38 +00:00
Simon McVittie 4d0e525e6a Document the security fix soon to be released in 3.20170111 2017-01-11 18:16:42 +00:00
Simon McVittie c7a4d57772 3.20170110 2017-01-10 13:22:13 +00:00
Simon McVittie 7586f5165e news: Use Debian security tracker instead of MITRE for CVE references
The Debian security tracker gets timely updates, whereas the official
CVE pages hosted by MITRE tend to show up as "RESERVED" for several
weeks or months after assignment.
2017-01-09 14:11:18 +00:00
Simon McVittie 9e03c00202 shortcuts: Use security-tracker.debian.org for [[!debcve]]
security.debian.org currently rejects HTTPS connections.
2017-01-09 14:09:35 +00:00
https://anarc.at/openid/ f2b65d0370 add debian security tracker 2016-12-30 16:48:40 -04:00
Simon McVittie a60f837695 Merge remote-tracking branch 'origin/master' 2016-12-29 21:34:10 +00:00
Simon McVittie e0341d0e88 3.20161229.1 2016-12-29 20:47:17 +00:00
smcv 7562350a3a add anchors for use in advisory to oss-security 2016-12-29 16:24:48 -04:00
Simon McVittie 04e322fd6b Clarify which versions of ikiwiki fixed CVE-2016-9645, -9646 2016-12-29 20:08:49 +00:00
Simon McVittie 287bb19883 3.20161229 2016-12-29 17:37:51 +00:00
Simon McVittie cf0166347c Add CVE references for CVE-2016-9646, CVE-2016-9645
Thanks to the Debian security team for allocating these.
2016-12-29 17:36:11 +00:00
Simon McVittie 078d4208ca Prune git remotes that are unreachable or unresponsive 2016-12-29 17:30:56 +00:00
Simon McVittie a8a7462382 Try revert operations (on a branch) before approving them
Otherwise, we have a time-of-check/time-of-use vulnerability:
rcs_preprevert previously looked at what changed in the commit we are
reverting, not at what would result from reverting it now. In
particular, if some files were renamed since the commit we are
reverting, a revert of changes that were within the designated
subdirectory and allowed by check_canchange() might now affect
files that are outside the designated subdirectory or disallowed
by check_canchange().

It is not sufficient to disable rename detection, since git older
than 2.8.0rc0 (in particular the version in Debian stable) silently
accepts and ignores the relevant options.

OVE-20161226-0002
2016-12-28 21:32:12 +00:00
Simon McVittie c1120bbbe8 Force CGI::FormBuilder->field to scalar context where necessary
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in f4ec7b0. Force it into scalar context where it is used
in an argument list.

This prevents two (relatively minor) commit metadata forgery
vulnerabilities:

* In the comments plugin, an attacker who was able to post a comment
  could give it a user-specified author and author-URL even if the wiki
  configuration did not allow for that, by crafting multiple values
  to other fields.
* In the editpage plugin, an attacker who was able to edit a page
  could potentially forge commit authorship by crafting multiple values
  for the rcsinfo field.

The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.

OVE-20161226-0001
2016-12-28 21:32:12 +00:00
spalax a9b876e1fa Added a comment 2016-12-26 18:03:28 -04:00
smcv 836f165939 Added a comment 2016-12-26 15:26:25 -04:00
spalax 1a73c8d528 Question about default timezone ":/etc/localtime" 2016-12-25 17:05:08 -04:00
Simon McVittie 28409cd358 Add CVE references for CVE-2016-10026 2016-12-21 13:03:36 +00:00
intrigeri bec3047aff Replied. 2016-12-20 10:26:22 +00:00
Simon McVittie fd6b947889 Announce 3.20161219 2016-12-19 21:20:41 +00:00
smcv 7e78712782 mention security contacts here too 2016-12-19 16:33:48 -04:00
Amitai Schleier 952404edaa Opt in to whatever spam this may bring. 2016-12-19 20:23:43 +01:00
Simon McVittie cde2cc1862 Restrict CSS matches on .header to not affect <tr>
Pandoc generates <tr class="header"> to hold <th> elements, and
we don't want to make those be display: block.

Signed-off-by: Simon McVittie <smcv@debian.org>
2016-12-19 18:21:07 +00:00
Simon McVittie 2a9e9f13f6 List security contacts
We still don't have a security@ alias; listing personal emails is
unfortunately the next-best thing.
2016-12-19 18:21:07 +00:00
Simon McVittie 9cada49ed6 Tell `git revert` not to follow renames
Otherwise, we have an authorization bypass vulnerability: rcs_preprevert
looks at what changed in the commit we are reverting, not at what would
result from reverting it now. In particular, if some files were renamed
since the commit we are reverting, a revert of changes that were within
the designated subdirectory and allowed by check_canchange() might now
affect files that are outside the designated subdirectory or disallowed
by check_canchange().

Signed-off-by: Simon McVittie <smcv@debian.org>
2016-12-19 18:21:07 +00:00