[SECURITY] [DLA 1716-1] ikiwiki security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Package : ikiwiki
Version : 3.20141016.4+deb8u1
CVE ID : CVE-2019-9187
The ikiwiki maintainers discovered that the aggregate plugin did not use
LWPx::ParanoidAgent. On sites where the aggregate plugin is enabled, authorized
wiki editors could tell ikiwiki to fetch potentially undesired URIs even if
LWPx::ParanoidAgent was installed:
local files via file: URIs
other URI schemes that might be misused by attackers, such as gopher:
hosts that resolve to loopback IP addresses (127.x.x.x)
hosts that resolve to RFC 1918 IP addresses (192.168.x.x etc.)
This could be used by an attacker to publish information that should not have
been accessible, cause denial of service by requesting "tarpit" URIs that are
slow to respond, or cause undesired side-effects if local web servers implement
"unsafe" GET requests. (CVE-2019-9187)
Additionally, if liblwpx-paranoidagent-perl is not installed, the
blogspam, openid and pinger plugins would fall back to LWP, which is
susceptible to similar attacks. This is unlikely to be a practical problem for
the blogspam plugin because the URL it requests is under the control of the
wiki administrator, but the openid plugin can request URLs controlled by
unauthenticated remote users, and the pinger plugin can request URLs controlled
by authorized wiki editors.
This is addressed in ikiwiki 3.20190228 as follows, with the same fixes
backported to Debian 9 in version 3.20170111.1:
* URI schemes other than http: and https: are not accepted, preventing access
to file:, gopher:, etc.
* If a proxy is configured in the ikiwiki setup file, it is used for all
outgoing http: and https: requests. In this case the proxy is responsible for
blocking any requests that are undesired, including loopback or RFC 1918
addresses.
* If a proxy is not configured, and liblwpx-paranoidagent-perl is installed, it
will be used. This prevents loopback and RFC 1918 IP addresses, and sets a
timeout to avoid denial of service via "tarpit" URIs.
* Otherwise, the ordinary LWP user-agent will be used. This allows requests to
loopback and RFC 1918 IP addresses, and has less robust timeout behaviour.
We are not treating this as a vulnerability: if this behaviour is not
acceptable for your site, please make sure to install LWPx::ParanoidAgent or
disable the affected plugins.
For Debian 8 "Jessie", this problem has been fixed in version
3.20141016.4+deb8u1.
We recommend that you upgrade your ikiwiki packages. In addition it is also
recommended that you have liblwpx-paranoidagent-perl installed, which listed in
the recommends field of ikiwiki.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEKpwfR8DOwu5vyB4TKpJZkldkSvoFAlyPOxMACgkQKpJZkldk
SvoxIhAAhHxmfgAqOieaGfoB/CvszocV3l43v/W8AWdgKfwp83RE8bf+gzR7Jzp6
mgrItSHBBZebCSPwRoJgLAYD2gtwvt+rWimURA+nDHbKsgcyM6Vv9MWAKDzWweJQ
WlLr5AlPzA85WKAN5+N2yD2MH4jX8CodQWEITf2Y1eJNftm/Ld7hc/+I3Ec1VbPW
JQXqB+JBPKB1KTM2b15/N+lPoczOikHEEZEFzcIfavKE28KiQjvFPgscn69K5/t5
838GqRjIpMHGFUg+KI+UsvArpWuNIKe3f2PZurnBNZ6mcrFDMHHGeYmHFvoMNvZG
OtOmxe6lbwVWnvaj5PjaLiKQjJrt+F//qIqA44kCqOqHhCIuGMy1MYHvq2XYvlC2
nMIKN1wZcRfR8s4zi5+42g4EZdExCatTFZWS2H/CqxSHLGp/jIIftrNMdl1IyQX2
TQdfYi503ve6pe9suiQ/ldyAX9RbPHiQEhloZQ22xbv8Mqwd/icksCAiZINPL5dO
s/1wXPL5p/Mvg8g1lNwUdwcBGV9p8FG+lUnfVXEtyn3/bBIX7zQKpIqp8tT4FqHV
wnai5YzLSR6G8yrpUG5PTEKQiEyzEG5sZn9lCR/xp90OXROadgtrAyY++i5LbRyk
iobz4vRAp5b0JD913B+wpaCWztSaH8g4e7scdTY6737xPI24A7k=
=kwVR
-----END PGP SIGNATURE-----
Reply to: