[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Wheezy update of ikiwiki?

On Sat, 07 May 2016 at 20:52:16 +0200, Markus Koschany wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of ikiwiki:
> https://security-tracker.debian.org/tracker/CVE-2016-4561

I'm well aware of that vulnerability, having discovered it myself.

I'm currently waiting for feedback from the security team on how they
want me to deal with the security-related 3.20160506 changes in jessie.
I found CVE-2016-4561 accidentally while mitigating the recent ImageMagick
flaws, which I consider to be much more important - CVE-2016-4561 is
only cross-site scripting (I don't actually know of a specific exploit,
although it can probably be exploited somehow) whereas the ImageMagick
flaws are remote arbitrary code execution in some wiki configurations.

> Would you like to take care of this yourself?

That would probably be best if we're doing the ImageMagick mitigation;
I had to backport a lot of fixes to the img plugin to get that to
apply to jessie. It might make most sense to just drop in the entire
img plugin from jessie, or for that matter a backport of all of
ikiwiki from jessie.

I'm not sure how much sense it makes to maintain webapps in LTS by
backporting individual changes, to be honest.

    S
Reply to: