Re: Wheezy update of ikiwiki?
On Sat, 07 May 2016 at 22:59:49 +0200, Thorsten Alteholz wrote:
> Hi Simon,
>
> On Sat, 7 May 2016, Simon McVittie wrote:
> > That would probably be best if we're doing the ImageMagick mitigation;
>
> do you need to change something in ikiwiki to handle the ImageMagick CVEs?
There doesn't seem to be an upstream fix in
ImageMagick that fully addresses the recent CVEs, but
ikiwiki changes can stop them from being exploited that way.
<https://git.pseudorandom.co.uk/smcv/ikiwiki.git/shortlog/refs/heads/debian-jessie>
is what I had to backport for my proposed version for jessie (it's less
than it looks like - most of that is the regression test).
> > I'm not sure how much sense it makes to maintain webapps in LTS by
> > backporting individual changes, to be honest.
>
> The patch for ikiwikis CVE-2016-4561 doesn't look that complicated, so
> wouldn't this single change be better for the users of that version?
If I can prevent ikiwiki from being used to access the ImageMagick flaw
and cause remote arbitrary code execution, it seems desirable to do that.
XSS with no known exploit concerns me a lot less than remote code
execution!
I've asked the security team (again) how they want to handle this.
Whatever they want to do for jessie, I'll look into backporting the same
to wheezy.
S
Reply to: