
Re: Wheezy update of ikiwiki?



On 07.05.2016 at 22:38, Simon McVittie wrote:
> On Sat, 07 May 2016 at 20:52:16 +0200, Markus Koschany wrote:
>> the Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of ikiwiki:
>> https://security-tracker.debian.org/tracker/CVE-2016-4561
> 
> I'm well aware of that vulnerability, having discovered it myself.
> 
> I'm currently waiting for feedback from the security team on how they
> want me to deal with the security-related 3.20160506 changes in jessie.
> I found CVE-2016-4561 accidentally while mitigating the recent ImageMagick
> flaws, which I consider to be much more important - CVE-2016-4561 is
> only cross-site scripting (I don't actually know of a specific exploit,
> although it can probably be exploited somehow) whereas the ImageMagick
> flaws are remote arbitrary code execution in some wiki configurations.

You are probably referring to CVE-2016-3714. I'm not sure but wouldn't a
fix for ImageMagick also resolve this for ikiwiki? Or is this another
CVE-worthy issue in ikiwiki?

>> Would you like to take care of this yourself?
> 
> That would probably be best if we're doing the ImageMagick mitigation;
> I had to backport a lot of fixes to the img plugin to get that to
> apply to jessie. It might make most sense to just drop in the entire
> img plugin from jessie, or for that matter a backport of all of
> ikiwiki from jessie.
> 
> I'm not sure how much sense it makes to maintain webapps in LTS by
> backporting individual changes, to be honest.

CVE-2016-4561 would be rather easy to fix in Wheezy but if you think the
ImageMagick mitigation is even more important, it is certainly possible
to fix that too. We usually prefer the same minimal changes as for all
security fixes but depending on the package / webapp in question it does
make sense to consider a backport. Since you are most certainly the one
who knows ikiwiki best, we would leave it to you to make that
assessment. Feel free to send in the debdiff for review or just follow
our procedure that we have outlined at

	https://wiki.debian.org/LTS/Development

Thanks for your help

Markus