
Re: Wheezy update of ikiwiki?



On Thu, 22 Dec 2016 at 23:09:38 +0100, Ola Lundqvist wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of ikiwiki:
> https://security-tracker.debian.org/tracker/CVE-2016-10026

I requested a CVE ID because this is technically a security vulnerability,
but I don't think it's a particularly urgent one - the circumstances for
it to be a problem are really quite specific, and if those circumstances
apply then the unwanted change is necessarily easy to revert.

Please de-prioritize it while I talk to the security team about
whether they want to bother releasing a DSA.

> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.

I'm going to leave this one to the LTS team.

There were some trivial git conflicts when cherry-picking the change
from master to debian-jessie, so you'll probably want to use my
cherry-pick to debian-jessie as the basis for backporting:

http://source.ikiwiki.branchable.com/?p=source.git;a=commit;h=bb5cf4a0940b8fd2750c6175adb15382b84c71e2

There's a manual test for this bug (it's most convenient to test
using w3m and its support for faking the CGI interface without a
web server), but I accidentally deleted one of the required files
due to an overzealous .gitignore, so I'll have to bring that back first.

    S

