
Re: Wheezy update of ikiwiki?



Hi Simon

Thank you a lot for this information. I have now added a note that you
think we should de-prioritize this one for now.
If you get information from the security team, please let me know.

Generally we do not do LTS uploads unless there is an intention to fix
it in stable.

Best regards

// Ola

On 24 December 2016 at 00:39, Simon McVittie <smcv@debian.org> wrote:
> On Thu, 22 Dec 2016 at 23:09:38 +0100, Ola Lundqvist wrote:
>> the Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of ikiwiki:
>> https://security-tracker.debian.org/tracker/CVE-2016-10026
>
> I requested a CVE ID because this is technically a security vulnerability,
> but I don't think it's a particularly urgent one - the circumstances for
> it to be a problem are really quite specific, and if those circumstances
> apply then the unwanted change is necessarily easy to revert.
>
> Please de-prioritize it while I talk to the security team about
> whether they want to bother releasing a DSA.
>
>> If that workflow is a burden to you, feel free to just prepare an
>> updated source package and send it to debian-lts@lists.debian.org
>> (via a debdiff, or with an URL pointing to the source package,
>> or even with a pointer to your packaging repository), and the members
>> of the LTS team will take care of the rest. Indicate clearly whether you
>> have tested the updated package or not.
>
> I'm going to leave this one to the LTS team.
>
> There were some trivial git conflicts when cherry-picking the change
> from master to debian-jessie, so you'll probably want to use my
> cherry-pick to debian-jessie as the basis for backporting:
>
> http://source.ikiwiki.branchable.com/?p=source.git;a=commit;h=bb5cf4a0940b8fd2750c6175adb15382b84c71e2
>
> There's a manual test for this bug (it's most convenient to test
> using w3m and its support for faking the CGI interface without a
> web server), but I accidentally deleted one of the required files
> due to an overzealous .gitignore, so I'll have to bring that back first.
>
>     S
>



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

