Re: Wheezy update of ikiwiki?
On Fri, 23 Dec 2016 at 23:39:09 +0000, Simon McVittie wrote:
> On Thu, 22 Dec 2016 at 23:09:38 +0100, Ola Lundqvist wrote:
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of ikiwiki:
> > https://security-tracker.debian.org/tracker/CVE-2016-10026
> I requested a CVE ID because this is technically a security vulnerability,
> but I don't think it's a particularly urgent one - the circumstances for
> it to be a problem are really quite specific, and if those circumstances
> apply then the unwanted change is necessarily easy to revert.
While testing the first attempt at a fix for CVE-2016-10026 I discovered
that it didn't actually fix jessie (CVE-2016-9645 was allocated for this
incomplete fix), and also discovered an unrelated minor vulnerability
that the automated test happened to expose (CVE-2016-9646). So I'm glad
we didn't rush into preparing something for wheezy that later turned out
to be broken.
Subsequent manual testing of the fixes for all those revealed some tricky
issues in error recovery code paths which I fixed in 3.20170110. We'll
see whether that's the final version...
I suspect the diff resulting from all this is going to be larger than the
rest of the differences between git.pm in wheezy and git.pm in sid, which
makes me very tempted to recommend backporting the entire git.pm from sid
(I think the only thing in there that's incompatible with older ikiwiki
is one call to IkiWiki::cloak(), which didn't exist in wheezy/jessie).
But please don't do so until I've had an opinion from the SRMs
on what they'd accept in jessie - it would be perverse for the version
of ikiwiki in oldstable LTS to have more backporting than the version
> Please de-prioritize it while I talk to the security team about
> whether they want to bother releasing a DSA.
As expected, the security team are not interested in releasing a DSA
> There were some trivial git conflicts when cherry-picking the change
> from master to debian-jessie, so you'll probably want to use my
> cherry-pick to debian-jessie as the basis for backporting:
This is not sufficient. Please do not use it alone.