Re: Wheezy update of ikiwiki?



On Wed, 11 Jan 2017 at 01:46:32 +0000, Simon McVittie wrote:
> Subsequent manual testing of the fixes for all those revealed some tricky
> issues in error recovery code paths which I fixed in 3.20170110. We'll
> see whether that's the final version...

While preparing the backport of this whole mess for jessie, I found
another security issue which *is* serious (CVE-2017-0356, an authentication
bypass).

> I suspect the diff resulting from all this is going to be larger than the
> rest of the differences between git.pm in wheezy and git.pm in sid, which
> makes me very tempted to recommend backporting the entire git.pm from sid

That is my recommendation, and is what went into jessie-security
(a DSA should follow soon).

Here is a rather large patch stack which pulls in all the fixes from
jessie-security (including autopkgtest support and enough build-dependencies
to run most of the tests at build-time), plus a couple of unrelated backports
from jessie to get the tests to pass:

git clone git://git.ikiwiki.info/ -b debian-wheezy
http://source.ikiwiki.branchable.com/?p=source.git;a=shortlog;h=refs/heads/debian-wheezy

It builds for wheezy in sbuild, and passes autopkgtests on a wheezy VM
if you parachute in pkg-perl-autopkgtest_0.19_all.deb from jessie (sorry,
making it work without that jessie package is a yak-shave too far). I
have not installed it on an actual web server because I don't run
oldstable anywhere, but there is a test for CVE-2017-0356, which passes.

Alternatively, if you want to abandon the backport approach for this package,
I expect that the jessie-security version (the debian-jessie branch in the
same git repository) would work fine in wheezy.

If you release an updated package for wheezy using git, please let me know
where I can fetch the git commits (or I'll use git-import-dsc if necessary).

    S
