[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Wheezy update of ikiwiki?

Hi Simon,

On 12/01/17 01:09, Simon McVittie wrote:
> On Wed, 11 Jan 2017 at 01:46:32 +0000, Simon McVittie wrote:
>> Subsequent manual testing of the fixes for all those revealed some tricky
>> issues in error recovery code paths which I fixed in 3.20170110. We'll
>> see whether that's the final version...
> While preparing the backport of this whole mess for jessie, I found
> another security issue which *is* serious (CVE-2017-0356, an authentication
> bypass).
>> I suspect the diff resulting from all this is going to be larger than the
>> rest of the differences between git.pm in wheezy and git.pm in sid, which
>> makes me very tempted to recommend backporting the entire git.pm from sid
> That is my recommendation, and is what went into jessie-security
> (a DSA should follow soon).
> Here is a rather large patch stack which pulls in all the fixes from
> jessie-security (including autopkgtest support and enough build-dependencies
> to run most of the tests at build-time), plus a couple of unrelated backports
> from jessie to get the tests to pass:
> git clone git://git.ikiwiki.info/ -b debian-wheezy
> http://source.ikiwiki.branchable.com/?p=source.git;a=shortlog;h=refs/heads/debian-wheezy
> It builds for wheezy in sbuild, and passes autopkgtests on a wheezy VM
> if you parachute in pkg-perl-autopkgtest_0.19_all.deb from jessie (sorry,
> making it work without that jessie package is a yak-shave too far). I
> have not installed it on an actual web server because I don't run
> oldstable anywhere, but there is a test for CVE-2017-0356, which passes.
> Alternatively, if you want to abandon the backport approach for this package,
> I expect that the jessie-security version (the debian-jessie branch in the
> same git repository) would work fine in wheezy.
> If you release an updated package for wheezy using git, please let me know
> where I can fetch the git commits (or I'll use git-import-dsc if necessary).

Thanks for preparing the update. I have given it some smoke testing and uploaded
it. My only change is attached as a git-format-patch patch.

>From 84e9cf77f0d38ec4e380e696012e2a0e71559b2f Mon Sep 17 00:00:00 2001
From: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Tue, 31 Jan 2017 21:30:01 +0100
Subject: [PATCH] Release to wheezy-security

 debian/changelog | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 2d0134c49..1f4471a4d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,6 @@
-ikiwiki (3.20120629.2+deb7u2) UNRELEASED; urgency=medium
+ikiwiki (3.20120629.2+deb7u2) wheezy-security; urgency=medium
+  [ Simon McVittie ]
   * Security: force CGI::FormBuilder->field to scalar context where
     necessary, avoiding unintended function argument injection
     analogous to CVE-2014-1572.
@@ -54,7 +55,10 @@ ikiwiki (3.20120629.2+deb7u2) UNRELEASED; urgency=medium
     (patch from Lafayette Chamber Singers Webmaster, backported from
- -- Simon McVittie <smcv@debian.org>  Wed, 11 Jan 2017 15:22:38 +0000
+  [ Emilio Pozuelo Monfort ]
+  * Upload to wheezy-security.
+ -- Emilio Pozuelo Monfort <pochu@debian.org>  Tue, 31 Jan 2017 19:00:50 +0100
 ikiwiki (3.20120629.2+deb7u1) wheezy-security; urgency=medium

Reply to: