[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Updates for dokuwiki

On Thu, 23 Jun 2011 14:41:02 +0200, Tanguy Ortolo wrote:
Following the instructions of the security team, I have recently
uploaded new versions of my package dokuwiki for stable and oldstable, fixing a flaw in the RPC interface that allows to bypass the ACL system in some very specific cases. I am not sure that you are already aware of
my upload.

Your last sentence above confuses me slightly. I approved the uploads, and you should have received "ACCEPTED" mails for them from the archive software indicating that they had moved in to the proposed-updates queues; indeed, the upload to stable will be part of Saturday's point release.

Now, another flaw has been discovered some days ago, allowing to insert arbitrary JavaScript links in the following case: a wiki page references
an RSS feed; this feed contains specially crafted content. These are
only JavaScript links, that require users to click on it, but that can be inserted from an external control over the referenced RSS feed only.
This affects both the stable and oldstable version: can I send an
updated package, fixing both the ACL and the RSS problems?

"Updated" as in a new revision building on those you previously uploaded; the packages containing the ACL fixes are already in {oldstable-,}proposed-updates, so can't be replaced. Please prepare packages for both stable and oldstable and send the debdiffs to debian-release for approval.



Reply to: