Bug#782042: wheezy-pu: package ikiwiki/3.20120629.2
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
Raghav Bisht reported a cross-site-scripting vulnerability in ikiwiki
(#781483, CVE-2015-2793). The security team have asked me to fix it
via wheezy-proposed-updates rather than wheezy-security.
OK to upload?
(As before, the double diff for the changelog is because CHANGELOG is a
symlink to debian/changelog.)
Thanks,
S
diffstat for ikiwiki-3.20120629.1 ikiwiki-3.20120629.2
CHANGELOG | 8 ++++++++
debian/changelog | 8 ++++++++
templates/openid-selector.tmpl | 2 +-
3 files changed, 17 insertions(+), 1 deletion(-)
diff -Nru ikiwiki-3.20120629.1/CHANGELOG ikiwiki-3.20120629.2/CHANGELOG
--- ikiwiki-3.20120629.1/CHANGELOG 2015-01-17 11:53:38.000000000 +0000
+++ ikiwiki-3.20120629.2/CHANGELOG 2015-04-06 21:15:31.000000000 +0100
@@ -1,3 +1,11 @@
+ikiwiki (3.20120629.2) wheezy; urgency=medium
+
+ [ Joey Hess ]
+ * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483;
+ CVE-2015-2793)
+
+ -- Simon McVittie <smcv@debian.org> Mon, 06 Apr 2015 20:34:51 +0100
+
ikiwiki (3.20120629.1) wheezy; urgency=medium
Backport blogspam plugin from experimental, because the version in
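Review bot: the entry "* Fix XSS in openid selector." does not name the file that carries the fix. The diffstat shows templates/openid-selector.tmpl as the only non-changelog file changed, so mentioning it (and the OPENID_URL variable) in the changelog would tell administrators who keep a locally modified copy of that template that the package upgrade alone does not cover them and that they need to apply the same ESCAPE=HTML change to their copy.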
diff -Nru ikiwiki-3.20120629.1/debian/changelog ikiwiki-3.20120629.2/debian/changelog
--- ikiwiki-3.20120629.1/debian/changelog 2015-01-17 11:53:38.000000000 +0000
+++ ikiwiki-3.20120629.2/debian/changelog 2015-04-06 21:15:31.000000000 +0100
@@ -1,3 +1,11 @@
+ikiwiki (3.20120629.2) wheezy; urgency=medium
+
+ [ Joey Hess ]
+ * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483;
+ CVE-2015-2793)
+
+ -- Simon McVittie <smcv@debian.org> Mon, 06 Apr 2015 20:34:51 +0100
+
ikiwiki (3.20120629.1) wheezy; urgency=medium
Backport blogspam plugin from experimental, because the version in
diff -Nru ikiwiki-3.20120629.1/templates/openid-selector.tmpl ikiwiki-3.20120629.2/templates/openid-selector.tmpl
--- ikiwiki-3.20120629.1/templates/openid-selector.tmpl 2015-01-14 22:06:16.000000000 +0000
+++ ikiwiki-3.20120629.2/templates/openid-selector.tmpl 2015-04-06 21:15:27.000000000 +0100
@@ -23,7 +23,7 @@
</div>
<div id="openid_input_area">
<label for="openid_identifier" class="block">Enter your OpenID:</label>
- <input id="openid_identifier" name="openid_identifier" type="text" value="<TMPL_VAR OPENID_URL>"/>
+ <input id="openid_identifier" name="openid_identifier" type="text" value="<TMPL_VAR ESCAPE=HTML OPENID_URL>"/>
<input id="openid_submit" type="submit" value="Login"/>
</div>
<TMPL_IF OPENID_ERROR>
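Review bot: the trailing context opens <TMPL_IF OPENID_ERROR> directly after the fixed input, but the hunk ends before that block's body, so it is not visible here whether the error text is also emitted with ESCAPE=HTML. Please confirm that, and check any other <TMPL_VAR> in openid-selector.tmpl that has no ESCAPE attribute, as part of this update. The change on the value="<TMPL_VAR ESCAPE=HTML OPENID_URL>" line itself is the right form for a double-quoted attribute, since HTML escaping encodes the double quote as well as the angle brackets.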