
Bug#782042: wheezy-pu: package ikiwiki/3.20120629.2



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Raghav Bisht reported a cross-site-scripting vulnerability in ikiwiki
(#781483, CVE-2015-2793). The security team have asked me to fix it
via wheezy-proposed-updates rather than wheezy-security.

OK to upload?

(As before, the double diff for the changelog is because CHANGELOG is a
symlink to debian/changelog.)

Thanks,
    S
diffstat for ikiwiki-3.20120629.1 ikiwiki-3.20120629.2

 CHANGELOG                      |    8 ++++++++
 debian/changelog               |    8 ++++++++
 templates/openid-selector.tmpl |    2 +-
 3 files changed, 17 insertions(+), 1 deletion(-)

diff -Nru ikiwiki-3.20120629.1/CHANGELOG ikiwiki-3.20120629.2/CHANGELOG
--- ikiwiki-3.20120629.1/CHANGELOG	2015-01-17 11:53:38.000000000 +0000
+++ ikiwiki-3.20120629.2/CHANGELOG	2015-04-06 21:15:31.000000000 +0100
@@ -1,3 +1,11 @@
+ikiwiki (3.20120629.2) wheezy; urgency=medium
+
+  [ Joey Hess ]
+  * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483;
+    CVE-2015-2793)
+
+ -- Simon McVittie <smcv@debian.org>  Mon, 06 Apr 2015 20:34:51 +0100
+
 ikiwiki (3.20120629.1) wheezy; urgency=medium
 
   Backport blogspam plugin from experimental, because the version in
diff -Nru ikiwiki-3.20120629.1/debian/changelog ikiwiki-3.20120629.2/debian/changelog
--- ikiwiki-3.20120629.1/debian/changelog	2015-01-17 11:53:38.000000000 +0000
+++ ikiwiki-3.20120629.2/debian/changelog	2015-04-06 21:15:31.000000000 +0100
@@ -1,3 +1,11 @@
+ikiwiki (3.20120629.2) wheezy; urgency=medium
+
+  [ Joey Hess ]
+  * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483;
+    CVE-2015-2793)
+
+ -- Simon McVittie <smcv@debian.org>  Mon, 06 Apr 2015 20:34:51 +0100
+
 ikiwiki (3.20120629.1) wheezy; urgency=medium
 
   Backport blogspam plugin from experimental, because the version in
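
Review bot: the new entry at the top of this hunk says only "Fix XSS in openid selector" and does not say what was changed. Naming the file (templates/openid-selector.tmpl) and the variable (OPENID_URL) in the entry would let anyone reading the changelog see the scope of the fix, and would tell a site that carries its own copy of that template that it needs the same one-line change.
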
diff -Nru ikiwiki-3.20120629.1/templates/openid-selector.tmpl ikiwiki-3.20120629.2/templates/openid-selector.tmpl
--- ikiwiki-3.20120629.1/templates/openid-selector.tmpl	2015-01-14 22:06:16.000000000 +0000
+++ ikiwiki-3.20120629.2/templates/openid-selector.tmpl	2015-04-06 21:15:27.000000000 +0100
@@ -23,7 +23,7 @@
 		</div>
 		<div id="openid_input_area">
 			<label for="openid_identifier" class="block">Enter your OpenID:</label>
-			<input id="openid_identifier" name="openid_identifier" type="text" value="<TMPL_VAR OPENID_URL>"/>
+			<input id="openid_identifier" name="openid_identifier" type="text" value="<TMPL_VAR ESCAPE=HTML OPENID_URL>"/>
 			<input id="openid_submit" type="submit" value="Login"/>
 		</div>
 		<TMPL_IF OPENID_ERROR>
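
Review bot: the trailing context line `<TMPL_IF OPENID_ERROR>` opens a block whose body is outside this hunk, so please confirm that any TMPL_VAR emitted inside it, and every other TMPL_VAR in this template, carries ESCAPE=HTML as well. On the changed line itself, OPENID_URL lands in a double-quoted value attribute, and HTML escaping covers the double quote, so `<TMPL_VAR ESCAPE=HTML OPENID_URL>` is the right escape mode for that context.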
