On Sat, 07 May 2016 at 22:59:49 +0200, Thorsten Alteholz wrote: > Hi Simon, > > On Sat, 7 May 2016, Simon McVittie wrote: > > That would probably be best if we're doing the ImageMagick mitigation; > > do you need to change something in ikiwiki to handle the ImageMagick CVEs?
There doesn't seem to be an upstream fix in ImageMagick that fully addresses the recent CVEs, but ikiwiki changes can stop them from being exploited that way. <https://git.pseudorandom.co.uk/smcv/ikiwiki.git/shortlog/refs/heads/debian-jessie> is what I had to backport for my proposed version for jessie (it's less than it looks like - most of that is the regression test). > > I'm not sure how much sense it makes to maintain webapps in LTS by > > backporting individual changes, to be honest. > > The patch for ikiwikis CVE-2016-4561 doesn't look that complicated, so > wouldn't this single change be better for the users of that version? If I can prevent ikiwiki from being used to access the ImageMagick flaw and cause remote arbitrary code execution, it seems desirable to do that. XSS with no known exploit concerns me a lot less than remote code execution! I've asked the security team (again) how they want to handle this. Whatever they want to do for jessie, I'll look into backporting the same to wheezy. S
