On Thu, 22 Dec 2016 at 23:09:38 +0100, Ola Lundqvist wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of ikiwiki:
> https://security-tracker.debian.org/tracker/CVE-2016-10026

I requested a CVE ID because this is technically a security vulnerability, but I don't think it's a particularly urgent one - the circumstances for it to be a problem are really quite specific, and if those circumstances apply then the unwanted change is necessarily easy to revert. Please de-prioritize it while I talk to the security team about whether they want to bother releasing a DSA.

> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.

I'm going to leave this one to the LTS team.

There were some trivial git conflicts when cherry-picking the change from master to debian-jessie, so you'll probably want to use my cherry-pick to debian-jessie as the basis for backporting:

http://source.ikiwiki.branchable.com/?p=source.git;a=commit;h=bb5cf4a0940b8fd2750c6175adb15382b84c71e2

There's a manual test for this bug (it's most convenient to test using w3m and its support for faking the CGI interface without a web server), but I accidentally deleted one of the required files due to an overzealous .gitignore, so I'll have to bring that back first.

S