On Fri, 23 Dec 2016 at 23:39:09 +0000, Simon McVittie wrote:
> On Thu, 22 Dec 2016 at 23:09:38 +0100, Ola Lundqvist wrote:
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of ikiwiki:
> > https://security-tracker.debian.org/tracker/CVE-2016-10026
>
> I requested a CVE ID because this is technically a security vulnerability,
> but I don't think it's a particularly urgent one - the circumstances for
> it to be a problem are really quite specific, and if those circumstances
> apply then the unwanted change is necessarily easy to revert.

While testing the first attempt at a fix for CVE-2016-10026 I discovered that it didn't actually fix jessie (CVE-2016-9645 was allocated for this incomplete fix), and also discovered an unrelated minor vulnerability that the automated test happened to expose (CVE-2016-9646). So I'm glad we didn't rush into preparing something for wheezy that later turned out to be broken.

Subsequent manual testing of the fixes for all those revealed some tricky issues in error recovery code paths which I fixed in 3.20170110. We'll see whether that's the final version...

I suspect the diff resulting from all this is going to be larger than the rest of the differences between git.pm in wheezy and git.pm in sid, which makes me very tempted to recommend backporting the entire git.pm from sid (I think the only thing in there that's incompatible with older ikiwiki is one call to IkiWiki::cloak(), which didn't exist in wheezy/jessie). But please don't do so until I've had an opinion from the SRMs on what they'd accept in jessie - it would be perverse for the version of ikiwiki in oldstable LTS to have more backporting than the version in stable.

> Please de-prioritize it while I talk to the security team about
> whether they want to bother releasing a DSA.

As expected, the security team are not interested in releasing a DSA for this.

> There were some trivial git conflicts when cherry-picking the change
> from master to debian-jessie, so you'll probably want to use my
> cherry-pick to debian-jessie as the basis for backporting:
>
> http://source.ikiwiki.branchable.com/?p=source.git;a=commit;h=bb5cf4a0940b8fd2750c6175adb15382b84c71e2

This is not sufficient. Please do not use it alone.

S