Hi Simon,

On 12/01/17 01:09, Simon McVittie wrote:
> On Wed, 11 Jan 2017 at 01:46:32 +0000, Simon McVittie wrote:
>> Subsequent manual testing of the fixes for all those revealed some tricky
>> issues in error recovery code paths which I fixed in 3.20170110. We'll
>> see whether that's the final version...
>
> While preparing the backport of this whole mess for jessie, I found
> another security issue which *is* serious (CVE-2017-0356, an authentication
> bypass).
>
>> I suspect the diff resulting from all this is going to be larger than the
>> rest of the differences between git.pm in wheezy and git.pm in sid, which
>> makes me very tempted to recommend backporting the entire git.pm from sid
>
> That is my recommendation, and is what went into jessie-security
> (a DSA should follow soon).
>
> Here is a rather large patch stack which pulls in all the fixes from
> jessie-security (including autopkgtest support and enough build-dependencies
> to run most of the tests at build-time), plus a couple of unrelated backports
> from jessie to get the tests to pass:
>
> git clone git://git.ikiwiki.info/ -b debian-wheezy
> http://source.ikiwiki.branchable.com/?p=source.git;a=shortlog;h=refs/heads/debian-wheezy
>
> It builds for wheezy in sbuild, and passes autopkgtests on a wheezy VM
> if you parachute in pkg-perl-autopkgtest_0.19_all.deb from jessie (sorry,
> making it work without that jessie package is a yak-shave too far). I
> have not installed it on an actual web server because I don't run
> oldstable anywhere, but there is a test for CVE-2017-0356, which passes.
>
> Alternatively, if you want to abandon the backport approach for this package,
> I expect that the jessie-security version (the debian-jessie branch in the
> same git repository) would work fine in wheezy.
>
> If you release an updated package for wheezy using git, please let me know
> where I can fetch the git commits (or I'll use git-import-dsc if necessary).
Thanks for preparing the update. I have given it some smoke testing and
uploaded it. My only change is attached as a git-format-patch patch.

Cheers,
Emilio
>From 84e9cf77f0d38ec4e380e696012e2a0e71559b2f Mon Sep 17 00:00:00 2001 From: Emilio Pozuelo Monfort <po...@debian.org> Date: Tue, 31 Jan 2017 21:30:01 +0100 Subject: [PATCH] Release to wheezy-security --- debian/changelog | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 2d0134c49..1f4471a4d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,6 @@ -ikiwiki (3.20120629.2+deb7u2) UNRELEASED; urgency=medium +ikiwiki (3.20120629.2+deb7u2) wheezy-security; urgency=medium + [ Simon McVittie ] * Security: force CGI::FormBuilder->field to scalar context where necessary, avoiding unintended function argument injection analogous to CVE-2014-1572. @@ -54,7 +55,10 @@ ikiwiki (3.20120629.2+deb7u2) UNRELEASED; urgency=medium (patch from Lafayette Chamber Singers Webmaster, backported from 3.20140916) - -- Simon McVittie <s...@debian.org> Wed, 11 Jan 2017 15:22:38 +0000 + [ Emilio Pozuelo Monfort ] + * Upload to wheezy-security. + + -- Emilio Pozuelo Monfort <po...@debian.org> Tue, 31 Jan 2017 19:00:50 +0100 ikiwiki (3.20120629.2+deb7u1) wheezy-security; urgency=medium -- 2.11.0
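Review bot: In the first hunk the distribution moves from UNRELEASED to wheezy-security while the version string 3.20120629.2+deb7u2 is kept unchanged, which is correct since the UNRELEASED entry was never uploaded; the one thing I would reconsider there is that `urgency=medium` is also kept unchanged, although the entry now carries the authentication-bypass fix Simon describes above (CVE-2017-0356) and security uploads usually go out with `urgency=high`. The second hunk's replacement of Simon's trailer by the `[ Simon McVittie ]` and `[ Emilio Pozuelo Monfort ]` attribution blocks plus a fresh trailer is the standard form for a changelog entry with more than one author, and the hunk counts (one added line, then one removed and four added) match the headers.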