Hello. I've prepared an LTS security update for dokuwiki. Please review and upload. The debdiff is attached. The patch is forward-ported from wheezy. I've tested it by installing it on a clean jessie machine and creating sample wiki pages.
https://mentors.debian.net/debian/pool/main/d/dokuwiki/dokuwiki_0.0.20140505.a+dfsg-4+deb8u1.dsc

--abhijith.
diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/changelog dokuwiki-0.0.20140505.a+dfsg/debian/changelog --- dokuwiki-0.0.20140505.a+dfsg/debian/changelog 2015-03-22 18:50:07.000000000 +0100 +++ dokuwiki-0.0.20140505.a+dfsg/debian/changelog 2018-07-03 06:34:26.000000000 +0200 @@ -1,3 +1,11 @@ +dokuwiki (0.0.20140505.a+dfsg-4+deb8u1) jessie-security; urgency=high + + * Non-maintainer upload by the Debian LTS team. + * CVE-2017-18123: An XHR/AJAX call did not properly encode user input, + resulting in a reflected file download vulnerability. (Closes: #889281) + + -- Abhijith PA <abhij...@disroot.org> Tue, 03 Jul 2018 10:04:26 +0530 + dokuwiki (0.0.20140505.a+dfsg-4) testing-proposed-updates; urgency=high * debian/patches: security fix, from upstream hotfix release diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/patches/CVE-2017-18123.patch dokuwiki-0.0.20140505.a+dfsg/debian/patches/CVE-2017-18123.patch --- dokuwiki-0.0.20140505.a+dfsg/debian/patches/CVE-2017-18123.patch 1970-01-01 01:00:00.000000000 +0100 +++ dokuwiki-0.0.20140505.a+dfsg/debian/patches/CVE-2017-18123.patch 2018-07-03 06:34:26.000000000 +0200 
@@ -0,0 +1,23 @@ +Description: CVE-2017-18123 + The call parameter of /lib/exe/ajax.php in DokuWiki does not properly encode + user input, which leads to a reflected file download vulnerability, and allows + remote attackers to run arbitrary programs. This patch forward ported from Wheezy. + + +Author: Abhijith PA <abhij...@disroot.org> +Origin: https://github.com/splitbrain/dokuwiki/commit/238b8e878ad48f370903465192b57c2072f65d86 +Bug: https://github.com/splitbrain/dokuwiki/issues/2029 +Bug-Debian: https://bugs.debian.org/889281 +Last-Update: 2018-07-02 + +--- dokuwiki-0.0.20140505.a+dfsg.orig/lib/exe/ajax.php ++++ dokuwiki-0.0.20140505.a+dfsg/lib/exe/ajax.php +@@ -28,7 +28,7 @@ if(function_exists($callfn)){ + }else{ + $evt = new Doku_Event('AJAX_CALL_UNKNOWN', $call); + if ($evt->advise_before()) { +- print "AJAX call '".htmlspecialchars($call)."' unknown!\n"; ++ print "AJAX call '".urlencode($call)."' unknown!\n"; + exit; + } + $evt->advise_after(); diff -Nru dokuwiki-0.0.20140505.a+dfsg/debian/patches/series dokuwiki-0.0.20140505.a+dfsg/debian/patches/series --- dokuwiki-0.0.20140505.a+dfsg/debian/patches/series 2015-03-22 18:48:40.000000000 +0100 +++ dokuwiki-0.0.20140505.a+dfsg/debian/patches/series 2018-07-03 06:34:26.000000000 +0200 @@ -5,3 +5,4 @@ soften_email_validator.diff use_packaged_jquery.diff cve-2015-2172_check_permissions_in_rpc.patch +CVE-2017-18123.patch
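Review bot: the lib/exe/ajax.php hunk relies entirely on swapping htmlspecialchars($call) for urlencode($call), and that is what actually closes the reflected file download: htmlspecialchars leaves shell-relevant characters such as `|`, `;`, `&` and spaces untouched in the echoed "AJAX call '...' unknown!" line, whereas PHP's urlencode percent-encodes everything except letters, digits and `-_.` (spaces become `+`), so the reflected value can no longer form a runnable command line when the response body is saved under an attacker-chosen filename. Nothing else in the hunk changes, and the response headers that also decide whether a browser treats this body as a download (Content-Type, Content-Disposition) are not in the diff, so please confirm in the forward-ported file that they match what the wheezy version sends. Two DEP-3 points in the patch header: `Origin:` names the upstream commit while the description says the hunk is forward-ported from Wheezy; if the hunk is not the upstream change verbatim, the conventional form is `Origin: backport, https://github.com/splitbrain/dokuwiki/commit/238b8e878ad48f370903465192b57c2072f65d86`. And the description sentence "This patch forward ported from Wheezy." is missing its verb ("This patch is forward-ported from Wheezy.").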
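Review bot: in the debian/patches/series hunk the new entry `CVE-2017-18123.patch` breaks the naming convention of the existing security patch in the same list, `cve-2015-2172_check_permissions_in_rpc.patch` (lowercase identifier followed by a short description of the fix); a name such as `cve-2017-18123_urlencode_unknown_ajax_call.patch` would keep the series consistent and tell a reader what the patch does without opening it. Renaming it means renaming the file added in the other hunk as well.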