author bsiegert <bsiegert> 2017-01-19 19:59:56 +0000
committer bsiegert <bsiegert> 2017-01-19 19:59:56 +0000
commit d461ffb71e60ca9a0622cf2a5082720ffcd6f6f4
tree 57591a9f7a2bc000d9d3089f895703b2e2fa3903
parent dd173af23cc3c75e7356ff80a9b7062624674751
Pullup ticket #5192 - requested by schmonz
www/ikiwiki: security fix

Revisions pulled up:
- www/ikiwiki/Makefile 1.145-1.148
- www/ikiwiki/distinfo 1.117-1.120

---
Module Name: pkgsrc
Committed By: schmonz
Date: Fri Dec 30 03:21:11 UTC 2016

Modified Files:
pkgsrc/www/ikiwiki: Makefile distinfo

Log Message:
Update to 3.20161229. From the changelog:

* Security: force CGI::FormBuilder->field to scalar context where necessary, avoiding unintended function argument injection analogous to CVE-2014-1572. In ikiwiki this could be used to forge commit metadata, but thankfully nothing more serious. (CVE-2016-9646)
* Security: try revert operations in a temporary working tree before approving them. Previously, automatic rename detection could result in a revert writing outside the wiki srcdir or altering a file that the reverting user should not be able to alter, an authorization bypass. (CVE-2016-10026 represents the original vulnerability.) The incomplete fix released in 3.20161219 was not effective for git versions prior to 2.8.0rc0. (CVE-2016-9645 represents that incomplete solution.)
* Add CVE references for CVE-2016-10026
* Add automated test for using the CGI with git, including CVE-2016-10026
  - Build-depend on libipc-run-perl for better build-time test coverage
* Add missing ikiwiki.setup for the manual test for CVE-2016-10026
* git: don't issue a warning if the rcsinfo CGI parameter is undefined
* git: do not fail to commit changes with a recent git version and an anonymous committer

---
Module Name: pkgsrc
Committed By: schmonz
Date: Fri Dec 30 13:59:42 UTC 2016

Modified Files:
pkgsrc/www/ikiwiki: Makefile distinfo

Log Message:
Update to 3.20161229.1. From the changelog:

* git: Attribute reverts to the user doing the revert, not the wiki itself.
* git: Do not disable the commit hook while preparing a revert.

---
Module Name: pkgsrc
Committed By: schmonz
Date: Wed Jan 11 02:15:54 UTC 2017

Modified Files:
pkgsrc/www/ikiwiki: Makefile distinfo

Log Message:
Update to 3.20170110. From the changelog:

[ Amitai Schleier ]
* wrappers: Correctly escape quotes in git_wrapper_background_command

[ Simon McVittie ]
* git: use an explicit function parameter for the directory to work in. Previously, we used global state that was not restored correctly on catching exceptions, causing an unintended log message "cannot chdir to .../ikiwiki-temp-working: No such file or directory" with versions >= 3.20161229 when an attempt to revert a change fails or is disallowed
* git: don't run "git rev-list ... -- -- ..." which would select the wrong commits if a file named literally "--" is present in the repository
* check_canchange: log "bad file name whatever", not literal string "bad file name %s"
* t/git-cgi.t: fix a race condition that made the test fail intermittently
* t/git-cgi.t: be more careful to provide a syntactically valid author/committer name and email, hopefully fixing this test on ci.debian.net
* templates, comments, passwordauth: use rel=nofollow microformat for dynamic URLs
* templates: use rel=nofollow microformat for comment authors
* news: use Debian security tracker instead of MITRE for security references. Thanks, anarcat
* Set package format to 3.0 (native)
* d/copyright: re-order to put more specific stanzas later, to get the intended interpretation
* d/source/lintian-overrides: override obsolete-url-in-packaging for OpenID Selector, which does not seem to have any more current URL (and in any case our version is a fork)
* docwiki.setup: exclude TourBusStop from offline documentation. It does not make much sense there.
* d/ikiwiki.lintian-overrides: override script-not-executable warnings
* d/ikiwiki.lintian-overrides: silence false positive spelling warning for Moin Moin
* d/ikiwiki.doc-base: register the documentation with doc-base
* d/control: set libmagickcore-6.q16-3-extra as preferred build-dependency, with virtual package libmagickcore-extra as an alternative, to help autopkgtest to do the right thing

---
Module Name: pkgsrc
Committed By: schmonz
Date: Thu Jan 12 00:44:15 UTC 2017

Modified Files:
pkgsrc/www/ikiwiki: Makefile distinfo

Log Message:
Update to 3.20170111. From the changelog:

* passwordauth: prevent authentication bypass via multiple name parameters (CVE-2017-0356, OVE-20170111-0001)
* passwordauth: avoid userinfo forgery via repeated email parameter (also in the scope of CVE-2017-0356)
* CGI, attachment, passwordauth: harden against repeated parameters (not believed to have been a vulnerability)
* remove: make it clearer that repeated page parameter is OK here
* t/passwordauth.t: new automated test for passwordauth
-rw-r--r-- www/ikiwiki/Makefile 7
-rw-r--r-- www/ikiwiki/distinfo 10
2 files changed, 9 insertions, 8 deletions
diff --git a/www/ikiwiki/Makefile b/www/ikiwiki/Makefile
index e9b2e9fc792..5be18cd037b 100644
--- a/www/ikiwiki/Makefile
+++ b/www/ikiwiki/Makefile
@@ -1,13 +1,14 @@
-# $NetBSD: Makefile,v 1.144 2016/12/21 00:52:59 schmonz Exp $
+# $NetBSD: Makefile,v 1.144.2.1 2017/01/19 19:59:56 bsiegert Exp $
#
-DISTNAME= ikiwiki_3.20161219
+DISTNAME= ikiwiki_3.20170111
PKGNAME= ${DISTNAME:S/_/-/}
CATEGORIES= www textproc
MASTER_SITES= ${MASTER_SITE_DEBIAN:=pool/main/i/ikiwiki/}
+EXTRACT_SUFX= .tar.xz
MAINTAINER= schmonz@NetBSD.org
-HOMEPAGE= http://ikiwiki.info/
+HOMEPAGE= https://ikiwiki.info/
COMMENT= Flexible static site generator with dynamic features
LICENSE= gnu-gpl-v2
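Review bot: The added EXTRACT_SUFX= .tar.xz line changes which distfile is fetched and unpacked, yet the log message only quotes upstream changelogs and never states that the tarball moved from .tar.gz to .tar.xz. Add one sentence to the pullup message saying so, so that someone auditing this security pullup can tell the suffix change is deliberate and pairs with the renamed entries in distinfo. The HOMEPAGE switch from http to https is likewise not one of the listed CVE fixes and would be clearer if the message noted it comes along with the pulled-up Makefile revisions.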
diff --git a/www/ikiwiki/distinfo b/www/ikiwiki/distinfo
index eb5713cd59a..0be5be6fcd4 100644
--- a/www/ikiwiki/distinfo
+++ b/www/ikiwiki/distinfo
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.116 2016/12/21 00:52:59 schmonz Exp $
+$NetBSD: distinfo,v 1.116.2.1 2017/01/19 19:59:56 bsiegert Exp $
-SHA1 (ikiwiki_3.20161219.tar.gz) = b4ea2d1f162290aca7e6e658462d679a5a0e2498
-RMD160 (ikiwiki_3.20161219.tar.gz) = fd3f313f0ef79dc8f6f13624f12075af626f8b5b
-SHA512 (ikiwiki_3.20161219.tar.gz) = 2b544c7fcbc878a344f03fa403de784e33a61397d58cc42356ac99ae134bf0b633d63154a9ffac01bc8cca69cdb8e2d23360b95be56d0cd8999264cdb5b7dc3e
-Size (ikiwiki_3.20161219.tar.gz) = 3471888 bytes
+SHA1 (ikiwiki_3.20170111.tar.xz) = c6df014617d3ac5e6c57eb573f02cc4cf71e9b7b
+RMD160 (ikiwiki_3.20170111.tar.xz) = a15bdf28eb6f1c857b8faccc2fba368892b0d597
+SHA512 (ikiwiki_3.20170111.tar.xz) = 78c2a624684bb1c34878ff008558a3967f6e7f5648878e931961695e582a40e4351b6e467c64ca42ba99cb403fd275265bd5d96ecd860ad8263043514d207ad4
+Size (ikiwiki_3.20170111.tar.xz) = 2614240 bytes
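Review bot: The four added lines for ikiwiki_3.20170111.tar.xz cannot be verified from the diff alone, and this pullup folds distinfo revisions 1.117-1.120 into a single branch change that skips the intermediate 3.20161229, 3.20161229.1 and 3.20170110 entries. Confirm that the SHA1, RMD160, SHA512 and Size values match trunk revision 1.120 exactly and were regenerated from a freshly fetched distfile rather than merged by hand, since a stale or mistyped checksum here either breaks the build or accepts the wrong archive for a security update.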