ikiwiki 3.20190228-1 source package in Ubuntu

Changelog

ikiwiki (3.20190228-1) unstable; urgency=high

  * New upstream release
    - aggregate: Use LWPx::ParanoidAgent if available.
      Previously blogspam, openid and pinger used this module if available,
      but aggregate did not. This prevents server-side request forgery or
      local file disclosure, and mitigates denial of service when slow
      "tarpit" URLs are accessed.
      (CVE-2019-9187)
    - blogspam, openid, pinger: Use a HTTP proxy if configured, even if
      LWPx::ParanoidAgent is installed.
      Previously, only aggregate would obey proxy configuration. If a proxy
      is used, the proxy (not ikiwiki) is responsible for preventing attacks
      like CVE-2019-9187.
    - aggregate, blogspam, openid, pinger: Do not access non-http, non-https
      URLs.
      Previously, these plugins would have allowed non-HTTP-based requests if
      LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local
      file disclosure, and preventing other rarely-used URI schemes like
      gopher mitigates request forgery attacks.
    - aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly
      recommended.
      These plugins can request attacker-controlled URLs in some site
      configurations.
    - blogspam: Document LWPx::ParanoidAgent as desirable.
      This plugin doesn't request attacker-controlled URLs, so it's
      non-critical here.
    - blogspam, openid, pinger: Consistently use cookiejar if configured.
      Previously, these plugins would only obey this configuration if
      LWPx::ParanoidAgent was not installed, but this appears to have been
      unintended.
    - po: Always filter .po files.
      The po plugin in previous ikiwiki releases made the second and
      subsequent filter call per (page, destpage) pair into a no-op,
      apparently in an attempt to prevent *recursive* filtering (which as
      far as we can tell can't happen anyway), with the undesired effect
      of interpreting the raw .po file as page content (e.g. Markdown)
      if it was inlined into the same page twice, which is apparently
      something that tails.org does. Simplify this by deleting the code
      that prevented repeated filtering. Thanks, intrigeri
      (Closes: #911356)

 -- Simon McVittie <email address hidden>  Tue, 26 Feb 2019 23:04:42 +0000
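The fetch policy the changelog describes (http/https only, LWPx::ParanoidAgent when it is installed, plain LWP with a proxy when one is configured) can be written as the following Perl. This is an added example, not ikiwiki's own code: `make_useragent`, `url_permitted`, the agent string and the sample URLs are all hypothetical, and skipping ParanoidAgent whenever a proxy is set is an assumption of this example.

```perl
#!/usr/bin/perl
# Added example, not ikiwiki's code. It performs no network access: it only
# builds the agent and asks it which URL schemes it is willing to fetch.
use strict;
use warnings;
use LWP::UserAgent;
use URI;

# Hypothetical helper. Options: proxy => URL string, cookie_jar => jar object.
sub make_useragent {
    my %opts = @_;
    my $class = 'LWP::UserAgent';
    # Assumption of this example: with a proxy configured, use plain LWP and
    # leave destination filtering to the proxy, as the changelog describes.
    if (!defined $opts{proxy} && eval { require LWPx::ParanoidAgent; 1 }) {
        $class = 'LWPx::ParanoidAgent';
    }
    my $ua = $class->new(agent => 'example-fetcher/0.1', timeout => 15);
    # Applied whichever class was chosen, so file:, gopher:, ftp: and other
    # schemes are refused even when ParanoidAgent is not installed.
    $ua->protocols_allowed(['http', 'https']);
    # Cookie jar and proxy are also applied independently of the class.
    $ua->cookie_jar($opts{cookie_jar}) if $opts{cookie_jar};
    $ua->proxy(['http', 'https'], $opts{proxy}) if defined $opts{proxy};
    return $ua;
}

# Hypothetical helper: true if $ua would attempt to fetch $url at all.
sub url_permitted {
    my ($ua, $url) = @_;
    my $uri = URI->new($url);
    return 0 unless defined $uri->scheme;    # relative or scheme-less input
    return $ua->is_protocol_supported($uri) ? 1 : 0;
}

my $ua = make_useragent();
print 'agent class: ', ref($ua), "\n";

# Constructed sample inputs.
for my $url ('http://example.org/feed.rss',
             'file:///path/to/local/file',
             'gopher://example.org/',
             'feed.rss') {
    printf "%-30s %s\n", $url, url_permitted($ua, $url) ? 'allowed' : 'refused';
}
```

The scheme allow-list only decides which protocols are attempted; refusing loopback and private destinations is the part LWPx::ParanoidAgent (or the proxy) has to provide.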

Upload details

Uploaded by: Simon McVittie
Uploaded to: Sid
Original maintainer: Simon McVittie
Architectures: all
Section: web
Urgency: Very Urgent

Builds

Eoan: [FULLYBUILT] amd64

Downloads

File Size SHA-256 Checksum
ikiwiki_3.20190228-1.dsc 2.5 KiB 963d9cc94926faddd17e21c10cc20b72e2d49280a7e61cf2986f8e20f6f6da60
ikiwiki_3.20190228.orig.tar.xz 2.5 MiB d07a4d0da60c3e4de698a4dc54d0445547e762b37f0d433b0d664d88155dfe9e
ikiwiki_3.20190228-1.debian.tar.xz 85.0 KiB 0bc38826600d23b572fe03704b8f10cd13ec111cf6bcd94bf0d9d09f83d2e42d

Available diffs

No changes file available.

Binary packages built by this source

ikiwiki: No summary available for ikiwiki in ubuntu eoan.

No description available for ikiwiki in ubuntu eoan.