dokuwiki: CVE-2015-2172: DokuWiki privilege escalation in RPC API


Debian Bug report logs - #779547
dokuwiki: CVE-2015-2172: DokuWiki privilege escalation in RPC API


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 2 Mar 2015 05:51:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions dokuwiki/0.0.20131208-1, dokuwiki/0.0.20140929.a-1

Fixed in versions dokuwiki/0.0.20140505.a+dfsg-4, dokuwiki/0.0.20140929.d-1

Done: Tanguy Ortolo <tanguy+debian@ortolo.eu>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#779547; Package src:dokuwiki. (Mon, 02 Mar 2015 05:51:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Mon, 02 Mar 2015 05:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dokuwiki: CVE-2015-2172: DokuWiki privilege escalation in RPC API
Date: Mon, 02 Mar 2015 06:49:35 +0100
Source: dokuwiki
Version: 0.0.20140929.a-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for dokuwiki.

CVE-2015-2172[0]:
DokuWiki privilege escalation in RPC API

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-2172

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions dokuwiki/0.0.20120125b-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Mar 2015 05:57:10 GMT)


Severity set to 'important' from 'grave'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Mar 2015 06:03:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#779547; Package src:dokuwiki. (Mon, 02 Mar 2015 19:03:10 GMT)


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Mon, 02 Mar 2015 19:03:10 GMT)


Message #14 received at 779547@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 779547@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#779547: dokuwiki: CVE-2015-2172: DokuWiki privilege escalation in RPC API
Date: Mon, 2 Mar 2015 19:59:50 +0100
notfound 779547 0.0.20120125b-1
thanks

Present since release_candidate_2013-10-28

No longer marked as found in versions dokuwiki/0.0.20120125b-1. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Mon, 02 Mar 2015 19:03:14 GMT)


Marked as found in versions dokuwiki/0.0.20131208-1. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Mon, 02 Mar 2015 19:09:11 GMT)


Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Sun, 15 Mar 2015 20:33:08 GMT)


Reply sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>:
You have taken responsibility. (Sun, 22 Mar 2015 18:36:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 22 Mar 2015 18:36:05 GMT)


Message #25 received at 779547-close@bugs.debian.org:

From: Tanguy Ortolo <tanguy+debian@ortolo.eu>
To: 779547-close@bugs.debian.org
Subject: Bug#779547: fixed in dokuwiki 0.0.20140505.a+dfsg-4
Date: Sun, 22 Mar 2015 18:33:44 +0000
Source: dokuwiki
Source-Version: 0.0.20140505.a+dfsg-4

We believe that the bug you reported is fixed in the latest version of
dokuwiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 779547@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tanguy Ortolo <tanguy+debian@ortolo.eu> (supplier of updated dokuwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 22 Mar 2015 17:40:22 +0100
Source: dokuwiki
Binary: dokuwiki
Architecture: source all
Version: 0.0.20140505.a+dfsg-4
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Changed-By: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Description:
 dokuwiki   - standards compliant simple to use wiki
Closes: 779547
Changes:
 dokuwiki (0.0.20140505.a+dfsg-4) testing-proposed-updates; urgency=high
 .
   * debian/patches: security fix, from upstream hotfix release
      + cve-2015-2172_check_permissions_in_rpc.patch: check permissions in the
        ACL plugin's RPC API to avoid a privilege escalation. (CVE-2015-2172)
        (Closes:  #779547)
Checksums-Sha1:
 e556cb772749c7aa6c5659a24132d7d35f2a1904 2035 dokuwiki_0.0.20140505.a+dfsg-4.dsc
 bd5e8cc3f5ee87955aa4d7cae30f02403c1210a4 95096 dokuwiki_0.0.20140505.a+dfsg-4.debian.tar.xz
 d092ad31fd72324d02ec46df01a85b15c62263b6 1653376 dokuwiki_0.0.20140505.a+dfsg-4_all.deb
Checksums-Sha256:
 c72cd1677af3a334c7b45f089ed746982953071d7f689dde3b74abc274b86737 2035 dokuwiki_0.0.20140505.a+dfsg-4.dsc
 6804f8152ff1938dfde02e7738d7aa7e1fb1cef570762d49b11d476d013e3036 95096 dokuwiki_0.0.20140505.a+dfsg-4.debian.tar.xz
 c6348f9149455f18c79bb87f7daf1c60c1b804e429785a478bcbd57d13bd5a1e 1653376 dokuwiki_0.0.20140505.a+dfsg-4_all.deb
Files:
 b9fab8b8f6ae70794a8a9c844b68aa46 2035 web optional dokuwiki_0.0.20140505.a+dfsg-4.dsc
 8307c86a3d0f38ac852d78b54b9514ad 95096 web optional dokuwiki_0.0.20140505.a+dfsg-4.debian.tar.xz
 2eae6aa486cd3a29f21ff297cd7ea5e3 1653376 web optional dokuwiki_0.0.20140505.a+dfsg-4_all.deb





Reply sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>:
You have taken responsibility. (Sun, 22 Mar 2015 18:51:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 22 Mar 2015 18:51:13 GMT)


Message #30 received at 779547-close@bugs.debian.org:

From: Tanguy Ortolo <tanguy+debian@ortolo.eu>
To: 779547-close@bugs.debian.org
Subject: Bug#779547: fixed in dokuwiki 0.0.20140929.d-1
Date: Sun, 22 Mar 2015 18:48:59 +0000
Source: dokuwiki
Source-Version: 0.0.20140929.d-1

We believe that the bug you reported is fixed in the latest version of
dokuwiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 779547@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tanguy Ortolo <tanguy+debian@ortolo.eu> (supplier of updated dokuwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 22 Mar 2015 17:00:41 +0100
Source: dokuwiki
Binary: dokuwiki
Architecture: source all
Version: 0.0.20140929.d-1
Distribution: unstable
Urgency: medium
Maintainer: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Changed-By: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Description:
 dokuwiki   - standards compliant simple to use wiki
Closes: 773429 779547 780817
Changes:
 dokuwiki (0.0.20140929.d-1) unstable; urgency=medium
 .
   * New upstream hotfix releases:
      + prevent XSS attack via SWF uploads. (CVE-2014-9253) (Closes: #773429)
      + fix privilege escalation in RPC API (CVE-2015-2172) (Closes: #779547)
      + fix an XSS vulnerability in the user manager (Closes: #780817)
Checksums-Sha1:
 f7f4d93aeb99880056a2fc3aca46d9861e8ed63c 2000 dokuwiki_0.0.20140929.d-1.dsc
 623c9f1351b8df704abe64a49e16550e60623c86 3283317 dokuwiki_0.0.20140929.d.orig.tar.gz
 21c3695e0a707b06f6e0e5d760147c1801a84416 94748 dokuwiki_0.0.20140929.d-1.debian.tar.xz
 37c0071556effd725988fd4b2b769fe807428e1b 1688518 dokuwiki_0.0.20140929.d-1_all.deb
Checksums-Sha256:
 699448f5ea71147779a4c8b28da20b6b90dd34b599b26b8e4fc8953b68cf01cb 2000 dokuwiki_0.0.20140929.d-1.dsc
 6fc6794e13c8e3fe07f5e02bd09cc3a167486a676e9822fa17aab0a45b094794 3283317 dokuwiki_0.0.20140929.d.orig.tar.gz
 e2023434920d5629e58924d9c4438c93179e79ffa451ff6170f8e98142fb9b3d 94748 dokuwiki_0.0.20140929.d-1.debian.tar.xz
 9b56acc8574e75815ba42e467fe8b3c9f1cfd1f2edef0d07ddc736f0bd07c51b 1688518 dokuwiki_0.0.20140929.d-1_all.deb
Files:
 da7a75494251ab1169d17b9553c64c9b 2000 web optional dokuwiki_0.0.20140929.d-1.dsc
 2bf2d6c242c00e9c97f0647e71583375 3283317 web optional dokuwiki_0.0.20140929.d.orig.tar.gz
 9adf20fbebbbca1a84bce8fe62dddf89 94748 web optional dokuwiki_0.0.20140929.d-1.debian.tar.xz
 dedab2fbe60ec10fd043558d95492ed2 1688518 web optional dokuwiki_0.0.20140929.d-1_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 20 Apr 2015 07:26:31 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:13:42 2019; Machine Name: beach
