CVE-2012-2129: Cross-site scripting

Debian Bug report logs - #670917

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Mon, 30 Apr 2012 12:33:13 UTC

Severity: important

Tags: security

Found in version dokuwiki/0.0.20101107-1

Fixed in version dokuwiki/0.0.20120125a-1

Done: Tanguy Ortolo <tanguy+debian@ortolo.eu>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#670917; Package dokuwiki. (Mon, 30 Apr 2012 12:33:15 GMT)


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Mon, 30 Apr 2012 12:33:23 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-2129: Cross-site scripting
Date: Mon, 30 Apr 2012 14:30:03 +0200
Package: dokuwiki
Severity: important
Tags: security

Please see http://secunia.com/advisories/48848/ for more details.

Cheers,
        Moritz




Reply sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>:
You have taken responsibility. (Sat, 05 May 2012 12:59:13 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Sat, 05 May 2012 12:59:16 GMT)


Message #10 received at 670917-close@bugs.debian.org:

From: Tanguy Ortolo <tanguy+debian@ortolo.eu>
To: 670917-close@bugs.debian.org
Subject: Bug#670917: fixed in dokuwiki 0.0.20120125a-1
Date: Sat, 05 May 2012 12:47:28 +0000
Source: dokuwiki
Source-Version: 0.0.20120125a-1

We believe that the bug you reported is fixed in the latest version of
dokuwiki, which is due to be installed in the Debian FTP archive:

dokuwiki_0.0.20120125a-1.debian.tar.gz
  to main/d/dokuwiki/dokuwiki_0.0.20120125a-1.debian.tar.gz
dokuwiki_0.0.20120125a-1.dsc
  to main/d/dokuwiki/dokuwiki_0.0.20120125a-1.dsc
dokuwiki_0.0.20120125a-1_all.deb
  to main/d/dokuwiki/dokuwiki_0.0.20120125a-1_all.deb
dokuwiki_0.0.20120125a.orig.tar.gz
  to main/d/dokuwiki/dokuwiki_0.0.20120125a.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 670917@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tanguy Ortolo <tanguy+debian@ortolo.eu> (supplier of updated dokuwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 05 May 2012 14:27:37 +0200
Source: dokuwiki
Binary: dokuwiki
Architecture: source all
Version: 0.0.20120125a-1
Distribution: unstable
Urgency: high
Maintainer: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Changed-By: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Description: 
 dokuwiki   - standards compliant simple to use wiki
Closes: 670917
Changes: 
 dokuwiki (0.0.20120125a-1) unstable; urgency=high
 .
   * New upstream bugfix release: properly escape an error message that could
     be used to inject arbitrary JavaScript, leading to an XSS vulnerability.
     (CVE-2012-2129) (Closes: 670917)





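The bug class named in the changelog above (an error message built from untrusted input and written into HTML without escaping), as an added Python illustration; this is not DokuWiki's code (DokuWiki is PHP), and the page id value and the `error_box_*` helpers are constructed for this example:

```python
"""Constructed illustration of the CVE-2012-2129 bug class: an error message
that embeds untrusted input is written into an HTML page without escaping.
Not DokuWiki's code (which is PHP); only the pattern and its fix are mirrored."""
import html
import re

# Constructed attacker-controlled value, e.g. a page name taken from the URL.
UNTRUSTED_PAGE_ID = 'start"><script>alert(1)</script>'

# Matches anything a browser would start parsing as a tag.
_TAG_START = re.compile(r"<\s*/?\s*[A-Za-z]")


def error_box_unescaped(page_id: str) -> str:
    """Pattern before the fix: the message is interpolated raw into HTML,
    so any markup inside page_id becomes live markup in the response."""
    msg = f"The page {page_id} does not exist"
    return f'<div class="error">{msg}</div>'


def error_box_escaped(page_id: str) -> str:
    """Pattern after the fix: the whole message is escaped for an HTML text
    context (quote=True also neutralises quotes for attribute contexts)."""
    msg = f"The page {page_id} does not exist"
    return f'<div class="error">{html.escape(msg, quote=True)}</div>'


def leaks_markup(rendered: str, untrusted: str) -> bool:
    """True when the untrusted value reached the output with its angle
    brackets intact, i.e. the browser would parse attacker-supplied tags.
    Usable as a regression check over rendered templates in a test suite."""
    return bool(_TAG_START.search(untrusted)) and untrusted in rendered


if __name__ == "__main__":
    for name, fn in (("unescaped", error_box_unescaped),
                     ("escaped", error_box_escaped)):
        out = fn(UNTRUSTED_PAGE_ID)
        print(f"{name}: leaks markup = {leaks_markup(out, UNTRUSTED_PAGE_ID)}")
        print("  ", out)
```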
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Jun 2012 07:36:23 GMT)


Bug unarchived. Request was from jmw@debian.org to control@bugs.debian.org. (Sun, 08 Jul 2012 16:21:58 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#670917; Package dokuwiki. (Sun, 08 Jul 2012 22:42:06 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Sun, 08 Jul 2012 22:42:06 GMT)


Message #19 received at 670917@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 670917@bugs.debian.org
Subject: Re: CVE-2012-2129: Cross-site scripting
Date: Sun, 08 Jul 2012 17:38:24 -0000
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/670917/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#670917; Package dokuwiki. (Tue, 10 Jul 2012 13:09:08 GMT)


Acknowledgement sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Extra info received and forwarded to list. (Tue, 10 Jul 2012 13:09:09 GMT)


Message #24 received at 670917@bugs.debian.org:

From: Tanguy Ortolo <tanguy+debian@ortolo.eu>
To: Jonathan Wiltshire <jmw@debian.org>, 670917@bugs.debian.org
Subject: Re: Bug#670917: CVE-2012-2129: Cross-site scripting
Date: Tue, 10 Jul 2012 15:07:56 +0200
Jonathan Wiltshire, 2012-07-08 17:38-0000:
>this bug. These problems were not serious enough for a Debian Security
>Advisory, so they are now on my radar for fixing in the following suites
>through point releases:
>
>squeeze (6.0.6) - use target "stable"

In fact this is not needed, because this security problem only affected 
the version from testing/unstable. So a fix is not needed for stable 
because it is not affected.

Librement,

-- 
 ,--.
: /` )   Tanguy Ortolo      <xmpp:tanguy@ortolo.eu>
| `-'    Debian Developer   <irc://irc.oftc.net/Tanguy>
 \_

Information forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#670917; Package dokuwiki. (Sat, 14 Jul 2012 21:21:16 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Sat, 14 Jul 2012 21:21:16 GMT)


Message #29 received at 670917@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Cc: 670917@bugs.debian.org
Subject: Re: Bug#670917: CVE-2012-2129: Cross-site scripting
Date: Sat, 14 Jul 2012 22:06:49 +0100
On Tue, Jul 10, 2012 at 03:07:56PM +0200, Tanguy Ortolo wrote:
> Jonathan Wiltshire, 2012-07-08 17:38-0000:
> >this bug. These problems were not serious enough for a Debian Security
> >Advisory, so they are now on my radar for fixing in the following suites
> >through point releases:
> >
> >squeeze (6.0.6) - use target "stable"
> 
> In fact this is not needed, because this security problem only
> affected the version from testing/unstable. So a fix is not needed
> for stable because it is not affected.

Thanks, trackers updated.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
            layered on top of bonghits

Marked as found in versions dokuwiki/0.0.20101107-1. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Sat, 14 Jul 2012 21:27:06 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 12 Aug 2012 07:25:29 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:26:52 2019; Machine Name: buxtehude
