ikiwiki: CVE-2015-2793: cross-site scripting via openid_identifier

Related Vulnerabilities: CVE-2015-2793  

Debian Bug report logs - #781483


Package: ikiwiki; Maintainer for ikiwiki is Simon McVittie <smcv@debian.org>; Source for ikiwiki is src:ikiwiki (PTS, buildd, popcon).

Reported by: Simon McVittie <smcv@debian.org>

Date: Sun, 29 Mar 2015 21:09:01 UTC

Severity: serious

Tags: fixed-upstream, security, upstream

Found in version ikiwiki/3.20141016.1

Fixed in versions ikiwiki/3.20150329, ikiwiki/3.20141016.2, ikiwiki/3.20120629.2

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#781483; Package ikiwiki. (Sun, 29 Mar 2015 21:09:06 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. (Sun, 29 Mar 2015 21:09:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ikiwiki: cross-site scripting via openid_identifier
Date: Sun, 29 Mar 2015 22:04:48 +0100
Package: ikiwiki
Version: 3.20141016.1
Severity: serious
Tags: security fixed-upstream pending
Justification: cookie theft via XSS

Raghav Bisht reported a cross-site scripting vulnerability in the handling
of the openid_identifier parameter. Unfortunately this was reported in
public and while I was 500 miles away from my computer, which is why
it has taken me unacceptably long to do a release.



Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Sun, 29 Mar 2015 21:51:30 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Sun, 29 Mar 2015 21:51:30 GMT)


Message #10 received at 781483-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 781483-close@bugs.debian.org
Subject: Bug#781483: fixed in ikiwiki 3.20150329
Date: Sun, 29 Mar 2015 21:49:40 +0000
Source: ikiwiki
Source-Version: 3.20150329

We believe that the bug you reported is fixed in the latest version of
ikiwiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 781483@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated ikiwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 29 Mar 2015 21:48:24 +0100
Source: ikiwiki
Binary: ikiwiki
Architecture: all source
Version: 3.20150329
Distribution: experimental
Urgency: high
Maintainer: Simon McVittie <smcv@debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 776181 779365 781483
Description: 
 ikiwiki    - a wiki compiler
Changes:
 ikiwiki (3.20150329) experimental; urgency=high
 .
   [ Joey Hess ]
   * Fix NULL ptr deref on ENOMEM in wrapper. (Thanks, igli)
 .
   [ Simon McVittie ]
   * Really don't double-decode CGI submissions, even on Perl versions that
     bundle an old enough Encode.pm for that not to be a problem: the
     system might have a newer Encode.pm installed separately, like Fedora 20.
     (Closes: #776181; thanks, Anders Kaseorg)
   * If neither timezone nor TZ is set, set both to :/etc/localtime if
     we're on a GNU system and that file exists, or GMT otherwise
   * t/inline.t: accept translations of "Add a new post titled:"
     (Closes: #779365)
   * Consistently document command-line options as e.g. --refresh, not -refresh
 .
   [ Amitai Schlair ]
   * In VCS-committed anonymous comments, link to url.
 .
   [ Joey Hess ]
   * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483)


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Sun, 29 Mar 2015 22:09:13 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Sun, 29 Mar 2015 22:09:13 GMT)


Message #15 received at 781483-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 781483-close@bugs.debian.org
Subject: Bug#781483: fixed in ikiwiki 3.20141016.2
Date: Sun, 29 Mar 2015 22:06:40 +0000
Source: ikiwiki
Source-Version: 3.20141016.2

We believe that the bug you reported is fixed in the latest version of
ikiwiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 781483@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated ikiwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 29 Mar 2015 22:28:15 +0100
Source: ikiwiki
Binary: ikiwiki
Architecture: all source
Version: 3.20141016.2
Distribution: unstable
Urgency: high
Maintainer: Simon McVittie <smcv@debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 781483
Description: 
 ikiwiki    - a wiki compiler
Changes:
 ikiwiki (3.20141016.2) unstable; urgency=high
 .
   [ Joey Hess ]
   * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 30 Mar 2015 05:03:09 GMT)


Changed Bug title to 'ikiwiki: CVE-2015-2793: cross-site scripting via openid_identifier' from 'ikiwiki: cross-site scripting via openid_identifier'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 31 Mar 2015 04:45:05 GMT)


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Tue, 07 Apr 2015 19:51:05 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Tue, 07 Apr 2015 19:51:05 GMT)


Message #24 received at 781483-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 781483-close@bugs.debian.org
Subject: Bug#781483: fixed in ikiwiki 3.20120629.2
Date: Tue, 07 Apr 2015 19:47:05 +0000
Source: ikiwiki
Source-Version: 3.20120629.2

We believe that the bug you reported is fixed in the latest version of
ikiwiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 781483@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated ikiwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 06 Apr 2015 20:34:51 +0100
Source: ikiwiki
Binary: ikiwiki
Architecture: all source
Version: 3.20120629.2
Distribution: wheezy
Urgency: medium
Maintainer: Simon McVittie <smcv@debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 781483
Description: 
 ikiwiki    - a wiki compiler
Changes:
 ikiwiki (3.20120629.2) wheezy; urgency=medium
 .
   [ Joey Hess ]
   * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483;
     CVE-2015-2793)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 06 May 2015 07:26:52 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:48:48 2019; Machine Name: buxtehude
