Debian Bug report logs - #683378
CVE-2012-0283
Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>
Date: Tue, 31 Jul 2012 09:39:02 UTC
Severity: important
Tags: security
Fixed in version dokuwiki/0.0.20120125b-1
Done: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>: Bug#683378; Package dokuwiki. (Tue, 31 Jul 2012 09:39:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Tue, 31 Jul 2012 09:39:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: dokuwiki
Severity: important
Tags: security
Please see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0283
http://secunia.com/secunia_research/2012-24/
http://bugs.dokuwiki.org/index.php?do=details&task_id=2561
This doesn't warrant a DSA, but you can fix it through a stable point update.
Cheers,
Moritz
Reply sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>: You have taken responsibility. (Wed, 15 Aug 2012 13:51:04 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Wed, 15 Aug 2012 13:51:04 GMT)
Message #10 received at 683378-close@bugs.debian.org:
Source: dokuwiki
Source-Version: 0.0.20120125b-1
We believe that the bug you reported is fixed in the latest version of
dokuwiki, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 683378@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tanguy Ortolo <tanguy+debian@ortolo.eu> (supplier of updated dokuwiki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 15 Aug 2012 11:46:36 +0200
Source: dokuwiki
Binary: dokuwiki
Architecture: source all
Version: 0.0.20120125b-1
Distribution: unstable
Urgency: high
Maintainer: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Changed-By: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Description:
dokuwiki - standards compliant simple to use wiki
Closes: 683378
Changes:
dokuwiki (0.0.20120125b-1) unstable; urgency=high
.
* New upstream bugfix release: sanitize a POST parameter that could be used
to inject arbitrary HTML and JavaScript, leading to an XSS vulnerability.
(CVE-2012-0283) (Closes: #683378)
Checksums-Sha1:
b7179002aec5caf85b8a0b22b37092d5406e7ccd 1990 dokuwiki_0.0.20120125b-1.dsc
662c805de802e5889820eb911e3431f18003328a 2507783 dokuwiki_0.0.20120125b.orig.tar.gz
648953bda17b019f68834d0ba4add0f5fbefc9f4 89167 dokuwiki_0.0.20120125b-1.debian.tar.gz
77c20726166be9d369ea24af6dea43afb58b67fb 1773466 dokuwiki_0.0.20120125b-1_all.deb
Checksums-Sha256:
475071ff6d75803614d528405d374e888c2ab4bd88a50eced41d761f103c19f8 1990 dokuwiki_0.0.20120125b-1.dsc
0231fd4fabdb14a05628fad60a6d68017b7664b645662d4dfdb5f2f704ca165a 2507783 dokuwiki_0.0.20120125b.orig.tar.gz
515f82605c2d941083e9acd7488e25989eb36f0f491cd05a0094d46cdf0b4d04 89167 dokuwiki_0.0.20120125b-1.debian.tar.gz
3ae712614ef7a7c1e75e71e14bddbdfee7de882c7f1e4f9d1a23c62de3949c33 1773466 dokuwiki_0.0.20120125b-1_all.deb
Files:
1f73a70990d2e052c8e04868cd0c5e61 1990 web optional dokuwiki_0.0.20120125b-1.dsc
6bceed04c3c38b3b251c70dfe2f9fca0 2507783 web optional dokuwiki_0.0.20120125b.orig.tar.gz
ce1cf3934aa76c351600190e40c72e0a 89167 web optional dokuwiki_0.0.20120125b-1.debian.tar.gz
a44e37a031d6c2c2d3c09aee17f316d9 1773466 web optional dokuwiki_0.0.20120125b-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
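The changelog entry above describes the class of defect (a POST parameter reflected into the page without sanitisation) rather than the fix itself. The following PHP snippet is an added illustration, not DokuWiki's code and not the upstream patch: it shows a hypothetical handler that writes a POST value into HTML unescaped, beside the hardened form that escapes for the HTML context before output. The parameter name `ns`, the markup and the sample input are all assumptions made for the example.

```php
<?php
// Added example, not DokuWiki's code: a generic PHP handler that reflects a
// POST parameter into an HTML page, shown unsafe and then hardened.
// The parameter name "ns" and the surrounding markup are assumptions for
// illustration only; they are not taken from the DokuWiki fix.

// Unsafe: the raw parameter value is written into the response verbatim,
// so any HTML tag it contains is interpreted by the browser as markup.
function render_unsafe(array $post): string {
    $ns = $post['ns'] ?? '';
    return '<div class="namespace">' . $ns . '</div>';
}

// Hardened: escape for the HTML text context right where the value is
// emitted. ENT_QUOTES also escapes single quotes, so the same helper is
// safe inside quoted attribute values; the explicit UTF-8 charset avoids
// encoding-dependent escaping mistakes, and ENT_SUBSTITUTE replaces
// malformed byte sequences instead of returning an empty string.
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(array $post): string {
    $ns = $post['ns'] ?? '';
    return '<div class="namespace">' . esc($ns) . '</div>';
}

// Constructed sample input standing in for $_POST.
$sample = ['ns' => 'wiki<b>bold</b>'];

echo render_unsafe($sample), "\n"; // the <b> tag reaches the browser as markup
echo render_safe($sample), "\n";   // &lt;b&gt;bold&lt;/b&gt; is rendered as literal text
```

Escaping at the output point (rather than "cleaning" the input on arrival) is the property to check when reviewing a fix of this kind: every place the parameter reaches the response must pass through a context-appropriate encoder, and a backport is only useful if the older code actually has such an output path, which is exactly the question the thread below settles for the squeeze version.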
Information forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>: Bug#683378; Package dokuwiki. (Thu, 16 Aug 2012 12:03:08 GMT)
Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>: Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Thu, 16 Aug 2012 12:03:08 GMT)
Message #15 received at 683378@bugs.debian.org:
Package: dokuwiki
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.6) - use target "stable"
Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.
For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].
0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/683378/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#683378; Package dokuwiki. (Thu, 16 Aug 2012 12:21:07 GMT)
Acknowledgement sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>: Extra info received and forwarded to list. (Thu, 16 Aug 2012 12:21:07 GMT)
Message #20 received at 683378@bugs.debian.org:
Hello Jonathan.
Jonathan Wiltshire, 2012-08-16 11:15-0000:
>Dear maintainer,
>
>Recently you fixed one or more security problems and as a result you closed
>this bug. These problems were not serious enough for a Debian Security
>Advisory, so they are now on my radar for fixing in the following suites
>through point releases:
>
>squeeze (6.0.6) - use target "stable"
>
>Please prepare a minimal-changes upload targeting each of these suites,
>and submit a debdiff to the Release Team [0] for consideration. They will
>offer additional guidance or instruct you to upload your package.
I do not think this is necessary. The fix is for a flaw in the last
version of DokuWiki, and it does not apply to the previous one which is
currently in squeeze. I will have to double-check that, but I think that
version is not concerned.
Regards
--
,--.
: /` ) Tanguy Ortolo <xmpp:tanguy@ortolo.eu>
| `-' Debian Developer <irc://irc.oftc.net/Tanguy>
\_
Information forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>: Bug#683378; Package dokuwiki. (Fri, 17 Aug 2012 08:45:06 GMT)
Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>: Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Fri, 17 Aug 2012 08:45:06 GMT)
Message #25 received at 683378@bugs.debian.org:
Hi,
On 2012-08-16 13:08, Tanguy Ortolo wrote:
>
> I do not think this is necessary. The fix is for a flaw in the last
> version of DokuWiki, and it does not apply to the previous one which
> is currently in squeeze. I will have to double-check that, but I
> think
> that version is not concerned.
>
Thanks. If this is indeed the case please confirm so that the security
tracker can be updated, it currently thinks squeeze is affected.
Cheers,
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#683378; Package dokuwiki. (Fri, 17 Aug 2012 09:09:03 GMT)
Acknowledgement sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>: Extra info received and forwarded to list. (Fri, 17 Aug 2012 09:09:03 GMT)
Message #30 received at 683378@bugs.debian.org:
Jonathan Wiltshire, 2012-08-17 09:37+0100:
>Thanks. If this is indeed the case please confirm so that the
>security tracker can be updated, it currently thinks squeeze is
>affected.
I have just had a look at the code: squeeze is affected. I shall prepare
an update by hand.
--
,--.
: /` ) Tanguy Ortolo <xmpp:tanguy@ortolo.eu>
| `-' Debian Developer <irc://irc.oftc.net/Tanguy>
\_
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#683378; Package dokuwiki. (Sat, 18 Aug 2012 09:42:03 GMT)
Acknowledgement sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>: Extra info received and forwarded to list. (Sat, 18 Aug 2012 09:42:03 GMT)
Message #35 received at 683378@bugs.debian.org:
Tanguy Ortolo, 2012-08-17 11:04+0200:
>I have just had a look at the code: squeeze is affected. I shall
>prepare an update by hand.
Well, after looking more closely, it appears that in fact, it is not.
The fix for version 0.0.20120125 in testing does apply to 0.0.20091225
in stable after some modifications, but:
1. it breaks some functionality;
2. it is useless, because it is meant to cover a use case that did not
exist at the time (the code to process the POST argument do=media for
the possible attack is only present in 0.0.20120125).
So, sorry for my hesitation with this bug…
--
,--.
: /` ) Tanguy Ortolo <xmpp:tanguy@ortolo.eu>
| `-' Debian Developer <irc://irc.oftc.net/Tanguy>
\_
Information forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>: Bug#683378; Package dokuwiki. (Mon, 20 Aug 2012 08:36:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Mon, 20 Aug 2012 08:36:03 GMT)
Message #40 received at 683378@bugs.debian.org:
On Sat, Aug 18, 2012 at 11:38:51AM +0200, Tanguy Ortolo wrote:
> Tanguy Ortolo, 2012-08-17 11:04+0200:
>> I have just had a look at the code: squeeze is affected. I shall
>> prepare an update by hand.
>
> Well, after looking more closely, it appears that in fact, it is not.
> The fix for version 0.0.20120125 in testing does apply to 0.0.20091225
> in stable after some modifications, but:
> 1. it breaks some functionality;
> 2. it is useless, because it is meant to cover a use case that did not
> exist at the time (the code to process the POST argument do=media for
> the possible attack is only present in 0.0.20120125).
>
> So, sorry for my hesitation with this bug…
Thanks, I've updated the Debian security tracker.
Cheers,
Moritz
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 21 Sep 2012 07:39:38 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:25:30 2019; Machine Name: beach