Debian Bug report logs - #1011056
dokuwiki: CVE-2022-28919 XSS vulnerability via the function _generateFilename
Report forwarded to debian-bugs-dist@lists.debian.org, codehelp@debian.org, team@security.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>: Bug#1011056; Package src:dokuwiki. (Mon, 16 May 2022 09:12:04 GMT)
Acknowledgement sent to Neil Williams <codehelp@debian.org>: New Bug report received and forwarded. Copy sent to codehelp@debian.org, team@security.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Mon, 16 May 2022 09:12:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: dokuwiki
Version: 0.0.20200729-0.1
Severity: important
Tags: security
X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for dokuwiki.
CVE-2022-28919[0]:
| HTMLCreator release_stable_2020-07-29 was discovered to contain a
| cross-site scripting (XSS) vulnerability via the function
| _generateFilename.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-28919
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28919
Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.17.0-2-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Information forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>: Bug#1011056; Package src:dokuwiki. (Mon, 16 May 2022 09:33:06 GMT)
Acknowledgement sent to Axel Beckert <abe@debian.org>: Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Mon, 16 May 2022 09:33:06 GMT)
Message #10 received at 1011056@bugs.debian.org:
Control: forwarded -1 https://github.com/splitbrain/dokuwiki/issues/3651
Control: tag -1 + fixed-upstream
Control: found -1 0.0.20220317~gitaeff85c-0.1~exp1
Hi Neil,
thanks for the bug report.
Neil Williams wrote:
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-28919
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28919
The relevant information seems to be in
https://github.com/splitbrain/dokuwiki/issues/3651
> Please adjust the affected versions in the BTS as needed.
Thanks for the reminder. I updated the upper limit based on its date
and the information in the upstream bug report that the fix was made
just four days ago.
Upstream though hasn't made any new upstream release with this fix
yet, so we will either do an upload of a git snapshot or
cherry-picking that commit. (JFTR, mostly for Anton: Upstream's
release plans for the next stable release are here:
https://github.com/splitbrain/dokuwiki/projects/6)
Figuring out which older releases are affected likely needs some more
digging in upstream's and/or in the library's upstream git repo.
Regards, Axel
--
,''`. | Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Added tag(s) fixed-upstream. Request was from Axel Beckert <abe@debian.org> to 1011056-submit@bugs.debian.org. (Mon, 16 May 2022 09:33:06 GMT)
Marked as found in versions dokuwiki/0.0.20220317~gitaeff85c-0.1~exp1. Request was from Axel Beckert <abe@debian.org> to 1011056-submit@bugs.debian.org. (Mon, 16 May 2022 09:33:07 GMT)
Last modified: Mon May 16 13:12:05 2022