Re: Wheezy update of ikiwiki?

To: ikiwiki@packages.debian.org, debian-lts@lists.debian.org
Subject: Re: Wheezy update of ikiwiki?
From: Simon McVittie <smcv@debian.org>
Date: Wed, 11 Jan 2017 01:48:00 +0000
Message-id: <[🔎] 20170111014632.izctpzhyqd65icij@perpetual.pseudorandom.co.uk>
In-reply-to: <20161223233909.jhixr2r7gpo43ixu@perpetual.pseudorandom.co.uk>
References: <20161222220934.GA14195@inguza.net> <20161223233909.jhixr2r7gpo43ixu@perpetual.pseudorandom.co.uk>

On Fri, 23 Dec 2016 at 23:39:09 +0000, Simon McVittie wrote:
> On Thu, 22 Dec 2016 at 23:09:38 +0100, Ola Lundqvist wrote:
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of ikiwiki:
> > https://security-tracker.debian.org/tracker/CVE-2016-10026
> 
> I requested a CVE ID because this is technically a security vulnerability,
> but I don't think it's a particularly urgent one - the circumstances for
> it to be a problem are really quite specific, and if those circumstances
> apply then the unwanted change is necessarily easy to revert.

While testing the first attempt at a fix for CVE-2016-10026 I discovered
that it didn't actually fix jessie (CVE-2016-9645 was allocated for this
incomplete fix), and also discovered an unrelated minor vulnerability
that the automated test happened to expose (CVE-2016-9646). So I'm glad
we didn't rush into preparing something for wheezy that later turned out
to be broken.

Subsequent manual testing of the fixes for all those revealed some tricky
issues in error recovery code paths which I fixed in 3.20170110. We'll
see whether that's the final version...

I suspect the diff resulting from all this is going to be larger than the
rest of the differences between git.pm in wheezy and git.pm in sid, which
makes me very tempted to recommend backporting the entire git.pm from sid
(I think the only thing in there that's incompatible with older ikiwiki
is one call to IkiWiki::cloak(), which didn't exist in wheezy/jessie).
But please don't do so until I've had an opinion from the SRMs
on what they'd accept in jessie - it would be perverse for the version
of ikiwiki in oldstable LTS to have more backporting than the version
in stable.

> Please de-prioritize it while I talk to the security team about
> whether they want to bother releasing a DSA.

As expected, the security team are not interested in releasing a DSA
for this.

> There were some trivial git conflicts when cherry-picking the change
> from master to debian-jessie, so you'll probably want to use my
> cherry-pick to debian-jessie as the basis for backporting:
> 
> http://source.ikiwiki.branchable.com/?p=source.git;a=commit;h=bb5cf4a0940b8fd2750c6175adb15382b84c71e2

This is not sufficient. Please do not use it alone.

    S

Reply to:

Follow-Ups:
- Re: Wheezy update of ikiwiki?
  - From: Simon McVittie <smcv@debian.org>

Prev by Date: Re: wheezy update for libav
Next by Date: Re: wheezy update for libav
Previous by thread: Re: nvidia-graphics-drivers 304.134 proposed packages for wheezy-lts
Next by thread: Re: Wheezy update of ikiwiki?
Index(es):
- Date
- Thread