Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please unblock package dokuwiki

Current version in testing 0.0.20120125a-1 has a security flaw #683378. There is a new upstream version, 0.0.20120125b, which fixes this and only this.

I am not convinced that this fits into the release policy, since it does not fix an RC bug, only a security one. Additionally, it consists of a new upstream version, which adds to this uncertainty regarding the policy. For this reason I have not uploaded it to unstable yet.

Attached is a debdiff of the updated package, please advise.

unblock dokuwiki/dokuwiki_0.0.20120125b-1

Regards,

- -- 
Tanguy Ortolo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJQK3WjAAoJEOryzVHFAGgZIZcQAI2FAkfA1VfwMayzJeOMwmye
asHVV2eTQq4IeNyGnAMoV+lBbT6RwTxgnH7IwJWQcasWe3J47lmkRVDgi6mk/Eq9
+pk0qLuQQP1pte56flth0vrBhZ/1XCg2YVSFLLhoUSBwtxg5EPL1BjL8MFCU7ba3
4k22TFhLGZLK1tqH9r/o5Nh9xdmoE6mldKSBkmDhZqd8BoFdvVd5RmwcdtpmYpCw
9+ywAE61gj1DTg7m/4SzRtfrJ0rh+9cKVveNc08SsvG1hlcw/qJWlCcbDwagkrwF
9rZ3vGjZV87sSpR2SBdJQz9SswcArKm7r2YUqQ6I1dNvKu7UkX3T6E13MQJa/pZ3
LxhEV8ITREyvAU1/0+vLSjxpa66hUx/pMwuobIHrSkAd7XWlEptnu2g+uLrDHcd/
vInKyCQq83K3OsKsf3c3wVPdWQRwOaYnFOci4t1ud0g8swhPpUaAHKZTKUb74Wmd
AbD3x7t7EgFZb+OkthHUyW8Hm0g9Rr9+zFoh56OcCmJlz8FJQVRD3L5cb4cs/6UN
1WssfA0+BFe/vNT6qEeceUNuSAOa8yfTflm4N8FVv7kX7q7KQ80HxP75yJ4HKGh9
Q2FAz55N05Z0SeiQhnQi6rODZaEmauWn/oDjOvI8kr4i3uVwhp975egM+g1j2CIr
aJ9tF4198Bh2hwFRwsY0
=w/oh
-----END PGP SIGNATURE-----
diff -Nru dokuwiki-0.0.20120125a/debian/changelog dokuwiki-0.0.20120125b/debian/changelog --- dokuwiki-0.0.20120125a/debian/changelog 2012-05-05 14:28:26.000000000 +0200 +++ dokuwiki-0.0.20120125b/debian/changelog 2012-08-15 11:59:25.000000000 +0200 @@ -1,3 +1,11 @@ +dokuwiki (0.0.20120125b-1) unstable; urgency=high + + * New upstream bugfix release: sanitize a POST parameter that could be used + to inject artitrary HTML and JavaScript, leading to an XSS vulnerability. + (CVE-2012-0283) (Closes: #683378) + + -- Tanguy Ortolo <tanguy+deb...@ortolo.eu> Wed, 15 Aug 2012 11:46:36 +0200 + dokuwiki (0.0.20120125a-1) unstable; urgency=high * New upstream bugfix release: properly escape an error messages that could diff -Nru dokuwiki-0.0.20120125a/doku.php dokuwiki-0.0.20120125b/doku.php --- dokuwiki-0.0.20120125a/doku.php 2012-04-19 12:12:33.000000000 +0200 +++ dokuwiki-0.0.20120125b/doku.php 2012-07-13 13:13:57.000000000 +0200 @@ -7,7 +7,7 @@ */ // update message version -$updateVersion = 36.1; +$updateVersion = 36.2; // xdebug_start_profiling(); diff -Nru dokuwiki-0.0.20120125a/inc/template.php dokuwiki-0.0.20120125b/inc/template.php --- dokuwiki-0.0.20120125a/inc/template.php 2012-04-19 12:09:54.000000000 +0200 +++ dokuwiki-0.0.20120125b/inc/template.php 2012-07-13 13:13:57.000000000 +0200 @@ -1151,7 +1151,7 @@ echo '<div class="panelHeader">'.NL; echo '<h3>'; $tabTitle = ($NS) ? $NS : '['.$lang['mediaroot'].']'; - printf($lang['media_' . $opened_tab], '<strong>'.$tabTitle.'</strong>'); + printf($lang['media_' . $opened_tab], '<strong>'.hsc($tabTitle).'</strong>'); echo '</h3>'.NL; if ($opened_tab === 'search' || $opened_tab === 'files') { media_tab_files_options(); diff -Nru dokuwiki-0.0.20120125a/lib/exe/ajax.php dokuwiki-0.0.20120125b/lib/exe/ajax.php --- dokuwiki-0.0.20120125a/lib/exe/ajax.php 2012-04-19 12:09:54.000000000 +0200 +++ dokuwiki-0.0.20120125b/lib/exe/ajax.php 2012-07-13 13:13:57.000000000 +0200 
@@ -13,7 +13,6 @@ header('Content-Type: text/html; charset=utf-8'); - //call the requested function if(isset($_POST['call'])){ $call = $_POST['call']; @@ -204,7 +203,7 @@ global $conf; global $NS; - $NS = $_POST['ns']; + $NS = cleanID($_POST['ns']); if ($_POST['do'] == 'media') { tpl_mediaFileList(); } else { diff -Nru dokuwiki-0.0.20120125a/VERSION dokuwiki-0.0.20120125b/VERSION --- dokuwiki-0.0.20120125a/VERSION 2012-04-19 12:12:33.000000000 +0200 +++ dokuwiki-0.0.20120125b/VERSION 2012-07-13 13:13:57.000000000 +0200 @@ -1 +1 @@ -2012-01-25a "Angua" +2012-01-25b "Angua"
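Review bot: typo in the new debian/changelog entry, "artitrary" should read "arbitrary" in `to inject artitrary HTML and JavaScript`; worth correcting before the upload, since this entry carries the CVE-2012-0283 and #683378 references that the security tracker and users will read.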
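Review bot: the doku.php hunk (`$updateVersion = 36.1;` to `36.2`) and the VERSION hunk (`2012-01-25a` to `2012-01-25b`) are upstream release markers, not part of the XSS fix; they are harmless, but together with the cosmetic line removal in the first lib/exe/ajax.php hunk they are the parts of this debdiff that go beyond "fixes this and only this", so the unblock reviewer should expect them when comparing against the changelog claim.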
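Review bot: escaping at the output sink is the right fix in the inc/template.php hunk: `printf($lang['media_' . $opened_tab], '<strong>'.hsc($tabTitle).'</strong>');` now covers both branches of `$tabTitle = ($NS) ? $NS : '['.$lang['mediaroot'].']';`, so the panel heading stays safe even if some caller sets `$NS` without going through cleanID(). Since this is the only output site touched, it would be worth confirming that the other places this code path renders `$NS` (tpl_mediaFileList() and media_tab_files_options(), visible in the context lines) already escape it; otherwise the cleanID() change in ajax.php is the only thing protecting them.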
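Review bot: in the second lib/exe/ajax.php hunk, `$NS = cleanID($_POST['ns']);` normalises the namespace but still reads `$_POST['ns']` unguarded, so a request without `ns` raises an undefined-index notice as before; consider `$NS = cleanID(isset($_POST['ns']) ? $_POST['ns'] : '');` or equivalent. Also note for the record that cleanID() is an ID normaliser, not an HTML escaper, so this hunk is input validation and the hsc() added in template.php must stay regardless; the two changes together are what close the reflected XSS, and neither should be dropped in favour of the other.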