Package: hiki
Version: 0.8.3-1 0.6.5-1
Severity: serious
Tags: security

CVE-2006-3379: "Algorithmic complexity vulnerability in Hiki Wiki 0.6.0 through 0.6.5 and 0.8.0 through 0.8.5 allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case."

The Hiki team has issued an advisory [1]. This affects the version in Sarge.

The fix for this issue, according to ChangeLog [2] r1.417, appears to be in r1.81 of hiki/command.rb [3], r1.113 of hiki/config.rb [4], r1.18 of hikiconf.rb [5], and r1.10 of misc/i18n/hikiconf.rb.sample.en [6]. These changes are included in the latest version, 0.8.6.

Unfortunately, the patches don't apply cleanly to 0.6.5; I hope to follow up with a real diff.

Please mention the CVE in your changelog.

Thanks,
Alec

[1] http://hikiwiki.org/en/advisory20060703.html
[2] http://cvs.sourceforge.jp/cgi-bin/viewcvs.cgi/hiki/hiki/ChangeLog?rev=1.417&view=log
[3] http://cvs.sourceforge.jp/cgi-bin/viewcvs.cgi/hiki/hiki/hiki/command.rb?rev=1.81&view=log
[4] http://cvs.sourceforge.jp/cgi-bin/viewcvs.cgi/hiki/hiki/hiki/config.rb?rev=1.113&view=log
[5] http://cvs.sourceforge.jp/cgi-bin/viewcvs.cgi/hiki/hiki/hikiconf.rb.sample?rev=1.18&view=log
[6] http://cvs.sourceforge.jp/cgi-bin/viewcvs.cgi/hiki/hiki/misc/i18n/hikiconf.rb.sample.en?rev=1.10&view=log
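The report above concerns a diff whose cost is quadratic in the size of the two pages. As an added illustration, not hiki's own code and not the fix referenced in the ChangeLog, here is a line-based LCS diff in Ruby that bounds that quadratic work with a cell budget before doing it; the budget value, the function name and the error class are assumptions for the example.

```ruby
# Added example (not hiki's code): a line-based LCS diff with a work budget.
# The LCS table has n*m cells; two large pages with no shared prefix or suffix
# are the worst case, so the budget rejects them up front instead of letting a
# single request monopolise the CPU. DEFAULT_MAX_CELLS is an assumed value.

class DiffTooLarge < StandardError; end

DEFAULT_MAX_CELLS = 250_000  # assumed budget for the n*m LCS table

# Returns an array of [op, line] pairs, op being :same, :del or :add.
# Raises DiffTooLarge when the quadratic core would exceed max_cells.
def guarded_diff(old_text, new_text, max_cells: DEFAULT_MAX_CELLS)
  a = old_text.lines.map(&:chomp)
  b = new_text.lines.map(&:chomp)

  # Strip the common prefix and suffix in linear time; only the rest is quadratic.
  pre = 0
  pre += 1 while pre < a.size && pre < b.size && a[pre] == b[pre]
  suf = 0
  suf += 1 while suf < a.size - pre && suf < b.size - pre &&
                 a[a.size - 1 - suf] == b[b.size - 1 - suf]
  ca = a[pre, a.size - pre - suf]
  cb = b[pre, b.size - pre - suf]

  cells = ca.size * cb.size
  raise DiffTooLarge, "diff needs #{cells} cells, budget is #{max_cells}" if cells > max_cells

  # Classic LCS length table over the core; this is the O(n*m) step being bounded.
  lcs = Array.new(ca.size + 1) { Array.new(cb.size + 1, 0) }
  ca.each_with_index do |la, i|
    cb.each_with_index do |lb, j|
      lcs[i + 1][j + 1] = la == lb ? lcs[i][j] + 1 : [lcs[i][j + 1], lcs[i + 1][j]].max
    end
  end

  # Walk the table back to recover the edit script for the core.
  ops = []
  i, j = ca.size, cb.size
  while i > 0 || j > 0
    if i > 0 && j > 0 && ca[i - 1] == cb[j - 1]
      ops << [:same, ca[i - 1]]; i -= 1; j -= 1
    elsif j > 0 && (i == 0 || lcs[i][j - 1] >= lcs[i - 1][j])
      ops << [:add, cb[j - 1]]; j -= 1
    else
      ops << [:del, ca[i - 1]]; i -= 1
    end
  end
  ops.reverse!

  a[0, pre].map { |l| [:same, l] } + ops + a[a.size - suf, suf].map { |l| [:same, l] }
end
```

The prefix/suffix trimming keeps ordinary edits cheap, while a pair of pages that share nothing is refused as soon as its table size is known, before any of the quadratic work is done.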