Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu

Raghav Bisht reported a cross-site-scripting vulnerability in ikiwiki (#781483, CVE-2015-2793). The security team have asked me to fix it via wheezy-proposed-updates rather than wheezy-security.

OK to upload?

(As before, the double diff for the changelog is because CHANGELOG is a symlink to debian/changelog.)

Thanks,
S

diffstat for ikiwiki-3.20120629.1 ikiwiki-3.20120629.2 CHANGELOG | 8 ++++++++ debian/changelog | 8 ++++++++ templates/openid-selector.tmpl | 2 +- 3 files changed, 17 insertions(+), 1 deletion(-) diff -Nru ikiwiki-3.20120629.1/CHANGELOG ikiwiki-3.20120629.2/CHANGELOG --- ikiwiki-3.20120629.1/CHANGELOG 2015-01-17 11:53:38.000000000 +0000 +++ ikiwiki-3.20120629.2/CHANGELOG 2015-04-06 21:15:31.000000000 +0100 @@ -1,3 +1,11 @@ +ikiwiki (3.20120629.2) wheezy; urgency=medium + + [ Joey Hess ] + * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483; + CVE-2015-2793) + + -- Simon McVittie <s...@debian.org> Mon, 06 Apr 2015 20:34:51 +0100 + ikiwiki (3.20120629.1) wheezy; urgency=medium Backport blogspam plugin from experimental, because the version in diff -Nru ikiwiki-3.20120629.1/debian/changelog ikiwiki-3.20120629.2/debian/changelog --- ikiwiki-3.20120629.1/debian/changelog 2015-01-17 11:53:38.000000000 +0000 +++ ikiwiki-3.20120629.2/debian/changelog 2015-04-06 21:15:31.000000000 +0100 @@ -1,3 +1,11 @@ +ikiwiki (3.20120629.2) wheezy; urgency=medium + + [ Joey Hess ] + * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483; + CVE-2015-2793) + + -- Simon McVittie <s...@debian.org> Mon, 06 Apr 2015 20:34:51 +0100 + ikiwiki (3.20120629.1) wheezy; urgency=medium Backport blogspam plugin from experimental, because the version in diff -Nru ikiwiki-3.20120629.1/templates/openid-selector.tmpl ikiwiki-3.20120629.2/templates/openid-selector.tmpl --- ikiwiki-3.20120629.1/templates/openid-selector.tmpl 2015-01-14 22:06:16.000000000 +0000 +++ ikiwiki-3.20120629.2/templates/openid-selector.tmpl 2015-04-06 21:15:27.000000000 +0100 
@@ -23,7 +23,7 @@ </div> <div id="openid_input_area"> <label for="openid_identifier" class="block">Enter your OpenID:</label> - <input id="openid_identifier" name="openid_identifier" type="text" value="<TMPL_VAR OPENID_URL>"/> + <input id="openid_identifier" name="openid_identifier" type="text" value="<TMPL_VAR ESCAPE=HTML OPENID_URL>"/> <input id="openid_submit" type="submit" value="Login"/> </div> <TMPL_IF OPENID_ERROR>
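
Review bot: The trailing context of the openid-selector.tmpl hunk ends at <TMPL_IF OPENID_ERROR>, and the hunk does not show how the error text inside that block is emitted; if it is a bare <TMPL_VAR OPENID_ERROR>, it needs the same ESCAPE=HTML that the changed line gives OPENID_URL. The changed line itself fits its context: the value sits inside a double-quoted value="..." attribute, so HTML escaping of the quote character is what keeps the value from closing the attribute. A regression test that renders this template with an OPENID_URL containing a double quote and an angle bracket, and checks that only the escaped forms appear in the output, would be a useful addition alongside the one-line fix.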