-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 26 Feb 2019 22:57:58 +0000
Source: ikiwiki
Binary: ikiwiki
Architecture: source
Version: 3.20170111.1
Distribution: stretch-security
Urgency: high
Maintainer: Simon McVittie
Changed-By: Simon McVittie
Description:
 ikiwiki    - wiki compiler
Changes:
 ikiwiki (3.20170111.1) stretch-security; urgency=high
 .
   * aggregate: Use LWPx::ParanoidAgent if available.
     Previously blogspam, openid and pinger used this module if available,
     but aggregate did not. This prevents server-side request forgery or
     local file disclosure, and mitigates denial of service when slow
     "tarpit" URLs are accessed. (CVE-2019-9187)
   * blogspam, openid, pinger: Use a HTTP proxy if configured, even if
     LWPx::ParanoidAgent is installed.
     Previously, only aggregate would obey proxy configuration. If a proxy
     is used, the proxy (not ikiwiki) is responsible for preventing attacks
     like CVE-2019-9187.
   * aggregate, blogspam, openid, pinger: Do not access non-http, non-https
     URLs.
     Previously, these plugins would have allowed non-HTTP-based requests if
     LWPx::ParanoidAgent was not installed. Preventing file URIs avoids
     local file disclosure, and preventing other rarely-used URI schemes
     like gopher mitigates request forgery attacks.
   * aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly
     recommended.
     These plugins can request attacker-controlled URLs in some site
     configurations.
   * blogspam: Document LWPx::ParanoidAgent as desirable.
     This plugin doesn't request attacker-controlled URLs, so it's
     non-critical here.
   * blogspam, openid, pinger: Consistently use cookiejar if configured.
     Previously, these plugins would only obey this configuration if
     LWPx::ParanoidAgent was not installed, but this appears to have been
     unintended.
Checksums-Sha1:
 8c7ec3f78150f5c57ddbcc64df5c86cd222bc1ba 2223 ikiwiki_3.20170111.1.dsc
 9b6b95c1da66d4492f5d935db0df73f3b949faa2 2618416 ikiwiki_3.20170111.1.tar.xz
 15e570feae476535dba5b0fe5722cdb5529c255f 5494 ikiwiki_3.20170111.1_source.buildinfo
Checksums-Sha256:
 7ae898ad6564010f968ea260edcc9364110f46b2c3f8152285efd179bd127f01 2223 ikiwiki_3.20170111.1.dsc
 443039c9b0ae748d7cb80543a217ac4074cc32a89d12c52ff5ff39e836b70488 2618416 ikiwiki_3.20170111.1.tar.xz
 a5733c439bc019713e95919c6530e686bad797f3769f445eaf1f981f1528c013 5494 ikiwiki_3.20170111.1_source.buildinfo
Files:
 b7fd75ad3a26cb0d7b38eee430963f03 2223 web optional ikiwiki_3.20170111.1.dsc
 707a04bb99abf54670dfb7f60b76723e 2618416 web optional ikiwiki_3.20170111.1.tar.xz
 1bfe891d16b617d2b4d8d0b32f59819b 5494 web optional ikiwiki_3.20170111.1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAlx4IgQACgkQ4FrhR4+B
TE/bzw/+KAixsYohnQNq0sS4qvdX2aX6ejJ+Hr77w+Qg0LVBA+gTYHSUwpZ+Y3RS
Uqrzr1c5/GWKxrk+FSnhRMXD49E4fatwfT/qbX3wSlBKyR+D1qOiYj+YZeHVGAIn
kDbYsXzj5zmLVsZ4h/RDht3Nf/h3tMrCojvwAzOciByXugM56Fz59CselLCWndiL
L4/xCH4nV6EmAfjBGRqE4RBPsMkIaKMVsoMOWaznPDm4T40ODR2IgTYabDaJ6Pt7
WV+HygWGiPnJ2zKq7SsEr56GA4RtuZzzrAqCKWO0qh1e5Xnb/gJlGi5ksyjeuEqu
kgmmAA+zAr5c0hpr3+gMGxINZLm6kn2syU2Q3C87JXFovjwIqg9WWlFrXyQ1IHqF
1Wn7VUVG93ue/WSDzA9eRbDHafMfU+npItdlclVDIqKpEsqfBPzCA4wMNFFxEgpo
7L7taERl58DFUm2aY7TpuOvJBp2kmcmjCr4g7BELIAtAhapzDcHiZKAF9oMnzO2+
Ir7LOGA0d4JxQBmVAWn/cGQnCKAR84b+c3GqZGPzTgrHwfnlixHmQabr9PAc/IHU
mc+CbK2j5Kkr/Y+hhHxU/DtanHJr0JH8DnC3S+WyYJoxZ4ybFVRgFY8GhOnybiCu
CRu9fAAng856iXdJeMGoU8xFkPofOCitu/mPkF1c5TdilEGRBzQ=
=A7Dm
-----END PGP SIGNATURE-----
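The changelog above describes three defensive measures for plugins that fetch URLs: reject any URL whose scheme is not http or https before it reaches the HTTP client, prefer LWPx::ParanoidAgent (which refuses connections to private and loopback addresses and bounds total request time) when it can be loaded, and fall back to a plain LWP::UserAgent only when a proxy is configured to do that filtering. The Perl below is an added example that is not ikiwiki's own code; the function names, the `%config` keys (`useragent`, `cookiejar`, `http_proxy`) and the 30-second timeout are assumptions chosen for the illustration.

```perl
#!/usr/bin/perl
# Added example, not ikiwiki's code: scheme allowlisting plus a
# ParanoidAgent-first user-agent factory, mirroring the changelog's approach.
use strict;
use warnings;
use URI;
use LWP::UserAgent;

# Accept only absolute http:// or https:// URLs. Rejecting file: URIs closes
# the local file disclosure path, and rejecting other schemes (gopher, ftp,
# ...) removes request-forgery surface that ParanoidAgent alone would not.
sub allowed_url {
    my ($url) = @_;
    my $scheme = URI->new($url)->scheme;        # undef for relative URLs
    return 0 unless defined $scheme;
    $scheme = lc $scheme;
    return ($scheme eq 'http' || $scheme eq 'https') ? 1 : 0;
}

# Build the client. %config keys are assumed names for this example.
#  - If a proxy is configured, use LWP::UserAgent with that proxy: the proxy
#    (not this code) is then responsible for blocking internal targets.
#  - Otherwise use LWPx::ParanoidAgent when it is installed; it blocks
#    private/loopback addresses and enforces a whole-request time limit.
#  - Only if neither applies fall back to a plain LWP::UserAgent.
# The cookie jar is applied on every path, matching the changelog's
# "consistently use cookiejar if configured" item.
sub build_agent {
    my (%config) = @_;
    my %opts = (agent => $config{useragent} // 'example-fetcher/1.0');
    $opts{cookie_jar} = { file => $config{cookiejar}, autosave => 1 }
        if defined $config{cookiejar};

    my $ua;
    if (defined $config{http_proxy}) {
        $ua = LWP::UserAgent->new(%opts);
        $ua->proxy([ 'http', 'https' ], $config{http_proxy});
    }
    elsif (eval { require LWPx::ParanoidAgent; 1 }) {
        $ua = LWPx::ParanoidAgent->new(%opts);
    }
    else {
        warn "LWPx::ParanoidAgent not installed; internal hosts are not filtered\n";
        $ua = LWP::UserAgent->new(%opts);
    }
    $ua->timeout(30);   # assumed value; bounds slow "tarpit" responses
    return $ua;
}

# Fetch only after the scheme check has passed, so no handler for file: or
# other schemes is ever reached.
sub safe_get {
    my ($ua, $url) = @_;
    die "refusing non-http(s) URL: $url\n" unless allowed_url($url);
    return $ua->get($url);
}

# Offline self-check of the allowlist on constructed sample URLs.
unless (caller) {
    for my $u ('https://example.org/feed.xml', 'HTTP://example.org/',
               'file:///etc/passwd', 'gopher://example.org/', 'feed.xml') {
        printf "%-28s %s\n", $u, allowed_url($u) ? 'allowed' : 'rejected';
    }
}
```

Run stand-alone, the self-check reports the two http(s) URLs as allowed and the file:, gopher: and relative entries as rejected without opening any connection. The scheme check runs before the user agent is involved at all, which is the point of the changelog's third item: ParanoidAgent protects against internal network targets, but only a scheme allowlist keeps a missing ParanoidAgent from turning into local file reads.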