| Summary: | ikiwiki new security issue CVE-2019-9187 (and missing fixes for several older CVEs) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, shlomif, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | ikiwiki-3.20171001-2.mga7.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 3.20190228 | ||
Description
David Walser
2019-03-01 23:28:13 CET
David Walser
2019-03-01 23:28:40 CET
Whiteboard: (none) => MGA6TOO

ikiwiki-3.20190228-1.mga7 uploaded for Cauldron by Shlomi.
Whiteboard: MGA6TOO => (none)

ikiwiki-3.20190228-1.mga6
ikiwiki-w3m-3.20190228-1.mga6
from ikiwiki-3.20190228-1.mga6.src.rpm
uploaded by Shlomi. Advisory to come later.
CC: (none) => shlomif

MGA6-32 MATE on IBM Thinkpad R50e
Installing this draws in 93 more packages, but I guess there are more missing.
Ref https://ikiwiki.info/setup/ for a test I get:
$ ikiwiki --setup /etc/ikiwiki/auto.setup
Cannot find termcap: Can't find a valid termcap file at /usr/lib/perl5/5.22.3/Term/ReadLine.pm line 373.
What will the wiki be named? ikiwikitest
Cannot find termcap: Can't find a valid termcap file at /usr/lib/perl5/5.22.3/Term/ReadLine.pm line 373.
What revision control system to use? git
Cannot find termcap: Can't find a valid termcap file at /usr/lib/perl5/5.22.3/Term/ReadLine.pm line 373.
Which user (wiki account, openid, or email) will be admin? tester6
Setting up ikiwikitest ...
Importing /home/tester6/ikiwikitest into git
Initialized empty shared Git repository in /home/tester6/ikiwikitest.git/
Initialized empty Git repository in /home/tester6/ikiwikitest/.git/
[master (root-commit) ae634b6] initial commit
1 file changed, 1 insertion(+)
create mode 100644 .gitignore
Counting objects: 3, done.
Writing objects: 100% (3/3), 216 bytes | 216.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To /home/tester6/ikiwikitest.git
* [new branch] master -> master
Directory /home/tester6/ikiwikitest is now a clone of git repository /home/tester6/ikiwikitest.git
/etc/ikiwiki/auto.setup: Can't locate YAML/XS.pm in @INC (you may need to install the YAML::XS module) (@INC contains: /home/tester6/.ikiwiki /usr/lib/perl5/site_perl/5.22.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.22.3 /usr/lib/perl5/vendor_perl/5.22.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.22.3 /usr/lib/perl5/5.22.3/i386-linux-thread-multi /usr/lib/perl5/5.22.3 /usr/lib/perl5/site_perl/5.22.3 /usr/lib/perl5/site_perl/5.22.3/i386-linux-thread-multi /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.22.3 /usr/lib/perl5/vendor_perl/5.22.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.22.2 /usr/lib/perl5/vendor_perl/5.22.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.22.0 /usr/lib/perl5/vendor_perl) at (eval 889) line 2.
BEGIN failed--compilation aborted at (eval 889) line 2.
usage: ikiwiki [options] source dest
ikiwiki --setup my.setup [options]
CC: (none) => herman.viaene

Updated packages from Shlomi to fix the perl errors.
ikiwiki-3.20190228-1.1.mga6
ikiwiki-w3m-3.20190228-1.1.mga6
from ikiwiki-3.20190228-1.1.mga6.src.rpm

Getting better, but still not OK.
First uninstalled the older version and removed all ikiwiki stuff from my home, then installed the new version, then
$ ikiwiki --setup /etc/ikiwiki/auto.setup
Cannot find termcap: Can't find a valid termcap file at /usr/lib/perl5/5.22.3/Term/ReadLine.pm line 373.
What will the wiki be named? ikiwiktest
Cannot find termcap: Can't find a valid termcap file at /usr/lib/perl5/5.22.3/Term/ReadLine.pm line 373.
What revision control system to use? git
Cannot find termcap: Can't find a valid termcap file at /usr/lib/perl5/5.22.3/Term/ReadLine.pm line 373.
Which user (wiki account, openid, or email) will be admin? tester6
Setting up ikiwiktest ...
Importing /home/tester6/ikiwiktest into git
Initialized empty shared Git repository in /home/tester6/ikiwiktest.git/
Initialized empty Git repository in /home/tester6/ikiwiktest/.git/
[master (root-commit) c84ae4d] initial commit
1 file changed, 1 insertion(+)
create mode 100644 .gitignore
Counting objects: 3, done.
Writing objects: 100% (3/3), 216 bytes | 216.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To /home/tester6/ikiwiktest.git
* [new branch] master -> master
Directory /home/tester6/ikiwiktest is now a clone of git repository /home/tester6/ikiwiktest.git
warning: installing LWPx::ParanoidAgent is recommended
Creating wiki admin tester6 ...
Choose a password:
Confirm password:
Can't exec "cc": Bestand of map bestaat niet at /usr/lib/perl5/vendor_perl/5.22.3/IkiWiki/Wrapper.pm line 302.
failed to compile /home/tester6/public_html/ikiwiktest/ikiwiki.cgi.c
/etc/ikiwiki/auto.setup: ikiwiki --wrappers --setup /home/tester6/ikiwiktest.setup failed at /usr/lib/perl5/vendor_perl/5.22.3/IkiWiki/Setup/Automator.pm line 189, <STDIN> line 2.
usage: ikiwiki [options] source dest
ikiwiki --setup my.setup [options]

Debian has issued an advisory for the newest issue on February 28:
https://www.debian.org/security/2019/dsa-4399
Keywords: (none) => feedback

Testing on Mageia 6 x86_64
Installed the old version.
Installed the update, which also pulled in perl-YAML-LibYAML from core release.
[root@x6v ~]# ikiwiki --setup /etc/ikiwiki/auto.setup
What will the wiki be named? qatestwiki
What revision control system to use? git
Which user (wiki account, openid, or email) will be admin? dave@x6v.hodgins.homeip.net
Setting up qatestwiki ...
Importing /root/2qatestwiki into git
Initialized empty shared Git repository in /root/2qatestwiki.git/
Initialized empty Git repository in /root/2qatestwiki/.git/
[master (root-commit) a220042] initial commit
1 file changed, 1 insertion(+)
create mode 100644 .gitignore
Counting objects: 3, done.
Writing objects: 100% (3/3), 216 bytes | 216.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To /root/2qatestwiki.git
* [new branch] master -> master
Directory /root/2qatestwiki is now a clone of git repository /root/2qatestwiki.git
warning: installing LWPx::ParanoidAgent is recommended
ikiwiki-update-wikilist: added user root to /etc/ikiwiki/wikilist
Successfully set up qatestwiki:
url: http://x6v.hodgins.homeip.net/~root/qatestwiki
srcdir: ~/2qatestwiki
destdir: ~/public_html/qatestwiki
repository: ~/2qatestwiki.git
To modify settings, edit ~/qatestwiki.setup and then run:
ikiwiki --setup ~/qatestwiki.setup
Viewed several pages starting with ...
# w3m /root/public_html/qatestwiki/index.html
No regressions found.

Advisory committed to svn.
Validating the update.
Whiteboard: (none) => MGA6-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0113.html
Resolution: (none) => FIXED