Description of problem: dokuwiki update to release 2012-01-25a "Angua" Version-Release number of selected component (if applicable): 20110525-2.mga2 How reproducible: This is an update request, I am using dokuwiki as seen below. Steps to Reproduce: 1. Get current tarball from http://www.splitbrain.org/_media/projects/dokuwiki/dokuwiki-2012-01-25a.tgz 2. Modify SPEC : --- dokuwiki.spec.orig +++ dokuwiki.spec @@ -1,10 +1,10 @@ -%define dir_version 2011-05-25 +%define dir_version 2012-01-25a %define _localstatedir %_var Name: dokuwiki -Version: 20110525 -Release: %mkrel 2 +Version: 20120125a +Release: %mkrel 1 Summary: A wiki with plain text files backend License: GPLv2 Group: Networking/WWW @@ -34,6 +34,7 @@ install -d -m 755 %{buildroot}%{_var}/www/%{name} install -m 644 *.php %{buildroot}%{_var}/www/%{name} (cd %{buildroot}%{_var}/www/%{name} && ln -sf ../../..%{_datadir}/%{name}/lib .) +(cd %{buildroot}%{_var}/www/%{name} && ln -sf ../../..%{_datadir}/%{name}/lib/plugins/config/images data) cat > %{buildroot}%{_var}/www/%{name}/prepend.php <<'EOF' <?php @@ -118,6 +119,9 @@ %changelog +* Day Mth nn Year 20120125a-1.mga2 ++ Revision: 20120125a + * Tue Jun 21 2011 dmorgan <dmorgan> 20110525-2.mga2 + Revision: 111382 - Fix requires 3. Build and push to core/updates/ Enjoy changes seen at http://www.dokuwiki.org/changes
This would take care of Bug 6166 - dokuwiki new security issues CVE-2012-2128 and CVE-2012-2129
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=6166
(In reply to comment #1) > This would take care of Bug 6166 - dokuwiki new security issues CVE-2012-2128 > and CVE-2012-2129 No, 20120125a is vulnerable to those CVEs as well. You might consider joining the packaging team so that there would be a more active maintainer for this software. Just a thought :o) See the wiki if you're interested.
CC: (none) => luigiwalser
It looks like 20120125 is vulnerable, 20120125a has the fix. Or am I looking at the wrong thing? The one fix takes care of both issues. http://bugs.dokuwiki.org/index.php?do=details&task_id=2487 http://bugs.dokuwiki.org/index.php?do=details&task_id=2488 The fix is : https://github.com/splitbrain/dokuwiki/commit/ff71173477e54774b5571015d49d944f51cb8a26#diff-0 As seen in the installed 20120125a : $ rpm -qf /usr/share/dokuwiki/inc/html.php dokuwiki-20120125a-1.mga2 $ grep -nA6 function\ html_edit_form /usr/share/dokuwiki/inc/html.php 1436:function html_edit_form($param) { 1437- global $TEXT; 1438- 1439- if ($param['target'] !== 'section') { 1440- msg('No editor for edit target ' . hsc($param['target']) . ' found.', -1); 1441- } 1442- This is the same as the fc17 fix-CVE-2012-2129.patch.
Ahh, nice catch.
2012-01-25b fixes another security issue, as noted in Bug 6166.
Summary: dokuwiki update to 2012-01-25a => dokuwiki update to 2012-01-25b
Cauldron has been updated to 2012-01-25b, including your fix. I'm going to close this one and handle the security update for Mageia 2 in Bug 6166. It will also be upgraded to 2012-01-25b. Rod, if you could help test the update candidate in updates_testing, that would be great.
Status: NEW => RESOLVEDVersion: 2 => CauldronResolution: (none) => FIXED