diff options
author | Thomas Lange <lange@debian.org> | 2019-03-21 07:08:50 +0000 |
---|---|---|
committer | Thomas Lange <lange@debian.org> | 2019-03-21 07:08:50 +0000 |
commit | e299933920f7e7cf9159ad5846e9ff2559a6c7a9 (patch) | |
tree | b544ef20a581716f74e1099bea808070582805f9 | |
parent | d9036bafa643ba1fabc8cc0346d5398b0d253cad (diff) | |
parent | b2eb73ccfe48a5f3cabfe3614ab068da445fd89d (diff) |
Merge branch 'DLA-1716-1' into 'master'
DLA-1716-1 advisory
See merge request webmaster-team/webwml!76
-rw-r--r-- | english/lts/security/2019/dla-1716.data | 10 | ||||
-rw-r--r-- | english/lts/security/2019/dla-1716.wml | 65 |
2 files changed, 75 insertions, 0 deletions
diff --git a/english/lts/security/2019/dla-1716.data b/english/lts/security/2019/dla-1716.data new file mode 100644 index 00000000000..b73622daadb --- /dev/null +++ b/english/lts/security/2019/dla-1716.data @@ -0,0 +1,10 @@ +<define-tag pagetitle>DLA-1716-1 ikiwiki</define-tag> +<define-tag report_date>2019-03-18</define-tag> +<define-tag secrefs>CVE-2019-9187</define-tag> +<define-tag packages>ikiwiki</define-tag> +<define-tag isvulnerable>yes</define-tag> +<define-tag fixed>yes</define-tag> +<define-tag fixed-section>no</define-tag> + +#use wml::debian::security + diff --git a/english/lts/security/2019/dla-1716.wml b/english/lts/security/2019/dla-1716.wml new file mode 100644 index 00000000000..13606bf1782 --- /dev/null +++ b/english/lts/security/2019/dla-1716.wml @@ -0,0 +1,65 @@ +<define-tag description>LTS security update</define-tag> +<define-tag moreinfo> +<p>The ikiwiki maintainers discovered that the aggregate plugin did not use +LWPx::ParanoidAgent. On sites where the aggregate plugin is enabled, authorized +wiki editors could tell ikiwiki to fetch potentially undesired URIs even if +LWPx::ParanoidAgent was installed:</p> + + <p>local files via file: URIs + other URI schemes that might be misused by attackers, such as gopher: + hosts that resolve to loopback IP addresses (127.x.x.x) + hosts that resolve to RFC 1918 IP addresses (192.168.x.x etc.)</p> + +<p>This could be used by an attacker to publish information that should not have +been accessible, cause denial of service by requesting <q>tarpit</q> URIs that are +slow to respond, or cause undesired side-effects if local web servers implement +<q>unsafe</q> GET requests. (<a href="https://security-tracker.debian.org/tracker/CVE-2019-9187">CVE-2019-9187</a>)</p> + +<p>Additionally, if liblwpx-paranoidagent-perl is not installed, the +blogspam, openid and pinger plugins would fall back to LWP, which is +susceptible to similar attacks. This is unlikely to be a practical problem for +the blogspam plugin because the URL it requests is under the control of the +wiki administrator, but the openid plugin can request URLs controlled by +unauthenticated remote users, and the pinger plugin can request URLs controlled +by authorized wiki editors.</p> + +<p>This is addressed in ikiwiki 3.20190228 as follows, with the same fixes +backported to Debian 9 in version 3.20170111.1:</p> + +<ul> + +<li>URI schemes other than http: and https: are not accepted, preventing access + to file:, gopher:, etc.</li> + +<li>If a proxy is configured in the ikiwiki setup file, it is used for all + outgoing http: and https: requests. In this case the proxy is responsible for + blocking any requests that are undesired, including loopback or RFC 1918 + addresses.</li> + +<li>If a proxy is not configured, and liblwpx-paranoidagent-perl is installed, it + will be used. This prevents loopback and RFC 1918 IP addresses, and sets a + timeout to avoid denial of service via <q>tarpit</q> URIs.</li> + +<li>Otherwise, the ordinary LWP user-agent will be used. This allows requests to + loopback and RFC 1918 IP addresses, and has less robust timeout behaviour. + We are not treating this as a vulnerability: if this behaviour is not + acceptable for your site, please make sure to install LWPx::ParanoidAgent or + disable the affected plugins.</li> + +</ul> + +<p>For Debian 8 <q>Jessie</q>, this problem has been fixed in version +3.20141016.4+deb8u1.</p> + +<p>We recommend that you upgrade your ikiwiki packages. In addition it is also +recommended that you have liblwpx-paranoidagent-perl installed, which listed in +the recommends field of ikiwiki.</p> + +<p>Further information about Debian LTS security advisories, how to apply +these updates to your system and frequently asked questions can be +found at: <a href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></p> +</define-tag> + +# do not modify the following line +#include "$(ENGLISHDIR)/lts/security/2019/dla-1716.data" +# $Id: $ |