Package: ikiwiki
Severity: serious
CSRF attacks can be used to construct links that change a logged-in
user's password or other preferences. Links can also be constructed
that cause a logged-in user to modify a wiki page.
--
see shy jo
Source: ikiwiki
Source-Version: 2.42
We believe that the bug you reported is fixed in the latest version of
ikiwiki, which is due to be installed in the Debian FTP archive:
ikiwiki_2.42.dsc
  to pool/main/i/ikiwiki/ikiwiki_2.42.dsc
ikiwiki_2.42.tar.gz
  to pool/main/i/ikiwiki/ikiwiki_2.42.tar.gz
ikiwiki_2.42_all.deb
  to pool/main/i/ikiwiki/ikiwiki_2.42_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 475445@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Joey Hess <joeyh@debian.org> (supplier of updated ikiwiki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 03 Apr 2008 02:35:39 -0400
Source: ikiwiki
Binary: ikiwiki
Architecture: source all
Version: 2.42
Distribution: unstable
Urgency: high
Maintainer: Joey Hess <joeyh@debian.org>
Changed-By: Joey Hess <joeyh@debian.org>
Description:
ikiwiki - a wiki compiler
Closes: 475445
Changes:
ikiwiki (2.42) unstable; urgency=high
.
  * aggregate: Correct a mistake in the code that dummies up a guid for feeds
    lacking one.
  * inline: Correct handling of urls relative to baseurl in feeds.
  * Fix CSRF attacks against the preferences and edit forms. The fix involved
    embedding the session id in the forms, and not allowing the forms to be
    submitted if the embedded id does not match the session id. Closes: #475445
Files:
36eb80d0053218c923b6192f4cac3606 865 web optional ikiwiki_2.42.dsc
036620a1781bd04d2e2fa6245fbc214b 694550 web optional ikiwiki_2.42.tar.gz
bbf1cd705e69fa3832b7684ca6c9be8b 829166 web optional ikiwiki_2.42_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFH/oV32tp5zXiKP0wRAgmoAJ0SCvYAIWARtMQqqXGg/hqzn966kwCghs6n
y/YJtFU3YCklG/6cZVvV09s=
=vco0
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#475445; Package ikiwiki.
Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list.