
Bug 544224 (CVE-2015-2172)

Summary: <www-apps/dokuwiki-20140929d: multiple vulnerabilities (CVE-2015-2172)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: jmbsvicetto, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.dokuwiki.org/changes
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-03-23 13:57:03 UTC
From ${URL} :

Release 2014-09-29d "Hrun"

It's now possible to customize single strings of the localization
New history function to see how a wiki looked at a certain time (no user interface yet, details at date at)
Security fix for AD/LDAP auth plugin related problem (Details here)
Some caching in the database auth plugins
Improved CLI interface for better command line tools
Support for external Audio/Video sources
Various improvements and bug fixes
Note: When you had disabled the 'compress' config setting, you would enable it again since this release.

Hotfix 2014-09-29a: fixes for login problems caused by certain PCRE versions and changes in the recent Chrome release
Security Hotfix 2014-09-29b: prevents XSS attack via SWF uploads
Security Hotfix 2014-09-29c: fixes privilege escalation in RPC API
Security Hotfix 2014-09-29d: fixes a XSS vulnerability in the user manager

Release 2014-05-05e "Ponder Stibbons"

Extension Manager
Audio & video support
New and more file icons (as e.g. seen on mime)
Show login form at denied access
Show a domain dropdown when multiple AD domains are configured
Added user page linking by adding the showuseras config option: “Full name as interwiki user link”. Configurable via the interwiki configuration
Added a more versatile Revision selection to the diff page of articles
:!: Fallback of old date format removed: early wikis need to update their dformat config setting
:!: When the layout seems broken, you may be affected by an issue in the CSS compressor. Please try disabling the 'compress' config setting.

Hotfix

Security Hotfix 2014-05-05a for Issue 765.
Security Hotfix 2014-05-05b for AD/LDAP auth plugin related problem (Details here)
Security Hotfix 2014-05-05c: prevents XSS attack via SWF uploads
Security Hotfix 2014-05-05d: fixes privilege escalation in RPC API
Security Hotfix 2014-05-05e: fixes a XSS vulnerability in the user manager


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2015-04-09 18:14:09 UTC
17:42 < gentoovcs> jmbsvicetto → gentoo-x86 (www-apps/dokuwiki/) Security bump - fixes bug 544224.

@arch teams:
please add keywords for www-apps/dokuwiki-20140929d.
Target keywords "amd64 ~ppc ~sparc x86".
Comment 2 Agostino Sarubbo gentoo-dev 2015-04-10 09:45:41 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2015-04-10 09:46:08 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2015-04-10 10:54:56 UTC
10:53 < gentoovcs> jmbsvicetto → gentoo-x86 (www-apps/dokuwiki/) Security clean-up.                

Done
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-04-11 15:23:11 UTC
CVE-2015-2172 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2172):
  DokuWiki before 2014-05-05d and before 2014-09-29c does not properly check
  permission for the ACL plugins, which allows remote authenticated users to
  gain privileges and add or delete ACL rules via a request to the XMLRPC API.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-04-11 15:23:56 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: Yes
Comment 7 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-05-11 20:59:49 UTC
GLSA Vote: No
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-05-11 21:04:51 UTC
GLSA vote: no.