Being told there is a security hotfix available... "Security Hotfix 2014-05-05a for Issue 765 available. upgrade now! [44.1] (what's this?)" Issue 765 is described at https://github.com/splitbrain/dokuwiki/issues/765 Reproducible: Always
Just ran into this one aswell. quickfix: rename of ebuild is enough to get it to work.
More recent updates for Dokuwiki, I'm informed there is now a security update to 2014-05-05b and a new release to 2014-09-29.
My apologies for not taking care of this bump earlier, but I've been busy with other stuff. 16:41 < irker171> gentoo-x86: jmbsvicetto www-apps/dokuwiki: Add 20140505b and 20140929 releases. Update to EAPI 5. Fixes bug 522146.
*** Bug 524608 has been marked as a duplicate of this bug. ***
(In reply to Jorge Manuel B. S. Vicetto from comment #3) > My apologies for not taking care of this bump earlier, but I've been busy > with other stuff. > Not a problem, we all have busy lives. Thanks for updating, installs and updates fine here.
Hotfix release available: 2014-09-29a "Hrun" available, but not mentioned on the changelogs page yet. Maybe it's this: https://github.com/splitbrain/dokuwiki/issues/885
*** Bug 524968 has been marked as a duplicate of this bug. ***
(In reply to Thomas Beutin from comment #6) > Hotfix release available: 2014-09-29a "Hrun" available, but not mentioned on > the changelogs page yet. Maybe it's this: > https://github.com/splitbrain/dokuwiki/issues/885 Going through https://github.com/splitbrain/dokuwiki/issues/885 , this doesn't seem a security or feature bump, but a compatibility patch for a very old libpcre version. From a quick glance at libpcre ChangeLog, that version seems to have been removed from the tree on 05 Feb 2008, so over 6.5 years ago.
(In reply to Jorge Manuel B. S. Vicetto from comment #8) > Going through https://github.com/splitbrain/dokuwiki/issues/885 , this > doesn't seem a security or feature bump, but a compatibility patch for a > very old libpcre version. From a quick glance at libpcre ChangeLog, that > version seems to have been removed from the tree on 05 Feb 2008, so over 6.5 > years ago. This bug was originally a request to bump to 20140505a for security reasons. It looks like Jer decided yesterday to evolve it into a request for the 20140929a version bump (see closed duplicate bug #524968), which is just this "hotfix" for 20140929 which is already in the tree. I agree with your assessment that it's a compatibility fix for an ancient and unlikely present libpcre. The main reason I'd say for still doing the version bump is that dokuwiki has a nag/warning on every page when you're not up-to-date.
(In reply to Philippe Chaintreuil from comment #9) > > I agree with your assessment that it's a compatibility fix for an ancient > and unlikely present libpcre. The main reason I'd say for still doing the > version bump is that dokuwiki has a nag/warning on every page when you're > not up-to-date. Yes, I'm going to do the bump. I already did a diff between versions yesterday and noticed the code path won't even change (they added a check for libpcre version and if it's >= 6.7, they use the same code, if not, they use the compatibility code. I'll add it to my overlay / tree in a few minutes.
15:55 < irker043> gentoo-x86: jmbsvicetto www-apps/dokuwiki: Add 20140929a release. Drop old. Fixes bug 522146. Done. @security: as seen on https://github.com/splitbrain/dokuwiki/issues/765 , there is a security issue affecting dokuwiki versions prior to 20140505b and 2140929. If you want to track this, an email requesting a CVE has already been sent to the oss-security ml and I suggest marking stable the 20140505b and 20140929a releases. The latter has a small compatibility patch and was released a few days after 20140929.
Making this a security bug Maintainers, please advise when ebuilds have had enough testing, and are ready for stabilization.
Both 20140505b and 20140929a should be ready for being marked stable.
CVE-2014-8764 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8764): DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind. CVE-2014-8763 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8763): DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user name, which triggers an unauthenticated bind. CVE-2014-8762 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8762): The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote attackers to access arbitrary images via a crafted namespace in the ns parameter. CVE-2014-8761 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8761): inc/template.php in DokuWiki before 2014-05-05a only checks for access to the root namespace, which allows remote attackers to access arbitrary images via a media file details ajax call.
(In reply to Jorge Manuel B. S. Vicetto from comment #13) > Both 20140505b and 20140929a should be ready for being marked stable. Thanks, Jorge. Arches, please test and mark stable. Target KEYWORDS: "amd64 ~ppc ~sparc x86"
amd64 stable
x86 stable. Maintainer(s), please cleanup.
Arches, Thank you for your work. Maintainer(s), please drop the vulnerable version(s).
Vulnerable versions have been dropped.
Maintainer(s), Thank you for you for cleanup.