CVE-2017-12979 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12979):
DokuWiki through 2017-02-19c has stored XSS when rendering a malicious language name in a code element, in /inc/parser/xhtml.php. An attacker can create or edit a wiki with this element to trigger JavaScript execution.

References: https://github.com/splitbrain/dokuwiki/issues/2080
Fix: https://github.com/phy25/dokuwiki/commit/56bd9509ab2037512829392fda6427af7f390724

CVE-2017-12980 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12980):
DokuWiki through 2017-02-19c has stored XSS when rendering a malicious RSS or Atom feed, in /inc/parser/xhtml.php. An attacker can create or edit a wiki that uses RSS or Atom data from an attacker-controlled server to trigger JavaScript execution. The JavaScript can be in an author field, as demonstrated by the dc:creator element.

References: https://github.com/splitbrain/dokuwiki/issues/2081
Fix: https://github.com/phy25/dokuwiki/commit/163c2842d17452fffabffccaba3e18b7fbd5fc0b

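
Both entries above come down to untrusted text reaching HTML output unencoded. The sketch below is an added illustration of output encoding at the two sinks named there (a code element's language name and a feed's dc:creator field); it is not DokuWiki's code and not the linked fix commits. The function names, the allow-list pattern and the sample inputs are assumptions made for the example.

```php
<?php
// Added illustration only: not DokuWiki's xhtml.php and not the linked fix commits.
// Function names and the allow-list pattern are hypothetical.

function esc(string $s): string
{
    // Encode <, >, &, " and ' so untrusted text cannot leave its HTML context.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Sink 1 (the CVE-2017-12979 case): the language name lands in a class attribute.
function render_code_block(string $code, ?string $language): string
{
    $class = 'code';
    // Accept only names shaped like a highlighter language; drop anything else.
    if ($language !== null && preg_match('/^[A-Za-z0-9_+#.-]{1,32}$/D', $language)) {
        $class .= ' ' . $language;
    }
    return '<pre class="' . esc($class) . '">' . esc($code) . '</pre>';
}

// Sink 2 (the CVE-2017-12980 case): feed fields come from a remote server.
function render_feed_items(string $xml): string
{
    $feed = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($feed === false) {
        return '';
    }
    $out = '<ul class="rss">';
    foreach ($feed->channel->item as $item) {
        $dc = $item->children('http://purl.org/dc/elements/1.1/');
        $out .= '<li>' . esc((string) $item->title)
              . ' by ' . esc((string) $dc->creator) . '</li>';
    }
    return $out . '</ul>';
}

// Constructed sample inputs (not taken from the advisories).
$badLang = 'php"><b>injected</b>';
$feed = <<<'XML'
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel><item>
    <title>Post</title>
    <dc:creator>&lt;script&gt;alert(1)&lt;/script&gt;</dc:creator>
  </item></channel>
</rss>
XML;
echo render_code_block('<?php echo 1;', $badLang), "\n";
echo render_feed_items($feed), "\n";
```

The language name that fails the allow-list is dropped rather than sanitised, and the author field is emitted as encoded text, so neither value can close its attribute or element.
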
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c31676125999f57f4e98a7b2c63346f6fe14261f

www-apps/dokuwiki: Add releases 20160626e and 20170219e - security bump to address CVE-2017-{12583,12979,12980}.

Fixes bug 627154 and bug 628482.