ikiwiki-3.20200202.3-2.7 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10860 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ikiwiki-3.20200202.3-2.7 on GA media These are all security issues fixed in the ikiwiki-3.20200202.3-2.7 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10860 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10860 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2008-0169/ SUSE CVE CVE-2008-0169 page https://www.suse.com/security/cve/CVE-2009-2944/ SUSE CVE CVE-2009-2944 page https://www.suse.com/security/cve/CVE-2011-0428/ SUSE CVE CVE-2011-0428 page https://www.suse.com/security/cve/CVE-2011-1401/ SUSE CVE CVE-2011-1401 page https://www.suse.com/security/cve/CVE-2012-0220/ SUSE CVE CVE-2012-0220 page https://www.suse.com/security/cve/CVE-2014-1572/ SUSE CVE CVE-2014-1572 page https://www.suse.com/security/cve/CVE-2016-10026/ SUSE CVE CVE-2016-10026 page https://www.suse.com/security/cve/CVE-2016-1238/ SUSE CVE CVE-2016-1238 page https://www.suse.com/security/cve/CVE-2016-3714/ SUSE CVE CVE-2016-3714 page https://www.suse.com/security/cve/CVE-2016-4561/ SUSE CVE CVE-2016-4561 page https://www.suse.com/security/cve/CVE-2016-9645/ SUSE CVE CVE-2016-9645 page https://www.suse.com/security/cve/CVE-2016-9646/ SUSE CVE CVE-2016-9646 page https://www.suse.com/security/cve/CVE-2017-0356/ SUSE CVE CVE-2017-0356 page https://www.suse.com/security/cve/CVE-2019-9187/ SUSE CVE CVE-2019-9187 page openSUSE Tumbleweed ikiwiki-3.20200202.3-2.7 ikiwiki-w3m-3.20200202.3-2.7 ikiwiki-3.20200202.3-2.7 as a component of openSUSE Tumbleweed ikiwiki-w3m-3.20200202.3-2.7 as a component of openSUSE Tumbleweed Plugin/passwordauth.pm (aka the passwordauth plugin) in ikiwiki 1.34 through 2.47 allows remote attackers to bypass authentication, and login to any account for which an OpenID identity is configured and a password is not configured, by specifying an empty password during the login sequence. CVE-2008-0169 openSUSE Tumbleweed:ikiwiki-3.20200202.3-2.7 openSUSE Tumbleweed:ikiwiki-w3m-3.20200202.3-2.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-0169.html CVE-2008-0169 Incomplete blacklist vulnerability in the teximg plugin in ikiwiki before 3.1415926 and 2.x before 2.53.4 allows context-dependent attackers to read arbitrary files via crafted TeX commands. CVE-2009-2944 openSUSE Tumbleweed:ikiwiki-3.20200202.3-2.7 openSUSE Tumbleweed:ikiwiki-w3m-3.20200202.3-2.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-2944.html CVE-2009-2944 Cross Site Scripting (XSS) in ikiwiki before 3.20110122 could allow remote attackers to insert arbitrary JavaScript due to insufficient checking in comments. CVE-2011-0428 openSUSE Tumbleweed:ikiwiki-3.20200202.3-2.7 openSUSE Tumbleweed:ikiwiki-w3m-3.20200202.3-2.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-0428.html CVE-2011-0428 ikiwiki before 3.20110328 does not ascertain whether the htmlscrubber plugin is enabled during processing of the "meta stylesheet" directive, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences in (1) the default stylesheet or (2) an alternate stylesheet. CVE-2011-1401 openSUSE Tumbleweed:ikiwiki-3.20200202.3-2.7 openSUSE Tumbleweed:ikiwiki-w3m-3.20200202.3-2.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-1401.html CVE-2011-1401 Multiple cross-site scripting (XSS) vulnerabilities in the meta plugin (Plugin/meta.pm) in ikiwiki before 3.20120516 allow remote attackers to inject arbitrary web script or HTML via the (1) author or (2) authorurl meta tags. CVE-2012-0220 openSUSE Tumbleweed:ikiwiki-3.20200202.3-2.7 openSUSE Tumbleweed:ikiwiki-w3m-3.20200202.3-2.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-0220.html CVE-2012-0220 The confirm_create_account function in the account-creation feature in token.cgi in Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not specify a scalar context for the realname parameter, which allows remote attackers to create accounts with unverified e-mail addresses by sending three realname values with realname=login_name as the second, as demonstrated by selecting an e-mail address with a domain name for which group privileges are automatically granted. CVE-2014-1572 openSUSE Tumbleweed:ikiwiki-3.20200202.3-2.7 openSUSE Tumbleweed:ikiwiki-w3m-3.20200202.3-2.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-1572.html CVE-2014-1572 ikiwiki 3.20161219 does not properly check if a revision changes the access permissions for a page on sites with the git and recentchanges plugins and the CGI interface enabled, which allows remote attackers to revert certain changes by leveraging permissions to change the page before the revision was made. CVE-2016-10026 openSUSE Tumbleweed:ikiwiki-3.20200202.3-2.7 openSUSE Tumbleweed:ikiwiki-w3m-3.20200202.3-2.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-10026.html CVE-2016-10026 https://bugzilla.suse.com/1016606 SUSE Bug 1016606 (1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory. CVE-2016-1238 openSUSE Tumbleweed:ikiwiki-3.20200202.3-2.7 openSUSE Tumbleweed:ikiwiki-w3m-3.20200202.3-2.7 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1238.html CVE-2016-1238 https://bugzilla.suse.com/1108749 SUSE Bug 1108749 https://bugzilla.suse.com/1123389 SUSE Bug 1123389 https://bugzilla.suse.com/987887 SUSE Bug 987887 https://bugzilla.suse.com/988311 SUSE Bug 988311 The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick." CVE-2016-3714 openSUSE Tumbleweed:ikiwiki-3.20200202.3-2.7 openSUSE Tumbleweed:ikiwiki-w3m-3.20200202.3-2.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3714.html CVE-2016-3714 https://bugzilla.suse.com/1000484 SUSE Bug 1000484 https://bugzilla.suse.com/1057163 SUSE Bug 1057163 https://bugzilla.suse.com/1105592 SUSE Bug 1105592 https://bugzilla.suse.com/978061 SUSE Bug 978061 https://bugzilla.suse.com/980401 SUSE Bug 980401 https://bugzilla.suse.com/982178 SUSE Bug 982178 Cross-site scripting (XSS) vulnerability in the cgierror function in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving an error message. CVE-2016-4561 openSUSE Tumbleweed:ikiwiki-3.20200202.3-2.7 openSUSE Tumbleweed:ikiwiki-w3m-3.20200202.3-2.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-4561.html CVE-2016-4561 The fix for ikiwiki for CVE-2016-10026 was incomplete resulting in editing restriction bypass for git revert when using git versions older than 2.8.0. This has been fixed in 3.20161229. CVE-2016-9645 openSUSE Tumbleweed:ikiwiki-3.20200202.3-2.7 openSUSE Tumbleweed:ikiwiki-w3m-3.20200202.3-2.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9645.html CVE-2016-9645 ikiwiki before 3.20161229 incorrectly called the CGI::FormBuilder->field method (similar to the CGI->param API that led to Bugzilla's CVE-2014-1572), which can be abused to lead to commit metadata forgery. CVE-2016-9646 openSUSE Tumbleweed:ikiwiki-3.20200202.3-2.7 openSUSE Tumbleweed:ikiwiki-w3m-3.20200202.3-2.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9646.html CVE-2016-9646 A flaw, similar to to CVE-2016-9646, exists in ikiwiki before 3.20170111, in the passwordauth plugin's use of CGI::FormBuilder, allowing an attacker to bypass authentication via repeated parameters. CVE-2017-0356 openSUSE Tumbleweed:ikiwiki-3.20200202.3-2.7 openSUSE Tumbleweed:ikiwiki-w3m-3.20200202.3-2.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-0356.html CVE-2017-0356 ikiwiki before 3.20170111.1 and 3.2018x and 3.2019x before 3.20190228 allows SSRF via the aggregate plugin. The impact also includes reading local files via file: URIs. CVE-2019-9187 openSUSE Tumbleweed:ikiwiki-3.20200202.3-2.7 openSUSE Tumbleweed:ikiwiki-w3m-3.20200202.3-2.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9187.html CVE-2019-9187 https://bugzilla.suse.com/1128085 SUSE Bug 1128085