This could be used by an attacker to publish information that should not have
been accessible, cause denial of service by requesting "tarpit" URIs that are
slow to respond, or cause undesired side-effects if local web servers implement
"unsafe" GET requests. (CVE-2019-9187)
Additionally, if liblwpx-paranoidagent-perl is not installed, the
blogspam, openid and pinger plugins would fall back to LWP, which is
susceptible to similar attacks. This is unlikely to be a practical problem for
the blogspam plugin because the URL it requests is under the control of the
wiki administrator, but the openid plugin can request URLs controlled by
unauthenticated remote users, and the pinger plugin can request URLs controlled
by authorized wiki editors.
This is addressed in ikiwiki 3.20190228 as follows, with the same fixes
backported to Debian 9 in version 3.20170111.1:
* URI schemes other than http: and https: are not accepted, preventing access
to file:, gopher:, etc.
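The scheme allowlist described above, written out as an added illustration in Python (ikiwiki itself is Perl, and this is not the project's code): `check_fetch_url` and `is_fetchable` are assumed names, and the function rejects any URL whose scheme is not http or https before a request could be made, including scheme-relative and host-less forms.

```python
from urllib.parse import urlsplit, urlunsplit

# Only these schemes may be fetched by wiki plugins (per the advisory's fix).
ALLOWED_SCHEMES = frozenset({"http", "https"})


class UnsafeURLError(ValueError):
    """Raised when a URL fails the outbound-fetch policy."""


def check_fetch_url(url: str) -> str:
    """Return a normalized URL if its scheme is http or https, else raise.

    Anything else (file:, gopher:, data:, ...) is rejected before any
    request is issued.  Scheme comparison is case-insensitive (RFC 3986);
    an empty scheme (scheme-relative "//host/" or a bare path) is rejected
    too, since a client would otherwise guess one.
    """
    if not isinstance(url, str):
        raise UnsafeURLError("URL must be a string")
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURLError(f"scheme {scheme or '<none>'!r} is not permitted")
    if not parts.hostname:
        # e.g. "http:///path" or "http:example.org": no host to connect to
        raise UnsafeURLError("URL has no host")
    # Rebuild from the parsed parts so the caller fetches exactly what was checked.
    return urlunsplit((scheme, parts.netloc, parts.path or "/", parts.query, parts.fragment))


def is_fetchable(url: str) -> bool:
    """Boolean form of check_fetch_url for use in plugin code paths."""
    try:
        check_fetch_url(url)
        return True
    except UnsafeURLError:
        return False
```

The scheme check alone does not cover the "tarpit" or local-web-server cases the advisory describes; those need request timeouts and destination address filtering at the HTTP client.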