
The following updates have been released for Debian GNU/Linux:

[DLA 79-1] dokuwiki security update
[DLA 80-1] libxml2 security update
[DSA 3059-1] dokuwiki security update



[DLA 79-1] dokuwiki security update

Package : dokuwiki
Version : 0.0.20091225c-10+squeeze3
CVE ID : CVE-2014-8763 CVE-2014-8764
Debian Bug : 766545

This fixes a possibility of bypassing the wiki authentication when an Active
Directory is used for LDAP authentication. These two CVEs are almost the same,
one apparently being a superset of the other. They are fixed together.

CVE-2014-8763

DokuWiki before 2014-05-05b, when using Active Directory for LDAP
authentication, allows remote attackers to bypass authentication via a
password starting with a null (\0) character and a valid user name, which
triggers an unauthenticated bind.

CVE-2014-8764

DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP
authentication, allows remote attackers to bypass authentication via a
user name and password starting with a null (\0) character, which triggers
an anonymous bind.
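
The two CVE descriptions above, as an added example (not code from DokuWiki or from the Debian advisory): a pre-bind credential gate that classifies a simple bind by what the directory server would actually receive. The function names are hypothetical, the sample credentials are constructed, and as_c_string() models the assumption that the bind call goes through a NUL-terminated C string API.

```python
# Added example: pre-bind credential check for LDAP simple binds.
# Assumption: the LDAP client library treats credentials as NUL-terminated
# C strings, so everything from the first \0 onward never reaches the server.


def as_c_string(value: str) -> str:
    """Return the part of `value` a NUL-terminated C API would see."""
    return value.split("\x00", 1)[0]


def classify_simple_bind(username: str, password: str) -> str:
    """Classify a simple bind (RFC 4513, section 5.1) by the values
    the server receives, not by the strings the application holds."""
    name = as_c_string(username)
    secret = as_c_string(password)
    if not secret:
        # No password on the wire: nothing is verified by the server.
        return "unauthenticated" if name else "anonymous"
    if not name:
        return "malformed"
    return "name/password"


def naive_gate(username: str, password: str) -> bool:
    """Weak check: only tests that the application-level strings are non-empty."""
    return username != "" and password != ""


def safe_to_bind(username: str, password: str) -> bool:
    """Hardened gate: reject embedded NULs outright, then require a bind
    that really carries both a name and a password."""
    if "\x00" in username or "\x00" in password:
        return False
    return classify_simple_bind(username, password) == "name/password"


if __name__ == "__main__":
    # Constructed sample credentials.
    samples = [
        ("alice", "correct horse"),    # ordinary login
        ("alice", "\x00anything"),     # pattern described in CVE-2014-8763
        ("\x00alice", "\x00anything"), # pattern described in CVE-2014-8764
        ("alice", ""),                 # plain empty password
    ]
    for user, pw in samples:
        print(repr(user), repr(pw), classify_simple_bind(user, pw),
              "naive:", naive_gate(user, pw), "hardened:", safe_to_bind(user, pw))
```

The naive gate passes both NUL-prefixed samples because the application-level strings are non-empty, while the hardened gate refuses them before any bind is attempted.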

[DLA 80-1] libxml2 security update


Package : libxml2
Version : 2.7.8.dfsg-2+squeeze10
CVE ID : CVE-2014-0191 CVE-2014-3660

Sogeti found a denial of service flaw in libxml2, a library providing
support to read, modify and write XML and HTML files. A remote attacker
could provide a specially crafted XML file that, when processed by an
application using libxml2, would lead to excessive CPU consumption
(denial of service) based on excessive entity substitutions, even if
entity substitution was disabled, which is the parser default behavior.
(CVE-2014-3660)

In addition, this update addresses a misapplied chunk for a patch
released in the previous version (#762864).

[DSA 3059-1] dokuwiki security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3059-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
October 29, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : dokuwiki
CVE ID : CVE-2014-8761 CVE-2014-8762 CVE-2014-8763 CVE-2014-8764

Two vulnerabilities have been discovered in dokuwiki. Access control in
the media manager was insufficiently restricted and authentication could
be bypassed when using Active Directory for LDAP authentication.

For the stable distribution (wheezy), these problems have been fixed in
version 0.0.20120125b-2+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 0.0.20140929.a-1.

We recommend that you upgrade your dokuwiki packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/