Bug 1518716 - [dokuwiki] package orphaned/unmaintained since 2015, automated CVE bugs got ignored
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: dokuwiki
Version: 28
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Andrew Colin Kissa
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-29 13:57 UTC by Pascal Ernster
Modified: 2018-08-26 20:18 UTC (History)
CC List: 6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-08-26 20:18:36 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1390290 None CLOSED CVE-2016-7964 CVE-2016-7965 CVE-2017-12583 CVE-2017-12979 CVE-2017-12980 CVE-2017-18123 dokuwiki: Various flaws 2019-07-30 10:28:07 UTC

Description Pascal Ernster 2017-11-29 13:57:51 UTC
All Fedora releases from 25 up to Rawhide ship dokuwiki 20150810a, which contains a bunch of security vulnerabilities:

https://www.dokuwiki.org/changes

https://src.fedoraproject.org/cgit/rpms/dokuwiki.git/log/


There's also been a bunch of (automated) bugs about some of these vulnerabilities, but it seems those have been ignored, and the package is actually unmaintained / de facto orphaned:

https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&content=dokuwiki&list_id=8166066

Comment 1 Fedora End Of Life 2018-02-20 15:33:11 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.

Comment 2 Artur Iwicki 2018-08-26 20:18:36 UTC
The package was updated to latest upstream version (2018-04-22a) and built for Rawhide and F29:
https://koji.fedoraproject.org/koji/buildinfo?buildID=1139333
https://koji.fedoraproject.org/koji/buildinfo?buildID=1139334

Successful builds have also been done for F28 and F27:
https://koji.fedoraproject.org/koji/buildinfo?buildID=1139337
https://koji.fedoraproject.org/koji/buildinfo?buildID=1139339
I'm wondering whether these should be pushed as updates, or not. On one hand, there's the risk of breaking changes, on the other - the package has security flaws, so not updating it leaves its users vulnerable to potential attacks.
