Bug 1518716 - [dokuwiki] package orphaned/unmaintained since 2015, automated CVE bugs got ignored
Alias: None
Product: Fedora
Classification: Fedora
Component: dokuwiki
Version: 28
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Andrew Colin Kissa
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-11-29 13:57 UTC by Pascal Ernster
Modified: 2018-08-26 20:18 UTC

Last Closed: 2018-08-26 20:18:36 UTC


System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1390290 None NEW CVE-2016-7964 CVE-2016-7965 CVE-2017-12583 CVE-2017-12979 CVE-2017-12980 CVE-2017-18123 dokuwiki: Various flaws 2018-09-09 17:24:57 UTC

Description Pascal Ernster 2017-11-29 13:57:51 UTC
All Fedora releases from 25 up to Rawhide ship dokuwiki 20150810a, which contains a bunch of security vulnerabilities:

There's also been a bunch of (automated) bugs about some of these vulnerabilities, but it seems those have been ignored, and the package is actually unmaintained / de facto orphaned:

Comment 1 Fedora End Of Life 2018-02-20 15:33:11 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.

Comment 2 Artur Iwicki 2018-08-26 20:18:36 UTC
The package was updated to the latest upstream version (2018-04-22a) and built for Rawhide and F29:

Successful builds have also been done for F28 and F27:
I'm wondering whether these should be pushed as updates, or not. On one hand, there's the risk of breaking changes, on the other - the package has security flaws, so not updating it leaves its users vulnerable to potential attacks.
