Release 3.20141016.4

[git.ikiwiki.info.git] / debian / changelog

diff --git a/debian/changelog b/debian/changelog
index 229d44e27baccbdbd18d729245f7c0226a0318a6..b3e7e559b7fd44389ffc2dbd8e799d8d9f69a972 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,19 +1,19 @@
-ikiwiki (3.20141016.4) UNRELEASED; urgency=high
+ikiwiki (3.20141016.4) jessie-security; urgency=high
 
   * Reference CVE-2016-4561 in 3.20141016.3 changelog
   * Security: force CGI::FormBuilder->field to scalar context where
     necessary, avoiding unintended function argument injection
     analogous to CVE-2014-1572.
     - passwordauth: prevent authentication bypass via multiple name
-      parameters (OVE-20170111-0001)
+      parameters (CVE-2017-0356, OVE-20170111-0001)
     - passwordauth: prevent userinfo forgery via repeated email
-      parameter (OVE-20170111-0001)
+      parameter (also CVE-2017-0356)
     - comments, editpage: prevent commit metadata forgery
       (CVE-2016-9646, OVE-20161226-0001)
     - CGI, attachment, comments, editpage, notifyemail, passwordauth,
       po, rename: harden against similar issues that are not believed
       to be exploitable
-  * t/passwordauth.t: new automated test for OVE-20170111-0001
+  * t/passwordauth.t: new automated test for CVE-2017-0356
   * Backport IkiWiki::Plugin::git from 3.20170110 to fix the following
     bugs, including one minor security vulnerability:
     - Security: try revert operations before approving them. Previously,
@@ -51,7 +51,7 @@ ikiwiki (3.20141016.4) UNRELEASED; urgency=high
     - d/control: add enough build-dependencies to run all tests, except for
       non-git VCSs
 
- -- Simon McVittie <smcv@debian.org>  Wed, 11 Jan 2017 15:22:38 +0000
+ -- Simon McVittie <smcv@debian.org>  Wed, 11 Jan 2017 18:18:52 +0000
 
 ikiwiki (3.20141016.3) jessie-security; urgency=high