changelog: sort user-visible changes before packaging and test fixes

[git.ikiwiki.info.git] / doc / security.mdwn

diff --git a/doc/security.mdwn b/doc/security.mdwn
index afefd1bc300eb4d18811c42f72931d9dfd7b7860..d5a0266cdce5638cd437c4d79cb58592f886bc01 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -497,3 +497,12 @@ Raúl Benencia discovered an additional XSS exposure in the meta plugin.
 This hole was discovered on 16 May 2012 and fixed the same day with
 the release of ikiwiki 3.20120516. A fix was backported to Debian squeeze,
 as version 3.20100815.9. An upgrade is recommended for all sites.
 This hole was discovered on 16 May 2012 and fixed the same day with
 the release of ikiwiki 3.20120516. A fix was backported to Debian squeeze,
 as version 3.20100815.9. An upgrade is recommended for all sites.

+
+## XSS via openid selector
+
+Raghav Bisht discovered this XSS in the openid selector. ([[!cve CVE-2015-2793]])
+
+The hole was reported on March 24th, a fix was developed on March 27th,
+and the fixed version 3.20150329 was released on the 29th. A fix was backported
+to Debian jessie as version 3.20141016.2 and to Debian wheezy as version
+3.20120629.2. An upgrade is recommended for sites using CGI and openid.