+ikiwiki (3.20141016.4) UNRELEASED; urgency=high
+
+ * Reference CVE-2016-4561 in 3.20141016.3 changelog
+ * Security: force CGI::FormBuilder->field to scalar context where
+ necessary, avoiding unintended function argument injection
+ analogous to CVE-2014-1572.
+ - passwordauth: prevent authentication bypass via multiple name
+ parameters (OVE-20170111-0001)
+ - passwordauth: prevent userinfo forgery via repeated email
+ parameter (OVE-20170111-0001)
+ - comments, editpage: prevent commit metadata forgery
+ (CVE-2016-9646, OVE-20161226-0001)
+ - CGI, attachment, comments, editpage, notifyemail, passwordauth,
+ po, rename: harden against similar issues that are not believed
+ to be exploitable
+ * t/passwordauth.t: new automated test for OVE-20170111-0001
+
+ -- Simon McVittie <smcv@debian.org> Wed, 11 Jan 2017 15:22:38 +0000
+