3.20161229.1~bpo8+1

[git.ikiwiki.info.git] / doc / security.mdwn

diff --git a/doc/security.mdwn b/doc/security.mdwn
index c08d658c84b0cc0bee96d0343a04d0ce2eead690..823f5ef88297fcea7b706a74cd8f6639c8ac7e6b 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -564,9 +564,12 @@ which are both used in most ikiwiki installations.
 This bug was reported on 2016-12-17. A partially fixed version
 3.20161219 was released on 2016-12-19, but the solution used in that
 version was not effective with git versions older than 2.8.0.
 This bug was reported on 2016-12-17. A partially fixed version
 3.20161219 was released on 2016-12-19, but the solution used in that
 version was not effective with git versions older than 2.8.0.

+A more complete fix was released on 2016-12-29 in version 3.20161229.
+A backport to Debian 8 'jessie' is in progress.

 
 ([[!cve CVE-2016-10026]] represents the original vulnerability.
 
 ([[!cve CVE-2016-10026]] represents the original vulnerability.

-OVE-20161226-0002 represents the incomplete fix in 3.20161219.)
+[[!cve CVE-2016-9645]]/OVE-20161226-0002 represents the vulnerability
+in 3.20161219 caused by the incomplete fix.)

 
 ## Commit metadata forgery via CGI::FormBuilder context-dependent APIs
 
 
 ## Commit metadata forgery via CGI::FormBuilder context-dependent APIs
 


@@ -588,4 +591,7 @@ of them relatively minor:
   could potentially forge commit authorship (attribute their edit to
   someone else) by crafting multiple values for the rcsinfo field
 
   could potentially forge commit authorship (attribute their edit to
   someone else) by crafting multiple values for the rcsinfo field
 

-(OVE-20161226-0001)
+This was fixed in ikiwiki 3.20161229. A backport to Debian 8
+'jessie' is in progress.
+
+([[!cve CVE-2016-9646]]/OVE-20161226-0001)