3.20161229.1~bpo8+1

[git.ikiwiki.info.git] / doc / security.mdwn

diff --git a/doc/security.mdwn b/doc/security.mdwn
index 9818e0c9429de9f2e50111ef79c467f110dc2e02..823f5ef88297fcea7b706a74cd8f6639c8ac7e6b 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -561,8 +561,15 @@ result in `policy.mdwn` being altered.
 This affects sites with the `git` VCS and the `recentchanges` plugin,
 which are both used in most ikiwiki installations.
 
 This affects sites with the `git` VCS and the `recentchanges` plugin,
 which are both used in most ikiwiki installations.
 

-This bug was reported on 2016-12-17. The fixed version 3.20161219
-was released on 2016-12-19. ([[!cve CVE-2016-10026]])
+This bug was reported on 2016-12-17. A partially fixed version
+3.20161219 was released on 2016-12-19, but the solution used in that
+version was not effective with git versions older than 2.8.0.
+A more complete fix was released on 2016-12-29 in version 3.20161229.
+A backport to Debian 8 'jessie' is in progress.
+
+([[!cve CVE-2016-10026]] represents the original vulnerability.
+[[!cve CVE-2016-9645]]/OVE-20161226-0002 represents the vulnerability
+in 3.20161219 caused by the incomplete fix.)

 
 ## Commit metadata forgery via CGI::FormBuilder context-dependent APIs
 
 
 ## Commit metadata forgery via CGI::FormBuilder context-dependent APIs
 


@@ -584,4 +591,7 @@ of them relatively minor:
   could potentially forge commit authorship (attribute their edit to
   someone else) by crafting multiple values for the rcsinfo field
 
   could potentially forge commit authorship (attribute their edit to
   someone else) by crafting multiple values for the rcsinfo field
 

-(OVE-20161226-0001)
+This was fixed in ikiwiki 3.20161229. A backport to Debian 8
+'jessie' is in progress.
+
+([[!cve CVE-2016-9646]]/OVE-20161226-0001)