X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/341296184dc486f39c3627dbac73f5b4003adbb4..062e316a9a7313da0955061eeb06e13780257430:/doc/news/version_2.48.mdwn

diff --git a/doc/news/version_2.48.mdwn b/doc/news/version_2.48.mdwn
index c5e0e830d..76dbd7ddc 100644
--- a/doc/news/version_2.48.mdwn
+++ b/doc/news/version_2.48.mdwn
@@ -1,8 +1,10 @@
+**This release fixes an important security hole, upgrade immediately.**
+
 News for ikiwiki 2.48:
 
    If you allowed password based logins to your wiki, those passwords were
    stored in cleartext in the userdb. To guard against exposing users'
-   passwords, I recommend you install the Authen::Passphrase perl module, and
+   passwords, I recommend you install the [[cpan Authen::Passphrase]] perl module, and
    then run `ikiwiki-transition hashpassword /path/to/srcdir` to replace all
    existing cleartext passwords with strong (blowfish) hashes.
 
@@ -11,6 +13,7 @@ ikiwiki 2.48 released with [[toggle text="these changes"]]
    * Fix security hole that occurred if openid and passwordauth were both
      enabled. passwordauth would allow logging in as a known openid, with an
      empty password. Closes: #[483770](http://bugs.debian.org/483770)
+     (CVE-2008-0169)
    * Add rel=nofollow to edit links. This may prevent some spiders from
      pounding on the cgi following edit links.
    * passwordauth: If Authen::Passphrase is installed, use it to store
@@ -21,4 +24,4 @@ ikiwiki 2.48 released with [[toggle text="these changes"]]
    * The password\_cost config setting is provided as a "more security" knob.
    * teximg: Fix logurl.
    * teximg: If the log isn't written, avoid ugly error messages.
-   * Updated French translation. Closes: #[478530](http://bugs.debian.org/478530)"""]]
\ No newline at end of file
+   * Updated French translation. Closes: #[478530](http://bugs.debian.org/478530)"""]]