X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/341296184dc486f39c3627dbac73f5b4003adbb4..c19fa8fbb0349ba899a30bb167144cb497652a95:/doc/news/version_2.48.mdwn diff --git a/doc/news/version_2.48.mdwn b/doc/news/version_2.48.mdwn index c5e0e830d..76dbd7ddc 100644 --- a/doc/news/version_2.48.mdwn +++ b/doc/news/version_2.48.mdwn @@ -1,8 +1,10 @@ +**This release fixes an important security hole, upgrade immediately.** + News for ikiwiki 2.48: If you allowed password based logins to your wiki, those passwords were stored in cleartext in the userdb. To guard against exposing users' - passwords, I recommend you install the Authen::Passphrase perl module, and + passwords, I recommend you install the [[cpan Authen::Passphrase]] perl module, and then run `ikiwiki-transition hashpassword /path/to/srcdir` to replace all existing cleartext passwords with strong (blowfish) hashes. @@ -11,6 +13,7 @@ ikiwiki 2.48 released with [[toggle text="these changes"]] * Fix security hole that occurred if openid and passwordauth were both enabled. passwordauth would allow logging in as a known openid, with an empty password. Closes: #[483770](http://bugs.debian.org/483770) + (CVE-2008-0169) * Add rel=nofollow to edit links. This may prevent some spiders from pounding on the cgi following edit links. * passwordauth: If Authen::Passphrase is installed, use it to store @@ -21,4 +24,4 @@ ikiwiki 2.48 released with [[toggle text="these changes"]] * The password\_cost config setting is provided as a "more security" knob. * teximg: Fix logurl. * teximg: If the log isn't written, avoid ugly error messages. - * Updated French translation. Closes: #[478530](http://bugs.debian.org/478530)"""]] \ No newline at end of file + * Updated French translation. Closes: #[478530](http://bugs.debian.org/478530)"""]]