X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/4d0e525e6a1469a30f3b81c19a289840147463e6..1d96095af7009e97203c12451caaa9f4efaf10a2:/doc/security.mdwn diff --git a/doc/security.mdwn b/doc/security.mdwn index 5c54031a8..e7770dd27 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -564,8 +564,8 @@ which are both used in most ikiwiki installations. This bug was reported on 2016-12-17. A partially fixed version 3.20161219 was released on 2016-12-19, but the solution used in that version was not effective with git versions older than 2.8.0. -A more complete fix was released on 2016-12-29 in version 3.20161229. -A backport to Debian 8 'jessie' is in progress. +A more complete fix was released on 2016-12-29 in version 3.20161229, +with fixes backported to Debian 8 in version 3.20141016.4. ([[!debcve CVE-2016-10026]] represents the original vulnerability. [[!debcve CVE-2016-9645]]/OVE-20161226-0002 represents the vulnerability @@ -598,7 +598,7 @@ in version 3.20141016.4. ## Authentication bypass via repeated parameters -The ikiwiki maintainers discovered further flaws similar 2016-9646 +The ikiwiki maintainers discovered further flaws similar to CVE-2016-9646 in the passwordauth plugin's use of CGI::FormBuilder, with a more serious impact: