X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/706bf876eab25158d34558fc2b0b0979a3dedcbf..2cab8880ad61f9d134b56c5eed952c1a48f4ea8a:/doc/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed.mdwn diff --git a/doc/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed.mdwn b/doc/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed.mdwn index 8ac62e554..e7f3c6925 100644 --- a/doc/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed.mdwn +++ b/doc/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed.mdwn @@ -12,3 +12,21 @@ will automatically detect that the file affected by the to-be-reverted commit has moved, and modify the file in its new location when reverting. +> Working on it. In future please report non-public security +> vulnerabilities (such as authorization bypass) by private email to the +> maintainers, so that they are not visible to the general public +> until we have had a chance to fix the bug. --[[smcv]] + +>> Sorry about that, I should clearly know better :/ --[[intrigeri]] + +> Fixed by using +> `git revert --strategy=recursive --strategy-option=no-renames`. +> I tried to do something more clever (doing the revert, and checking +> whether it made changes that aren't allowed) but couldn't get it to +> work in a reasonable time, so I'm going with the simpler fix. +> [[Fix committed|done]], a release will follow later today. +> +> [[!cve CVE-2016-10026]] has been assigned to this vulnerability. +> --[[smcv]] + +>> You rock, thanks a lot! --[[intrigeri]]
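Review bot: In the added "Fixed by using" paragraph, "a release will follow later today" is relative wording with no date or version, and neither the fixing commit nor the release is identified, so a reader arriving from the CVE-2016-10026 reference cannot tell from this page which versions carry the fix. Suggest replacing that phrase with the release version once it exists and pointing at the commit. The same paragraph records that the post-revert check for disallowed changes was abandoned; it would be worth stating explicitly that the authorization check therefore relies on `--strategy=recursive --strategy-option=no-renames` keeping the revert confined to the original paths, so anyone who later changes the revert invocation knows that option is security-relevant.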