X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/7586f5165e36ca010d14ad87202ad923ca63144b..3e1d1ec36a8a5e128fafd2d5b3983df82f1875e7:/doc/security.mdwn diff --git a/doc/security.mdwn b/doc/security.mdwn index a538a49fe..e7770dd27 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -564,8 +564,8 @@ which are both used in most ikiwiki installations. This bug was reported on 2016-12-17. A partially fixed version 3.20161219 was released on 2016-12-19, but the solution used in that version was not effective with git versions older than 2.8.0. -A more complete fix was released on 2016-12-29 in version 3.20161229. -A backport to Debian 8 'jessie' is in progress. +A more complete fix was released on 2016-12-29 in version 3.20161229, +with fixes backported to Debian 8 in version 3.20141016.4. ([[!debcve CVE-2016-10026]] represents the original vulnerability. [[!debcve CVE-2016-9645]]/OVE-20161226-0002 represents the vulnerability @@ -591,7 +591,23 @@ of them relatively minor: could potentially forge commit authorship (attribute their edit to someone else) by crafting multiple values for the rcsinfo field -This was fixed in ikiwiki 3.20161229. A backport to Debian 8 -'jessie' is in progress. +This was fixed in ikiwiki 3.20161229, with fixes backported to Debian 8 +in version 3.20141016.4. ([[!debcve CVE-2016-9646]]/OVE-20161226-0001) + +## Authentication bypass via repeated parameters + +The ikiwiki maintainers discovered further flaws similar to CVE-2016-9646 +in the passwordauth plugin's use of CGI::FormBuilder, with a more +serious impact: + +* An attacker who can log in to a site with a password can log in + as a different and potentially more privileged user. +* An attacker who can create a new account can set arbitrary fields + in the user database for that account. + +This was fixed in ikiwiki 3.20170111, with fixes backported to Debian 8 +in version 3.20141016.4. + +([[!debcve CVE-2017-0356]]/OVE-20170111-0001)
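Review bot: in the first hunk (@@ -564,8 +564,8 @@) the replacement line drops the 'jessie' codename that the removed line carried, and "3.20141016.4" is a Debian package version rather than an upstream ikiwiki release number, so a reader scanning the upstream release list will not find it. Suggest keeping the codename and naming the version as a package version, e.g. `with fixes backported to Debian 8 'jessie' in package version 3.20141016.4.`, so the line can be matched against the jessie archive without guessing.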
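Review bot: in the second hunk (@@ -591,7 +591,23 @@) the new "Authentication bypass via repeated parameters" section gives no report or disclosure date, whereas the surrounding entries date each issue (the first hunk's context reads "This bug was reported on 2016-12-17"); add the date the maintainers found the flaw and, if known, when it was disclosed. The section also says the flaw is in "the passwordauth plugin's use of CGI::FormBuilder" but never states the mechanism the heading promises or the scope: say which request parameter is repeated, in the style of the preceding bullet ("by crafting multiple values for the rcsinfo field"), and state explicitly whether sites with the passwordauth plugin disabled are unaffected, since the two impact bullets ("An attacker who can log in to a site with a password...", "An attacker who can create a new account...") are what an administrator will use to decide whether to upgrade urgently. As in the first hunk, the backport sentence should name the codename and mark 3.20141016.4 as a Debian package version.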