X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/a8a7462382ff235086743f06a92a9ab9100083b4..2e15a490067991448c3b65323ad9ecdc774dbfe4:/doc/security.mdwn diff --git a/doc/security.mdwn b/doc/security.mdwn index c08d658c8..823f5ef88 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -564,9 +564,12 @@ which are both used in most ikiwiki installations. This bug was reported on 2016-12-17. A partially fixed version 3.20161219 was released on 2016-12-19, but the solution used in that version was not effective with git versions older than 2.8.0. +A more complete fix was released on 2016-12-29 in version 3.20161229. +A backport to Debian 8 'jessie' is in progress. ([[!cve CVE-2016-10026]] represents the original vulnerability. -OVE-20161226-0002 represents the incomplete fix in 3.20161219.) +[[!cve CVE-2016-9645]]/OVE-20161226-0002 represents the vulnerability +in 3.20161219 caused by the incomplete fix.) ## Commit metadata forgery via CGI::FormBuilder context-dependent APIs @@ -588,4 +591,7 @@ of them relatively minor: could potentially forge commit authorship (attribute their edit to someone else) by crafting multiple values for the rcsinfo field -(OVE-20161226-0001) +This was fixed in ikiwiki 3.20161229. A backport to Debian 8 +'jessie' is in progress. + +([[!cve CVE-2016-9646]]/OVE-20161226-0001)
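Review bot: In the first hunk (doc/security.mdwn, around line 564), the added sentence "A more complete fix was released on 2016-12-29 in version 3.20161229." does not say whether 3.20161229 is effective with git versions older than 2.8.0, which is the exact limitation the preceding sentence gives for 3.20161219. "More complete" leaves readers on older git unsure whether upgrading is sufficient, so state it explicitly. The line "A backport to Debian 8 'jessie' is in progress." will also go stale in a security advisory page; plan to replace it with the fixed package version once one exists.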
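Review bot: In the second hunk (around line 591), "This was fixed in ikiwiki 3.20161229." has an unclear antecedent. The section introduces several consequences ("of them relatively minor:") and the sentence follows the last one, so a reader cannot tell whether the fix covers every listed consequence or only the commit authorship forgery through the rcsinfo field. Name what was fixed, for example the CGI::FormBuilder issue as a whole, so the scope of 3.20161229 is unambiguous next to the CVE-2016-9646/OVE-20161226-0001 reference.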