X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/a8c96a1418b4a4bb1f16c80d86f3ef2361b6d64b..06fce2b23888621fe87759ffa014c3920f937b7e:/doc/security.mdwn diff --git a/doc/security.mdwn b/doc/security.mdwn index 055e1d006..6d68fac00 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -531,3 +531,13 @@ resize. An upgrade is recommended for sites where an untrusted user is able to attach images. Upgrading ImageMagick to a version where CVE-2016-3714 has been fixed is also recommended, but at the time of writing no such version is available. + +## Perl CVE-2016-1238 (current working directory in search path) + +ikiwiki 3.20160728 attempts to mitigate [[!cve CVE-2016-1238]] by +removing `'.'` from the Perl library search path. An attacker with write +access to ikiwiki's current working directory could potentially use this +vulnerability to execute arbitrary Perl code. An upgrade is recommended +for sites where an untrusted user is able to attach files with arbitrary +names and/or run a setuid ikiwiki wrapper with a working directory of +their choice.
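Review bot: The new section says ikiwiki 3.20160728 "attempts to mitigate" the issue by removing `'.'` from the Perl library search path, but does not say where that removal happens or what it leaves uncovered; a reader deciding whether to upgrade needs to know that modules loaded before the search path is adjusted (for example by the setuid wrapper or by Perl itself at startup) are not protected by this change, and that only a Perl build that no longer puts `'.'` in `@INC` closes the hole fully. The surrounding document already uses this pattern for the ImageMagick section ("Upgrading ImageMagick to a version where CVE-2016-3714 has been fixed is also recommended"), so consider adding a parallel sentence such as "Upgrading Perl to a version where CVE-2016-1238 has been fixed is also recommended." after "execute arbitrary Perl code.", and stating explicitly that the ikiwiki change is a partial mitigation rather than a fix. The two trigger conditions in the last sentence ("attach files with arbitrary names" and "run a setuid ikiwiki wrapper with a working directory of their choice") would also read more clearly if the section first said what the attacker needs in both cases, namely write access to whatever directory ikiwiki runs in, since that is the precondition the first paragraph introduces.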