X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/c1120bbbe8fdea20cf64fa12247f4f4a4006c834..33b39968948f2dcda5c073916d797259e441d1de:/doc/security.mdwn diff --git a/doc/security.mdwn b/doc/security.mdwn index 9818e0c94..317a534ca 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -561,8 +561,13 @@ result in `policy.mdwn` being altered. This affects sites with the `git` VCS and the `recentchanges` plugin, which are both used in most ikiwiki installations. -This bug was reported on 2016-12-17. The fixed version 3.20161219 -was released on 2016-12-19. ([[!cve CVE-2016-10026]]) +This bug was reported on 2016-12-17. A partially fixed version +3.20161219 was released on 2016-12-19, but the solution used in that +version was not effective with git versions older than 2.8.0. + +([[!cve CVE-2016-10026]] represents the original vulnerability. +[[!cve CVE-2016-9645]]/OVE-20161226-0002 represents the vulnerability +in 3.20161219 caused by the incomplete fix.) ## Commit metadata forgery via CGI::FormBuilder context-dependent APIs @@ -584,4 +589,4 @@ of them relatively minor: could potentially forge commit authorship (attribute their edit to someone else) by crafting multiple values for the rcsinfo field -(OVE-20161226-0001) +([[!cve CVE-2016-9646]]/OVE-20161226-0001)
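Review bot: the rewritten paragraph in the first hunk (the lines beginning `+This bug was reported on 2016-12-17. A partially fixed version`) says the 3.20161219 fix is not effective with git versions older than 2.8.0, but it never names the ikiwiki release that completes the fix, so a reader running an older git cannot tell what to upgrade to; add the fully fixed version and its release date alongside the `[[!cve CVE-2016-9645]]/OVE-20161226-0002` identifier, or state explicitly that no complete fix has been released yet. The unchanged context sentence `This affects sites with the `git` VCS and the `recentchanges` plugin` should also mention the git 2.8.0 dependency, since that is now part of the affected-configuration summary.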