X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/c1120bbbe8fdea20cf64fa12247f4f4a4006c834..c142dba356b757facd6684a99623c58430b7221e:/doc/security.mdwn?ds=inline diff --git a/doc/security.mdwn b/doc/security.mdwn index 9818e0c94..823f5ef88 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -561,8 +561,15 @@ result in `policy.mdwn` being altered. This affects sites with the `git` VCS and the `recentchanges` plugin, which are both used in most ikiwiki installations. -This bug was reported on 2016-12-17. The fixed version 3.20161219 -was released on 2016-12-19. ([[!cve CVE-2016-10026]]) +This bug was reported on 2016-12-17. A partially fixed version +3.20161219 was released on 2016-12-19, but the solution used in that +version was not effective with git versions older than 2.8.0. +A more complete fix was released on 2016-12-29 in version 3.20161229. +A backport to Debian 8 'jessie' is in progress. + +([[!cve CVE-2016-10026]] represents the original vulnerability. +[[!cve CVE-2016-9645]]/OVE-20161226-0002 represents the vulnerability +in 3.20161219 caused by the incomplete fix.) ## Commit metadata forgery via CGI::FormBuilder context-dependent APIs @@ -584,4 +591,7 @@ of them relatively minor: could potentially forge commit authorship (attribute their edit to someone else) by crafting multiple values for the rcsinfo field -(OVE-20161226-0001) +This was fixed in ikiwiki 3.20161229. A backport to Debian 8 +'jessie' is in progress. + +([[!cve CVE-2016-9646]]/OVE-20161226-0001)