X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/c7a4d5777261f0cad1e57d5b16788caaf0f74850..60cb2ac458dc8dea3b6a72abe52dcb1cd05617a4:/debian/changelog

diff --git a/debian/changelog b/debian/changelog
index 2183ef179..a92e3711e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,28 @@
+ikiwiki (3.20170112) UNRELEASED; urgency=medium
+
+  * t/git-cgi.t: Wait 1 second before doing a revert that should work.
+    This hopefully fixes a race condition in which the test failed
+    around 6% of the time. (Closes: 862494)
+  * Guard against set-but-empty REMOTE_USER CGI variable on
+    misconfigured nginx servers, and in general treat sessions with
+    a set-but-empty name as if they were not signed in.
+  * When the CGI fails, print the error to stderr, not "Died"
+
+ -- Simon McVittie <smcv@debian.org>  Sun, 14 May 2017 15:34:52 +0100
+
+ikiwiki (3.20170111) unstable; urgency=high
+
+  * passwordauth: prevent authentication bypass via multiple name
+    parameters (CVE-2017-0356, OVE-20170111-0001)
+  * passwordauth: avoid userinfo forgery via repeated email parameter
+    (also in the scope of CVE-2017-0356)
+  * CGI, attachment, passwordauth: harden against repeated parameters
+    (not believed to have been a vulnerability)
+  * remove: make it clearer that repeated page parameter is OK here
+  * t/passwordauth.t: new automated test for passwordauth
+
+ -- Simon McVittie <smcv@debian.org>  Wed, 11 Jan 2017 18:16:53 +0000
+
 ikiwiki (3.20170110) unstable; urgency=medium
 
   [ Amitai Schleier ]