X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/c7a4d5777261f0cad1e57d5b16788caaf0f74850..8b54ba7ad14af13f82842968c09f91d7b49b2f86:/debian/changelog

diff --git a/debian/changelog b/debian/changelog
index 2183ef179..14045a961 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+ikiwiki (3.20170111) unstable; urgency=high
+
+  * passwordauth: prevent authentication bypass via multiple name
+    parameters (CVE-2017-0356, OVE-20170111-0001)
+  * passwordauth: avoid userinfo forgery via repeated email parameter
+    (also in the scope of CVE-2017-0356)
+  * CGI, attachment, passwordauth: harden against repeated parameters
+    (not believed to have been a vulnerability)
+  * remove: make it clearer that repeated page parameter is OK here
+  * t/passwordauth.t: new automated test for passwordauth
+
+ -- Simon McVittie <smcv@debian.org>  Wed, 11 Jan 2017 18:16:53 +0000
+
 ikiwiki (3.20170110) unstable; urgency=medium
 
   [ Amitai Schleier ]