X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/e193c75b7dd67cee731570c321a121cf79cb3c23..c1120bbbe8fdea20cf64fa12247f4f4a4006c834:/debian/changelog

diff --git a/debian/changelog b/debian/changelog
index 86d06bdc6..ccf830b27 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,10 @@
 ikiwiki (3.20161220) UNRELEASED; urgency=medium
 
+  * Security: force CGI::FormBuilder->field to scalar context where
+    necessary, avoiding unintended function argument injection
+    analogous to CVE-2014-1572. In ikiwiki this could be used to
+    forge commit metadata, but thankfully nothing more serious.
+    (OVE-20161226-0001)
   * Add CVE references for CVE-2016-10026
   * Add missing ikiwiki.setup for the manual test for CVE-2016-10026
   * git: don't issue a warning if the rcsinfo CGI parameter is undefined