Clarify which versions of ikiwiki fixed CVE-2016-9645, -9646

author Simon McVittie <smcv@debian.org>

Thu, 29 Dec 2016 20:08:49 +0000 (20:08 +0000)

committer Simon McVittie <smcv@debian.org>

Thu, 29 Dec 2016 20:08:49 +0000 (20:08 +0000)
author Simon McVittie <smcv@debian.org>
Thu, 29 Dec 2016 20:08:49 +0000 (20:08 +0000)
committer Simon McVittie <smcv@debian.org>
Thu, 29 Dec 2016 20:08:49 +0000 (20:08 +0000)
diff --git a/doc/security.mdwn b/doc/security.mdwn

index 317a534cad8aad4f13485bc59435eeabc7672b85..823f5ef88297fcea7b706a74cd8f6639c8ac7e6b 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -564,6 +564,8 @@ which are both used in most ikiwiki installations.
  This bug was reported on 2016-12-17. A partially fixed version
  3.20161219 was released on 2016-12-19, but the solution used in that
  version was not effective with git versions older than 2.8.0.
+A more complete fix was released on 2016-12-29 in version 3.20161229.
+A backport to Debian 8 'jessie' is in progress.
  
  ([[!cve CVE-2016-10026]] represents the original vulnerability.
  [[!cve CVE-2016-9645]]/OVE-20161226-0002 represents the vulnerability
@@ -589,4 +591,7 @@ of them relatively minor:
    could potentially forge commit authorship (attribute their edit to
    someone else) by crafting multiple values for the rcsinfo field
  
+This was fixed in ikiwiki 3.20161229. A backport to Debian 8
+'jessie' is in progress.
+
  ([[!cve CVE-2016-9646]]/OVE-20161226-0001)
author	Simon McVittie <smcv@debian.org>
	Thu, 29 Dec 2016 20:08:49 +0000 (20:08 +0000)
committer	Simon McVittie <smcv@debian.org>
	Thu, 29 Dec 2016 20:08:49 +0000 (20:08 +0000)