Clarify which versions of ikiwiki fixed CVE-2016-9645, -9646

diff --git a/doc/security.mdwn b/doc/security.mdwn
index 317a534cad8aad4f13485bc59435eeabc7672b85..823f5ef88297fcea7b706a74cd8f6639c8ac7e6b 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -564,6 +564,8 @@ which are both used in most ikiwiki installations.
 This bug was reported on 2016-12-17. A partially fixed version
 3.20161219 was released on 2016-12-19, but the solution used in that
 version was not effective with git versions older than 2.8.0.
 This bug was reported on 2016-12-17. A partially fixed version
 3.20161219 was released on 2016-12-19, but the solution used in that
 version was not effective with git versions older than 2.8.0.

+A more complete fix was released on 2016-12-29 in version 3.20161229.
+A backport to Debian 8 'jessie' is in progress.

 
 ([[!cve CVE-2016-10026]] represents the original vulnerability.
 [[!cve CVE-2016-9645]]/OVE-20161226-0002 represents the vulnerability
 
 ([[!cve CVE-2016-10026]] represents the original vulnerability.
 [[!cve CVE-2016-9645]]/OVE-20161226-0002 represents the vulnerability


@@ -589,4 +591,7 @@ of them relatively minor:
   could potentially forge commit authorship (attribute their edit to
   someone else) by crafting multiple values for the rcsinfo field
 
   could potentially forge commit authorship (attribute their edit to
   someone else) by crafting multiple values for the rcsinfo field
 

+This was fixed in ikiwiki 3.20161229. A backport to Debian 8
+'jessie' is in progress.
+

 ([[!cve CVE-2016-9646]]/OVE-20161226-0001)
 ([[!cve CVE-2016-9646]]/OVE-20161226-0001)