Add CVE reference

diff --git a/doc/news/version_3.20160506.mdwn b/doc/news/version_3.20160506.mdwn
index 331a48b6b2f3967f90774f30a7ba459006cb5847..6800a3022c301f19ac9fc6b521673ebd54cfd395 100644 (file)
--- a/doc/news/version_3.20160506.mdwn
+++ b/doc/news/version_3.20160506.mdwn
@@ -22,7 +22,7 @@ ikiwiki 3.20160506 released with [[!toggle text="these changes"]]
 [[!toggleable text="""
  * [ [[Simon McVittie|smcv]] ]
    * HTML-escape error messages, in one case avoiding potential cross-site
-     scripting (OVE-20160505-0012)
+     scripting ([[!cve CVE-2016-4561]], OVE-20160505-0012)
    * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714:
      - img: force common Web formats to be interpreted according to extension,
        so that "allowed\_attachments: '*.jpg'" does what one might expect

diff --git a/doc/security.mdwn b/doc/security.mdwn
index 6d4841fe6f258d25eeb077dc0a650bfd35b25422..594b7212668c75afdfcd0b6e726f782d1b700434 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -515,7 +515,7 @@ allowing an attacker to carry out cross-site scripting by directing a
 user to a URL that would result in a crafted ikiwiki error message. This
 was discovered on 4 May by the ikiwiki developers, and the fixed version
 3.20160506 was released on 6 May. An upgrade is recommended for sites using
-the CGI.
+the CGI. ([[!cve CVE-2016-4561]], OVE-20160505-0012)
 
 ## ImageMagick CVE-2016–3714 ("ImageTragick")