+ikiwiki (3.20161220) UNRELEASED; urgency=medium
+
+ * Add CVE references for CVE-2016-10026
+
+ -- Simon McVittie <smcv@debian.org> Wed, 21 Dec 2016 13:03:07 +0000
+
ikiwiki (3.20161219) unstable; urgency=medium
[ Joey Hess ]
* Security: tell `git revert` not to follow renames. If it does, then
renaming a file can result in a revert writing outside the wiki srcdir
or altering a file that the reverting user should not be able to alter,
- an authorization bypass. Thanks, intrigeri
+ an authorization bypass. Thanks, intrigeri. (CVE-2016-10026)
* cgitemplate: remove some dead code. Thanks, blipvert
* Restrict CSS matches against header class to not break
Pandoc tables with header rows. Thanks, karsk
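Review bot: the new 3.20161220 entry at the top reads only "Add CVE references for CVE-2016-10026", so a reader of that entry alone cannot tell which fix the identifier belongs to or that the text of the already released 3.20161219 entry was amended. Consider wording it so it names the `git revert` rename issue and the version that fixed it, for example "Add CVE-2016-10026 reference for the git revert authorization bypass fixed in 3.20161219".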
> I tried to do something more clever (doing the revert, and checking
> whether it made changes that aren't allowed) but couldn't get it to
> work in a reasonable time, so I'm going with the simpler fix.
-> [[Fix committed|done]], a release will follow later today. --[[smcv]]
+> [[Fix committed|done]], a release will follow later today.
+>
+> [[!cve CVE-2016-10026]] has been assigned to this vulnerability.
+> --[[smcv]]
>> You rock, thanks a lot! --[[intrigeri]]
* Security: tell `git revert` not to follow renames. If it does, then
renaming a file can result in a revert writing outside the wiki srcdir
or altering a file that the reverting user should not be able to alter,
- an authorization bypass. Thanks, intrigeri
+ an authorization bypass. Thanks, intrigeri. ([[!cve CVE-2016-10026]])
* cgitemplate: remove some dead code. Thanks, blipvert
* Restrict CSS matches against header class to not break
Pandoc tables with header rows. Thanks, karsk
- * Make pagestats output more deterministic. Thanks, intrigeri"""]]
\ No newline at end of file
+ * Make pagestats output more deterministic. Thanks, intrigeri"""]]
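Review bot: the last changed line of this hunk ("Make pagestats output more deterministic") differs only by gaining the trailing newline that the removed side lacked ("\ No newline at end of file"), which is unrelated to the CVE reference. Either mention the whitespace fix in the commit message or split it out, so that anyone auditing CVE-2016-10026 changes does not have to work out why the pagestats line appears in the diff.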
which are both used in most ikiwiki installations.
This bug was reported on 2016-12-17. The fixed version 3.20161219
-was released on 2016-12-19.
+was released on 2016-12-19. ([[!cve CVE-2016-10026]])
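Review bot: in the last line of this hunk the reference is appended after "was released on 2016-12-19.", so it reads as a note on the release date rather than as the identifier of the vulnerability. Consider attaching it to the sentence that describes the issue, or giving it its own sentence as the bug page does ("[[!cve CVE-2016-10026]] has been assigned to this vulnerability."), so the advisory text on this page matches the wording used elsewhere in the commit.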