Document the security fix soon to be released in 3.20170111

diff --git a/debian/changelog b/debian/changelog
index 2183ef17994a07794ad5bb859f639faaaa2fba6e..36a9701d9aea9d29799d53a73af328c5aac76fd5 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+ikiwiki (3.20170111) UNRELEASED; urgency=medium
+
+  * passwordauth: prevent authentication bypass via multiple name
+    parameters (CVE-2017-0356, OVE-20170111-0001)
+  * passwordauth: avoid userinfo forgery via repeated email parameter
+    (also in the scope of CVE-2017-0356)
+  * CGI, attachment, passwordauth: harden against repeated parameters
+    (not believed to have been a vulnerability)
+  * remove: make it clearer that repeated page parameter is OK here
+  * t/passwordauth.t: new automated test for passwordauth
+
+ -- Simon McVittie <smcv@debian.org>  Wed, 11 Jan 2017 18:12:05 +0000
+

 ikiwiki (3.20170110) unstable; urgency=medium
 
   [ Amitai Schleier ]
 ikiwiki (3.20170110) unstable; urgency=medium
 
   [ Amitai Schleier ]

diff --git a/doc/security.mdwn b/doc/security.mdwn
index a538a49feb4e454e9e4a7c54c007725b0359b73b..5c54031a86ae403198a0591a67f20e74c73142df 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -591,7 +591,23 @@ of them relatively minor:
   could potentially forge commit authorship (attribute their edit to
   someone else) by crafting multiple values for the rcsinfo field
 
   could potentially forge commit authorship (attribute their edit to
   someone else) by crafting multiple values for the rcsinfo field
 

-This was fixed in ikiwiki 3.20161229. A backport to Debian 8
-'jessie' is in progress.
+This was fixed in ikiwiki 3.20161229, with fixes backported to Debian 8
+in version 3.20141016.4.

 
 ([[!debcve CVE-2016-9646]]/OVE-20161226-0001)
 
 ([[!debcve CVE-2016-9646]]/OVE-20161226-0001)

+
+## <span id="cve-2017-0356">Authentication bypass via repeated parameters</span>
+
+The ikiwiki maintainers discovered further flaws similar 2016-9646
+in the passwordauth plugin's use of CGI::FormBuilder, with a more
+serious impact:
+
+* An attacker who can log in to a site with a password can log in
+  as a different and potentially more privileged user.
+* An attacker who can create a new account can set arbitrary fields
+  in the user database for that account.
+
+This was fixed in ikiwiki 3.20170111, with fixes backported to Debian 8
+in version 3.20141016.4.
+
+([[!debcve CVE-2017-0356]]/OVE-20170111-0001)