Add CVE references for CVE-2016-9646, CVE-2016-9645

Thanks to the Debian security team for allocating these.

diff --git a/debian/changelog b/debian/changelog
index c7d1938252791ec70c5bb777ace01319b686e3f7..bc0480912add471a9ba699ef67e57f550f75e7c4 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,14 +4,15 @@ ikiwiki (3.20161220) UNRELEASED; urgency=medium
     necessary, avoiding unintended function argument injection
     analogous to CVE-2014-1572. In ikiwiki this could be used to
     forge commit metadata, but thankfully nothing more serious.
     necessary, avoiding unintended function argument injection
     analogous to CVE-2014-1572. In ikiwiki this could be used to
     forge commit metadata, but thankfully nothing more serious.

-    (OVE-20161226-0001)
-  * Security: try revert operations before approving them. Previously,
-    automatic rename detection could result in a revert writing outside
-    the wiki srcdir or altering a file that the reverting user should not be
-    able to alter, an authorization bypass. The incomplete fix released in
-    3.20161219 was not effective for git versions prior to 2.8.0rc0.
-    (CVE-2016-10026 represents the original vulnerability)
-    (OVE-20161226-0002 represents the incomplete fix released in 3.20161219)
+    (CVE-2016-9646)
+  * Security: try revert operations in a temporary working tree before
+    approving them. Previously, automatic rename detection could result in
+    a revert writing outside the wiki srcdir or altering a file that the
+    reverting user should not be able to alter, an authorization bypass.
+    (CVE-2016-10026 represents the original vulnerability.)
+    The incomplete fix released in 3.20161219 was not effective for git
+    versions prior to 2.8.0rc0.
+    (CVE-2016-9645 represents that incomplete solution.)

   * Add CVE references for CVE-2016-10026
   * Add automated test for using the CGI with git, including
     CVE-2016-10026
   * Add CVE references for CVE-2016-10026
   * Add automated test for using the CGI with git, including
     CVE-2016-10026

diff --git a/doc/security.mdwn b/doc/security.mdwn
index c08d658c84b0cc0bee96d0343a04d0ce2eead690..317a534cad8aad4f13485bc59435eeabc7672b85 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -566,7 +566,8 @@ This bug was reported on 2016-12-17. A partially fixed version
 version was not effective with git versions older than 2.8.0.
 
 ([[!cve CVE-2016-10026]] represents the original vulnerability.
 version was not effective with git versions older than 2.8.0.
 
 ([[!cve CVE-2016-10026]] represents the original vulnerability.

-OVE-20161226-0002 represents the incomplete fix in 3.20161219.)
+[[!cve CVE-2016-9645]]/OVE-20161226-0002 represents the vulnerability
+in 3.20161219 caused by the incomplete fix.)

 
 ## Commit metadata forgery via CGI::FormBuilder context-dependent APIs
 
 
 ## Commit metadata forgery via CGI::FormBuilder context-dependent APIs
 


@@ -588,4 +589,4 @@ of them relatively minor:
   could potentially forge commit authorship (attribute their edit to
   someone else) by crafting multiple values for the rcsinfo field
 
   could potentially forge commit authorship (attribute their edit to
   someone else) by crafting multiple values for the rcsinfo field
 

-(OVE-20161226-0001)
+([[!cve CVE-2016-9646]]/OVE-20161226-0001)