From: Simon McVittie <smcv@debian.org>
Date: Wed, 11 Jan 2017 14:57:55 +0000 (+0000)
Subject: Update changelog
X-Git-Tag: debian/3.20141016.4~36
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/4cd59e4d8b17a96edfb65c6ebbaeff507afb0f66

Update changelog
---

diff --git a/debian/changelog b/debian/changelog
index 5dd17a958..4cedb1e80 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+ikiwiki (3.20141016.4) UNRELEASED; urgency=high
+
+  * Reference CVE-2016-4561 in 3.20141016.3 changelog
+  * Security: force CGI::FormBuilder->field to scalar context where
+    necessary, avoiding unintended function argument injection
+    analogous to CVE-2014-1572.
+    - passwordauth: prevent authentication bypass via multiple name
+      parameters (OVE-20170111-0001)
+    - passwordauth: prevent userinfo forgery via repeated email
+      parameter (OVE-20170111-0001)
+    - comments, editpage: prevent commit metadata forgery
+      (CVE-2016-9646, OVE-20161226-0001)
+    - CGI, attachment, comments, editpage, notifyemail, passwordauth,
+      po, rename: harden against similar issues that are not believed
+      to be exploitable
+  * t/passwordauth.t: new automated test for OVE-20170111-0001
+
+ -- Simon McVittie <smcv@debian.org>  Wed, 11 Jan 2017 15:22:38 +0000
+
 ikiwiki (3.20141016.3) jessie-security; urgency=high
 
   [ Simon McVittie ]