From 20e3655a10ce25fde2e09f65a7f275bd16efb6d3 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 28 Jul 2016 11:30:30 +0100 Subject: [PATCH] Announce 3.20160728 --- doc/news/version_3.20150329.mdwn | 34 -------------------------------- doc/news/version_3.20160728.mdwn | 9 +++++++++ doc/security.mdwn | 10 ++++++++++ 3 files changed, 19 insertions(+), 34 deletions(-) delete mode 100644 doc/news/version_3.20150329.mdwn create mode 100644 doc/news/version_3.20160728.mdwn diff --git a/doc/news/version_3.20150329.mdwn b/doc/news/version_3.20150329.mdwn deleted file mode 100644 index 7e0d3e0bc..000000000 --- a/doc/news/version_3.20150329.mdwn +++ /dev/null @@ -1,34 +0,0 @@ -ikiwiki 3.20150329 released with [[!toggle text="these changes"]]. This is a -security update fixing a cross-site scripting vulnerability. - -[[!toggleable text=""" - [ [[Joey Hess|joey]] ] - - * Fix NULL ptr deref on ENOMEM in wrapper. (Thanks, igli) - - [ [[Simon McVittie|smcv]] ] - - * Really don't double-decode CGI submissions, even on Perl versions that - bundle an old enough Encode.pm for that not to be a problem: the - system might have a newer Encode.pm installed separately, like Fedora 20. - (Closes: [[!debbug 776181]]; thanks, Anders Kaseorg) - * If neither timezone nor TZ is set, set both to :/etc/localtime if - we're on a GNU system and that file exists, or GMT otherwise - * t/inline.t: accept translations of "Add a new post titled:" - (Closes: [[!debbug 779365]]) - * Consistently document command-line options as e.g. --refresh, not -refresh - - [ [[Amitai Schlair|schmonz]] ] - - * In VCS-committed anonymous comments, link to url. - - [ [[Joey Hess|joey]] ] - - * Fix XSS in openid selector. Thanks, Raghav Bisht. - (Closes: [[!debbug 781483]]) -"""]] - -In addition, version 3.20141016.2 was released on the same day to backport -the cross-site-scripting fix to Debian 8. - -[[!meta date="2015-03-29 22:46:39 +0100"]] 
diff --git a/doc/news/version_3.20160728.mdwn b/doc/news/version_3.20160728.mdwn new file mode 100644 index 000000000..6836a9b79 --- /dev/null +++ b/doc/news/version_3.20160728.mdwn @@ -0,0 +1,9 @@ +ikiwiki 3.20160728 released with [[!toggle text="these changes"]] +[[!toggleable text=""" + * Explicitly remove current working directory from Perl's library + search path, mitigating [[!cve CVE-2016-1238]] (see [[!debbug 588017]]) + * wrappers: allocate new environment dynamically, so we won't overrun + the array if third-party plugins add multiple environment variables. + * Standards-Version: 3.9.8 (no changes required) + +--[[smcv]]"""]] diff --git a/doc/security.mdwn b/doc/security.mdwn index 055e1d006..6d68fac00 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -531,3 +531,13 @@ resize. An upgrade is recommended for sites where an untrusted user is able to attach images. Upgrading ImageMagick to a version where CVE-2016-3714 has been fixed is also recommended, but at the time of writing no such version is available. + +## Perl CVE-2016-1238 (current working directory in search path) + +ikiwiki 3.20160728 attempts to mitigate [[!cve CVE-2016-1238]] by +removing `'.'` from the Perl library search path. An attacker with write +access to ikiwiki's current working directory could potentially use this +vulnerability to execute arbitrary Perl code. An upgrade is recommended +for sites where an untrusted user is able to attach files with arbitrary +names and/or run a setuid ikiwiki wrapper with a working directory of +their choice. -- 2.39.2
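Review bot: the hunk deleting doc/news/version_3.20150329.mdwn removes the announcement of a security update (the XSS in the openid selector, Debian bug 781483) and the only mention on this page of the 3.20141016.2 backport for Debian 8; before dropping it, confirm that doc/security.mdwn still records that XSS fix and the backported version so the upgrade advice for Debian 8 sites does not vanish with the news item, and if old announcements are routinely pruned at release time, say so in the commit message rather than leaving the deletion unexplained.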
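Review bot: the new doc/news/version_3.20160728.mdwn never states that this is a security update, unlike the 3.20150329 announcement it replaces ("This is a security update fixing ..."), even though its first item mitigates CVE-2016-1238 and its second replaces a fixed-size environment array in the wrapper that third-party plugins could overrun; put that in the opening paragraph (for example "This is a security update mitigating CVE-2016-1238.") so readers scanning the news page see it, and note whether the environment overrun was reachable without third-party plugins, since the wrapper can be setuid. The first line also lacks the trailing full stop the previous announcement had.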
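Review bot: the new "Perl CVE-2016-1238" section in doc/security.mdwn describes only ikiwiki's own mitigation (dropping `'.'` from the Perl library search path) and, unlike the ImageMagick section directly above it which also recommends upgrading ImageMagick, gives no advice to upgrade Perl, where the vulnerability actually lives; add a parallel sentence such as "Upgrading Perl to a version where CVE-2016-1238 has been fixed is also recommended", and since "attempts to mitigate" leaves the scope open, state whether the removal covers only ikiwiki's own process or also the plugins and external programs it runs, so site admins can judge whether the upgrade alone is sufficient.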