Document the security fix soon to be released in 3.20170111

author: Simon McVittie <smcv@debian.org> 2017-01-11 18:16:42 +0000
committer: Simon McVittie <smcv@debian.org> 2017-01-11 18:16:42 +0000
commit: 4d0e525e6a1469a30f3b81c19a289840147463e6 (patch)
tree: 5dff8e8ac7e6092c6807ba96243175561bd67829 /debian/changelog
parent: 2486d83706a48044c88d6ffc8501a63d60d190a4 (diff)
download: ikiwiki-4d0e525e6a1469a30f3b81c19a289840147463e6.tar
ikiwiki-4d0e525e6a1469a30f3b81c19a289840147463e6.tar.gz
1 files changed, 13 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 2183ef179..36a9701d9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+ikiwiki (3.20170111) UNRELEASED; urgency=medium
+
+  * passwordauth: prevent authentication bypass via multiple name
+    parameters (CVE-2017-0356, OVE-20170111-0001)
+  * passwordauth: avoid userinfo forgery via repeated email parameter
+    (also in the scope of CVE-2017-0356)
+  * CGI, attachment, passwordauth: harden against repeated parameters
+    (not believed to have been a vulnerability)
+  * remove: make it clearer that repeated page parameter is OK here
+  * t/passwordauth.t: new automated test for passwordauth
+
+ -- Simon McVittie <smcv@debian.org>  Wed, 11 Jan 2017 18:12:05 +0000
+
 ikiwiki (3.20170110) unstable; urgency=medium
 
   [ Amitai Schleier ]
author	Simon McVittie <smcv@debian.org>	2017-01-11 18:16:42 +0000
committer	Simon McVittie <smcv@debian.org>	2017-01-11 18:16:42 +0000
commit	4d0e525e6a1469a30f3b81c19a289840147463e6 (patch)
tree	5dff8e8ac7e6092c6807ba96243175561bd67829 /debian/changelog
parent	2486d83706a48044c88d6ffc8501a63d60d190a4 (diff)
download	ikiwiki-4d0e525e6a1469a30f3b81c19a289840147463e6.tar ikiwiki-4d0e525e6a1469a30f3b81c19a289840147463e6.tar.gz