author Simon McVittie <smcv@debian.org> 2016-12-29 17:31:30 +0000
committer Simon McVittie <smcv@debian.org> 2016-12-29 17:36:11 +0000
commit cf0166347c1b017bba4f99f9e6bffa2eb221d933 (patch)
tree 0e88c7559601a52b39b23ada30f7585c6552555d /debian
parent 078d4208cac9fcd12f9cfc189770de68230abff7 (diff)
Add CVE references for CVE-2016-9646, CVE-2016-9645
Thanks to the Debian security team for allocating these.
Diffstat (limited to 'debian')
-rw-r--r-- debian/changelog 17
1 files changed, 9 insertions, 8 deletions
diff --git a/debian/changelog b/debian/changelog
index c7d193825..bc0480912 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,14 +4,15 @@ ikiwiki (3.20161220) UNRELEASED; urgency=medium
necessary, avoiding unintended function argument injection
analogous to CVE-2014-1572. In ikiwiki this could be used to
forge commit metadata, but thankfully nothing more serious.
- (OVE-20161226-0001)
- * Security: try revert operations before approving them. Previously,
- automatic rename detection could result in a revert writing outside
- the wiki srcdir or altering a file that the reverting user should not be
- able to alter, an authorization bypass. The incomplete fix released in
- 3.20161219 was not effective for git versions prior to 2.8.0rc0.
- (CVE-2016-10026 represents the original vulnerability)
- (OVE-20161226-0002 represents the incomplete fix released in 3.20161219)
+ (CVE-2016-9646)
+ * Security: try revert operations in a temporary working tree before
+ approving them. Previously, automatic rename detection could result in
+ a revert writing outside the wiki srcdir or altering a file that the
+ reverting user should not be able to alter, an authorization bypass.
+ (CVE-2016-10026 represents the original vulnerability.)
+ The incomplete fix released in 3.20161219 was not effective for git
+ versions prior to 2.8.0rc0.
+ (CVE-2016-9645 represents that incomplete solution.)
* Add CVE references for CVE-2016-10026
* Add automated test for using the CGI with git, including
CVE-2016-10026
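Review bot: The unchanged bullet "* Add CVE references for CVE-2016-10026" in the trailing context of this hunk now understates what the release notes record, because the hunk itself replaces the OVE-20161226-0001 and OVE-20161226-0002 identifiers with CVE-2016-9646 and CVE-2016-9645; consider widening that bullet to "* Add CVE references for CVE-2016-10026, CVE-2016-9645, CVE-2016-9646" so a reader scanning the changelog for a CVE finds every identifier this version addresses. A smaller consistency point in the same hunk: the first entry's new parenthetical is a bare "(CVE-2016-9646)", while the second entry spells out what each identifier denotes ("CVE-2016-10026 represents the original vulnerability.", "CVE-2016-9645 represents that incomplete solution."); a matching "(CVE-2016-9646 represents this function argument injection.)" form would make the three references read alike, which matters for an entry that an advisory or tracker will quote verbatim.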