author: Simon McVittie <smcv@debian.org> 2017-01-09 14:11:18 +0000
committer: Simon McVittie <smcv@debian.org> 2017-01-09 14:11:18 +0000
commit: 7586f5165e36ca010d14ad87202ad923ca63144b
tree: 0065527118f80a19afa2d94ba371f3b12b6267c6 /doc/news
parent: 9e03c002028b8187780835bdc58794a47e2dbdba
news: Use Debian security tracker instead of MITRE for CVE references
The Debian security tracker gets timely updates, whereas the official CVE pages hosted by MITRE tend to show up as "RESERVED" for several weeks or months after assignment.
Diffstat (limited to 'doc/news')
-rw-r--r-- doc/news/version_3.20160728.mdwn 2
-rw-r--r-- doc/news/version_3.20161219.mdwn 2
-rw-r--r-- doc/news/version_3.20161229.mdwn 8
3 files changed, 6 insertions, 6 deletions
diff --git a/doc/news/version_3.20160728.mdwn b/doc/news/version_3.20160728.mdwn
index 6836a9b79..88baddca2 100644
--- a/doc/news/version_3.20160728.mdwn
+++ b/doc/news/version_3.20160728.mdwn
@@ -1,7 +1,7 @@
ikiwiki 3.20160728 released with [[!toggle text="these changes"]]
[[!toggleable text="""
* Explicitly remove current working directory from Perl's library
- search path, mitigating [[!cve CVE-2016-1238]] (see [[!debbug 588017]])
+ search path, mitigating [[!debcve CVE-2016-1238]] (see [[!debbug 588017]])
* wrappers: allocate new environment dynamically, so we won't overrun
the array if third-party plugins add multiple environment variables.
* Standards-Version: 3.9.8 (no changes required)
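Review bot: the replacement line `search path, mitigating [[!debcve CVE-2016-1238]] (see [[!debbug 588017]])` relies on a `debcve` shortcut whose definition is not part of this patch, which per the diffstat only touches doc/news. Please confirm the shortcut is already defined on the wiki's shortcuts page (or add it earlier in the series), otherwise this link and the five others changed in this commit will not resolve to the Debian security tracker.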
diff --git a/doc/news/version_3.20161219.mdwn b/doc/news/version_3.20161219.mdwn
index b03900972..e4f32db9e 100644
--- a/doc/news/version_3.20161219.mdwn
+++ b/doc/news/version_3.20161219.mdwn
@@ -7,7 +7,7 @@ ikiwiki 3.20161219 released with [[!toggle text="these changes"]]
* Security: tell `git revert` not to follow renames. If it does, then
renaming a file can result in a revert writing outside the wiki srcdir
or altering a file that the reverting user should not be able to alter,
- an authorization bypass. Thanks, intrigeri. ([[!cve CVE-2016-10026]])
+ an authorization bypass. Thanks, intrigeri. ([[!debcve CVE-2016-10026]])
* cgitemplate: remove some dead code. Thanks, blipvert
* Restrict CSS matches against header class to not break
Pandoc tables with header rows. Thanks, karsk
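Review bot: the changed line `an authorization bypass. Thanks, intrigeri. ([[!debcve CVE-2016-10026]])` still presents this release as fixing CVE-2016-10026, while the 3.20161229 notes touched by this same patch state that the fix released in 3.20161219 was incomplete for git versions prior to 2.8.0rc0 (CVE-2016-9645). Since the line is being edited anyway, consider adding a short pointer to the 3.20161229 entry so a reader who lands here does not assume 3.20161219 is sufficient.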
diff --git a/doc/news/version_3.20161229.mdwn b/doc/news/version_3.20161229.mdwn
index 7d96cedb9..365cb69d1 100644
--- a/doc/news/version_3.20161229.mdwn
+++ b/doc/news/version_3.20161229.mdwn
@@ -2,17 +2,17 @@ ikiwiki 3.20161229 released with [[!toggle text="these changes"]]
[[!toggleable text="""
* Security: force CGI::FormBuilder-&gt;field to scalar context where
necessary, avoiding unintended function argument injection
- analogous to [[!cve CVE-2014-1572]]. In ikiwiki this could be used to
+ analogous to [[!debcve CVE-2014-1572]]. In ikiwiki this could be used to
forge commit metadata, but thankfully nothing more serious.
- ([[!cve CVE-2016-9646]])
+ ([[!debcve CVE-2016-9646]])
* Security: try revert operations in a temporary working tree before
approving them. Previously, automatic rename detection could result in
a revert writing outside the wiki srcdir or altering a file that the
reverting user should not be able to alter, an authorization bypass.
- ([[!cve CVE-2016-10026]] represents the original vulnerability.)
+ ([[!debcve CVE-2016-10026]] represents the original vulnerability.)
The incomplete fix released in 3.20161219 was not effective for git
versions prior to 2.8.0rc0.
- ([[!cve CVE-2016-9645]] represents that incomplete solution.)
+ ([[!debcve CVE-2016-9645]] represents that incomplete solution.)
* Add CVE references for CVE-2016-10026
* Add automated test for using the CGI with git, including
CVE-2016-10026
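Review bot: the trailing context entries, `* Add CVE references for CVE-2016-10026` and the automated-test item after it, still name CVE-2016-10026 as bare text, while every other CVE identifier in this hunk now goes through `[[!debcve ...]]`. If they are meant to stay unlinked, that is fine; otherwise convert them in this commit so all references on the page point at the same tracker.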