author: Joey Hess <joey@kodama.kitenet.net> 2008-05-30 18:26:04 -0400
committer: Joey Hess <joey@kodama.kitenet.net> 2008-05-30 18:26:04 -0400
commit: 2bf2af30eaf62833bd07005cec103374fc0a7cae (patch)
tree: 55ef053d99b22fb36e4d6d9f56a88025767cb0a0 /doc/security.mdwn
parent: 341296184dc486f39c3627dbac73f5b4003adbb4 (diff)
more on the security hole
Diffstat (limited to 'doc/security.mdwn')
-rw-r--r-- doc/security.mdwn 10
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn
index b3af3db3e..ea8954f5c 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -397,3 +397,13 @@ with strong blowfish hashes.
You might also consider changing to [[plugins/openid]], which does not
require ikiwiki deal with passwords at all, and does not involve users sending
passwords in cleartext over the net to log in, either.
+
+## Empty password security hole
+
+This hole allowed ikiwiki to accept logins using empty passwords, to openid
+accounts that didn't use a password. It was introduced in version 1.34, and
+fixed in version 2.48. The [bug](http://bugs.debian.org/483770) was
+discovered on 30 May 2008 and fixed the same day.
+
+I recommend upgrading to 2.48 immediatly if your wiki allows both password
+and openid logins.
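Review bot: "immediatly" in the last added paragraph is misspelled and should read "immediately". In the first added paragraph, the comma in "accept logins using empty passwords, to openid accounts that didn't use a password" splits the sentence awkwardly; dropping it makes clear that the empty-password login applies to the openid accounts. Since the upgrade advice is scoped to wikis that allow both password and openid logins, consider adding a sentence on what an admin who cannot upgrade to 2.48 right away should do in the meantime, such as disabling one of the two login methods.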