author: Simon McVittie <smcv@debian.org> 2016-07-28 11:30:30 +0100
committer: Simon McVittie <smcv@debian.org> 2016-07-28 11:30:30 +0100
commit: 20e3655a10ce25fde2e09f65a7f275bd16efb6d3 (patch)
tree: e918ac58a847efa6974138b653a15be08ad30577 /doc/security.mdwn
parent: 6264e91bac119ed783232a2bc607accd0a6c4d3c (diff)
Announce 3.20160728
Diffstat (limited to 'doc/security.mdwn')
-rw-r--r--  doc/security.mdwn | 10 +
1 file changed, 10 insertions, 0 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 055e1d006..6d68fac00 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -531,3 +531,13 @@ resize. An upgrade is recommended for sites where an untrusted user is
able to attach images. Upgrading ImageMagick to a version where
CVE-2016-3714 has been fixed is also recommended, but at the time of
writing no such version is available.
+
+## Perl CVE-2016-1238 (current working directory in search path)
+
+ikiwiki 3.20160728 attempts to mitigate [[!cve CVE-2016-1238]] by
+removing `'.'` from the Perl library search path. An attacker with write
+access to ikiwiki's current working directory could potentially use this
+vulnerability to execute arbitrary Perl code. An upgrade is recommended
+for sites where an untrusted user is able to attach files with arbitrary
+names and/or run a setuid ikiwiki wrapper with a working directory of
+their choice.
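Review bot: the opening sentence of the new section says ikiwiki "attempts to mitigate" CVE-2016-1238 but never says what the mitigation does not cover, so a site administrator cannot judge the residual risk after upgrading; spell out the limitation, and end with the same advice the ImageMagick section above gives for its underlying component, i.e. that upgrading Perl to a version where CVE-2016-1238 has been fixed is also recommended. It would also help to state in the second sentence that the attacker's Perl code runs with the privileges of the ikiwiki process, since that is what makes the setuid-wrapper case in the final sentence the serious one.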