diff options
author | Simon McVittie <smcv@debian.org> | 2017-01-11 18:16:42 +0000 |
---|---|---|
committer | Simon McVittie <smcv@debian.org> | 2017-01-11 18:16:42 +0000 |
commit | 4d0e525e6a1469a30f3b81c19a289840147463e6 (patch) | |
tree | 5dff8e8ac7e6092c6807ba96243175561bd67829 /doc/security.mdwn | |
parent | 2486d83706a48044c88d6ffc8501a63d60d190a4 (diff) | |
download | ikiwiki-4d0e525e6a1469a30f3b81c19a289840147463e6.tar ikiwiki-4d0e525e6a1469a30f3b81c19a289840147463e6.tar.gz |
Document the security fix soon to be released in 3.20170111
Diffstat (limited to 'doc/security.mdwn')
-rw-r--r-- | doc/security.mdwn | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn index a538a49fe..5c54031a8 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -591,7 +591,23 @@ of them relatively minor: could potentially forge commit authorship (attribute their edit to someone else) by crafting multiple values for the rcsinfo field -This was fixed in ikiwiki 3.20161229. A backport to Debian 8 -'jessie' is in progress. +This was fixed in ikiwiki 3.20161229, with fixes backported to Debian 8 +in version 3.20141016.4. ([[!debcve CVE-2016-9646]]/OVE-20161226-0001) + +## <span id="cve-2017-0356">Authentication bypass via repeated parameters</span> + +The ikiwiki maintainers discovered further flaws similar 2016-9646 +in the passwordauth plugin's use of CGI::FormBuilder, with a more +serious impact: + +* An attacker who can log in to a site with a password can log in + as a different and potentially more privileged user. +* An attacker who can create a new account can set arbitrary fields + in the user database for that account. + +This was fixed in ikiwiki 3.20170111, with fixes backported to Debian 8 +in version 3.20141016.4. + +([[!debcve CVE-2017-0356]]/OVE-20170111-0001) |