author | Simon McVittie <smcv@debian.org> | 2016-12-29 20:08:49 +0000 |
---|---|---|
committer | Simon McVittie <smcv@debian.org> | 2016-12-29 20:08:49 +0000 |
commit | 04e322fd6b1160608a1e957cde5c7ad6b56eb137 (patch) | |
tree | cd50ba81fac984ce1a23cde10ebc886acf74c978 /doc | |
parent | 287bb19883f9fba8d1b1257d010ba7e086e38df6 (diff) | |
Clarify which versions of ikiwiki fixed CVE-2016-9645, -9646
Diffstat (limited to 'doc')
-rw-r--r-- | doc/security.mdwn | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn index 317a534ca..823f5ef88 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -564,6 +564,8 @@ which are both used in most ikiwiki installations. This bug was reported on 2016-12-17. A partially fixed version 3.20161219 was released on 2016-12-19, but the solution used in that version was not effective with git versions older than 2.8.0. +A more complete fix was released on 2016-12-29 in version 3.20161229. +A backport to Debian 8 'jessie' is in progress. ([[!cve CVE-2016-10026]] represents the original vulnerability. [[!cve CVE-2016-9645]]/OVE-20161226-0002 represents the vulnerability @@ -589,4 +591,7 @@ of them relatively minor: could potentially forge commit authorship (attribute their edit to someone else) by crafting multiple values for the rcsinfo field +This was fixed in ikiwiki 3.20161229. A backport to Debian 8 +'jessie' is in progress. + ([[!cve CVE-2016-9646]]/OVE-20161226-0001) |
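Review bot: In the first hunk (@@ -564,6 +564,8 @@), the added sentence "A more complete fix was released on 2016-12-29 in version 3.20161229" does not say whether this fix is effective with git versions older than 2.8.0, which is exactly the gap the preceding sentence attributes to 3.20161219. Readers deciding whether to upgrade need that stated explicitly, so consider saying that 3.20161229 also covers older git versions, if that is the case. "A backport to Debian 8 'jessie' is in progress" will also go stale; it should be replaced with the fixed package version once the backport is released.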
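Review bot: In the second hunk (@@ -589,4 +591,7 @@), "This was fixed in ikiwiki 3.20161229" has an unclear antecedent. The surrounding context ("of them relatively minor:") reads as a list of several issues, and the new paragraph follows the last item about forging commit authorship via the rcsinfo field, so it is ambiguous whether the fix covers only that item or every issue in the list. Suggest naming the scope, for example "These were fixed in ..." if all are covered. Unlike the first hunk, no release date is given here, and the "backport ... is in progress" sentence is duplicated and will need updating in both places once the backport lands.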