Diffstat (limited to 'doc/news')
-rw-r--r-- doc/news/version_3.20160728.mdwn | 2
-rw-r--r-- doc/news/version_3.20161219.mdwn | 2
-rw-r--r-- doc/news/version_3.20161229.mdwn | 8
3 files changed, 6 insertions, 6 deletions
diff --git a/doc/news/version_3.20160728.mdwn b/doc/news/version_3.20160728.mdwn index 6836a9b79..88baddca2 100644 --- a/doc/news/version_3.20160728.mdwn +++ b/doc/news/version_3.20160728.mdwn @@ -1,7 +1,7 @@ ikiwiki 3.20160728 released with [[!toggle text="these changes"]] [[!toggleable text=""" * Explicitly remove current working directory from Perl's library - search path, mitigating [[!cve CVE-2016-1238]] (see [[!debbug 588017]]) + search path, mitigating [[!debcve CVE-2016-1238]] (see [[!debbug 588017]]) * wrappers: allocate new environment dynamically, so we won't overrun the array if third-party plugins add multiple environment variables. * Standards-Version: 3.9.8 (no changes required) diff --git a/doc/news/version_3.20161219.mdwn b/doc/news/version_3.20161219.mdwn index b03900972..e4f32db9e 100644 --- a/doc/news/version_3.20161219.mdwn +++ b/doc/news/version_3.20161219.mdwn @@ -7,7 +7,7 @@ ikiwiki 3.20161219 released with [[!toggle text="these changes"]] * Security: tell `git revert` not to follow renames. If it does, then renaming a file can result in a revert writing outside the wiki srcdir or altering a file that the reverting user should not be able to alter, - an authorization bypass. Thanks, intrigeri. ([[!cve CVE-2016-10026]]) + an authorization bypass. Thanks, intrigeri. ([[!debcve CVE-2016-10026]]) * cgitemplate: remove some dead code. Thanks, blipvert * Restrict CSS matches against header class to not break Pandoc tables with header rows. Thanks, karsk diff --git a/doc/news/version_3.20161229.mdwn b/doc/news/version_3.20161229.mdwn index 7d96cedb9..365cb69d1 100644 --- a/doc/news/version_3.20161229.mdwn +++ b/doc/news/version_3.20161229.mdwn 
@@ -2,17 +2,17 @@ ikiwiki 3.20161229 released with [[!toggle text="these changes"]] [[!toggleable text=""" * Security: force CGI::FormBuilder->field to scalar context where necessary, avoiding unintended function argument injection - analogous to [[!cve CVE-2014-1572]]. In ikiwiki this could be used to + analogous to [[!debcve CVE-2014-1572]]. In ikiwiki this could be used to forge commit metadata, but thankfully nothing more serious. - ([[!cve CVE-2016-9646]]) + ([[!debcve CVE-2016-9646]]) * Security: try revert operations in a temporary working tree before approving them. Previously, automatic rename detection could result in a revert writing outside the wiki srcdir or altering a file that the reverting user should not be able to alter, an authorization bypass. - ([[!cve CVE-2016-10026]] represents the original vulnerability.) + ([[!debcve CVE-2016-10026]] represents the original vulnerability.) The incomplete fix released in 3.20161219 was not effective for git versions prior to 2.8.0rc0. - ([[!cve CVE-2016-9645]] represents that incomplete solution.) + ([[!debcve CVE-2016-9645]] represents that incomplete solution.) * Add CVE references for CVE-2016-10026 * Add automated test for using the CGI with git, including CVE-2016-10026 |
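Review bot: In doc/news/version_3.20160728.mdwn (and in every other replaced line of this patch) the new `[[!debcve ...]]` shortcut is used, but nothing in the visible diff defines it, since the diffstat is limited to doc/news. Please confirm that the shortcut definition for `debcve` lands in the same commit or an earlier one. Otherwise these security entries will render a failed directive where the CVE link used to be, and readers lose the reference for CVE-2016-1238 and the others.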
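Review bot: In doc/news/version_3.20161229.mdwn the two trailing bullets, `* Add CVE references for CVE-2016-10026` and `* Add automated test for using the CGI with git, including CVE-2016-10026`, still carry the identifier as bare text while the four references above them are switched to `[[!debcve ...]]`. If the bare form is intentional because those bullets describe packaging work rather than the fix itself, that is fine. Otherwise link them the same way so that every mention of CVE-2016-10026 on the page resolves to the same target. It is also worth grepping the rest of doc/ for leftover `[[!cve` uses, since only doc/news is shown here.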