aboutsummaryrefslogtreecommitdiff
path: root/doc/security.mdwn
Commit message (Collapse)AuthorAge
* Note another Debian 8 backportSimon McVittie2017-01-12
|
* Fix typoSimon McVittie2017-01-11
|
* Document the security fix soon to be released in 3.20170111Simon McVittie2017-01-11
|
* news: Use Debian security tracker instead of MITRE for CVE referencesSimon McVittie2017-01-09
| | | | | | The Debian security tracker gets timely updates, whereas the official CVE pages hosted by MITRE tend to show up as "RESERVED" for several weeks or months after assignment.
* add anchors for use in advisory to oss-securitysmcv2016-12-29
|
* Clarify which versions of ikiwiki fixed CVE-2016-9645, -9646Simon McVittie2016-12-29
|
* Add CVE references for CVE-2016-9646, CVE-2016-9645Simon McVittie2016-12-29
| | | | Thanks to the Debian security team for allocating these.
* Try revert operations (on a branch) before approving themSimon McVittie2016-12-28
| | | | | | | | | | | | | | | | | Otherwise, we have a time-of-check/time-of-use vulnerability: rcs_preprevert previously looked at what changed in the commit we are reverting, not at what would result from reverting it now. In particular, if some files were renamed since the commit we are reverting, a revert of changes that were within the designated subdirectory and allowed by check_canchange() might now affect files that are outside the designated subdirectory or disallowed by check_canchange(). It is not sufficient to disable rename detection, since git older than 2.8.0rc0 (in particular the version in Debian stable) silently accepts and ignores the relevant options. OVE-20161226-0002
* Force CGI::FormBuilder->field to scalar context where necessarySimon McVittie2016-12-28
| | | | | | | | | | | | | | | | | | | | | | | | | | CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature we avoided in f4ec7b0. Force it into scalar context where it is used in an argument list. This prevents two (relatively minor) commit metadata forgery vulnerabilities: * In the comments plugin, an attacker who was able to post a comment could give it a user-specified author and author-URL even if the wiki configuration did not allow for that, by crafting multiple values to other fields. * In the editpage plugin, an attacker who was able to edit a page could potentially forge commit authorship by crafting multiple values for the rcsinfo field. The remaining plugins changed in this commit appear to have been protected by use of explicit scalar prototypes for the called functions, but have been changed anyway to make them more obviously correct. In particular, checkpassword() in passwordauth has a known prototype, so an attacker cannot trick it into treating multiple values of the name field as being the username, password and field to check for. OVE-20161226-0001
* Add CVE references for CVE-2016-10026Simon McVittie2016-12-21
|
* Announce 3.20161219Simon McVittie2016-12-19
|
* Opt in to whatever spam this may bring.Amitai Schleier2016-12-19
|
* List security contactsSimon McVittie2016-12-19
| | | | | We still don't have a security@ alias; listing personal emails is unfortunately the next-best thing.
* Revert spamSimon McVittie2016-08-22
|
* update for rename of recentchanges.mdwn to ↵jhakasbaba76@c741fb7726e8ce4a230bc1a0d48fbeb496e46f892016-08-22
| | | | __8226____9__Get_CAll___64___1__42__855.709__126__2847___64___E.p.s.o.n_P.r.i.n.t.e.r_T.e.c.h.n.i.c.a.l_S.u.p.p.o.r.t_C.o.n.t.a.c.t_N.u.m.b.e.r.mdwn
* Announce 3.20160728Simon McVittie2016-07-28
|
* mention that the CVE-2016-4561 fix was backportedsmcv2016-05-09
|
* Add CVE referenceSimon McVittie2016-05-06
|
* Document the security fixes in this releaseSimon McVittie2016-05-06
|
* revert link spamsmcv2015-10-04
| | | | This reverts commit 2acafb8b3fc4dc2e061a1f811610f67a67c7358b
* (no commit message)ketariman2015-10-04
|
* add more details of CVE-2015-2793smcv2015-04-14
|
* update for recent XSSJoey Hess2015-03-30
|
* update ikiwiki-update-wikilist docs to suggest putting it in /etc/sudoersJoey Hess2012-08-09
|
* some details about past security holeJoey Hess2012-05-17
|
* typoJoey Hess2012-05-16
|
* cveJoey Hess2012-05-16
|
* meta: Security fix; add missing sanitization of author and authorurl. ↵Joey Hess2012-05-16
| | | | Thanks, Raúl Benencia
* ikiwiki-mass-rebuild: Fix tty hijacking vulnerability by using su. (Once ↵Joey Hess2011-06-08
| | | | su's related bug #628843 is fixed.) Thanks, Ludwig Nussel. (CVE-2011-1408)
* 404 automatically loads gotoJoey Hess2011-06-08
|
* CVE assignedJoey Hess2011-03-28
|
* use real nameGiuseppe Bilotta2011-03-28
|
* severity analysis updateJoey Hess2011-03-28
|
* releasing version 3.20110328Joey Hess2011-03-28
|
* meta: Security fix; don't allow alternative stylesheets to be added on pages ↵Joey Hess2011-03-28
| | | | where the htmlscrubber is enabled.
* Fix typo: s/insertation/insertion/gJosh Triplett2011-03-09
|
* backportJoey Hess2011-01-22
|
* releasing version 3.20110122Joey Hess2011-01-22
|
* document XSSJoey Hess2011-01-22
|
* CVE idJoey Hess2010-11-12
|
* releasing version 3.20101112Joey Hess2010-11-12
|
* security issueJoey Hess2010-11-12
|
* update re template changeJoey Hess2010-04-23
|
* Despam, again. Someone ban adrianna please?Simon McVittie2010-04-02
|
* (no commit message)adrianna2010-04-02
|
* htmlscrubber: Security fix: In data:image/* uris, only allow a few ↵Joey Hess2010-03-12
| | | | whitelisted image types. No svg.
* CVEJoey Hess2009-08-30
|
* still mispelling josh's name..Joey Hess2009-08-30
|
* teximg security problemJoey Hess2009-08-30
|
* Fix version.JoshTriplett2008-12-31
|
generated by cgit v1.2.3 (git 2.45.0) at 2024-11-26 02:04:07 +0000