From 7586f5165e36ca010d14ad87202ad923ca63144b Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Mon, 9 Jan 2017 14:11:18 +0000 Subject: news: Use Debian security tracker instead of MITRE for CVE references The Debian security tracker gets timely updates, whereas the official CVE pages hosted by MITRE tend to show up as "RESERVED" for several weeks or months after assignment. --- doc/news/version_3.20160728.mdwn | 2 +- doc/news/version_3.20161219.mdwn | 2 +- doc/news/version_3.20161229.mdwn | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) (limited to 'doc/news') diff --git a/doc/news/version_3.20160728.mdwn b/doc/news/version_3.20160728.mdwn index 6836a9b79..88baddca2 100644 --- a/doc/news/version_3.20160728.mdwn +++ b/doc/news/version_3.20160728.mdwn @@ -1,7 +1,7 @@ ikiwiki 3.20160728 released with [[!toggle text="these changes"]] [[!toggleable text=""" * Explicitly remove current working directory from Perl's library - search path, mitigating [[!cve CVE-2016-1238]] (see [[!debbug 588017]]) + search path, mitigating [[!debcve CVE-2016-1238]] (see [[!debbug 588017]]) * wrappers: allocate new environment dynamically, so we won't overrun the array if third-party plugins add multiple environment variables. * Standards-Version: 3.9.8 (no changes required) diff --git a/doc/news/version_3.20161219.mdwn b/doc/news/version_3.20161219.mdwn index b03900972..e4f32db9e 100644 --- a/doc/news/version_3.20161219.mdwn +++ b/doc/news/version_3.20161219.mdwn 
@@ -7,7 +7,7 @@ ikiwiki 3.20161219 released with [[!toggle text="these changes"]] * Security: tell `git revert` not to follow renames. If it does, then renaming a file can result in a revert writing outside the wiki srcdir or altering a file that the reverting user should not be able to alter, - an authorization bypass. Thanks, intrigeri. ([[!cve CVE-2016-10026]]) + an authorization bypass. Thanks, intrigeri. ([[!debcve CVE-2016-10026]]) * cgitemplate: remove some dead code. Thanks, blipvert * Restrict CSS matches against header class to not break Pandoc tables with header rows. Thanks, karsk diff --git a/doc/news/version_3.20161229.mdwn b/doc/news/version_3.20161229.mdwn index 7d96cedb9..365cb69d1 100644 --- a/doc/news/version_3.20161229.mdwn +++ b/doc/news/version_3.20161229.mdwn 
@@ -2,17 +2,17 @@ ikiwiki 3.20161229 released with [[!toggle text="these changes"]] [[!toggleable text=""" * Security: force CGI::FormBuilder->field to scalar context where necessary, avoiding unintended function argument injection - analogous to [[!cve CVE-2014-1572]]. In ikiwiki this could be used to + analogous to [[!debcve CVE-2014-1572]]. In ikiwiki this could be used to forge commit metadata, but thankfully nothing more serious. - ([[!cve CVE-2016-9646]]) + ([[!debcve CVE-2016-9646]]) * Security: try revert operations in a temporary working tree before approving them. Previously, automatic rename detection could result in a revert writing outside the wiki srcdir or altering a file that the reverting user should not be able to alter, an authorization bypass. - ([[!cve CVE-2016-10026]] represents the original vulnerability.) + ([[!debcve CVE-2016-10026]] represents the original vulnerability.) The incomplete fix released in 3.20161219 was not effective for git versions prior to 2.8.0rc0. - ([[!cve CVE-2016-9645]] represents that incomplete solution.) + ([[!debcve CVE-2016-9645]] represents that incomplete solution.) * Add CVE references for CVE-2016-10026 * Add automated test for using the CGI with git, including CVE-2016-10026 -- cgit v1.2.3
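Review bot: the `debcve` shortcut introduced in the doc/news/version_3.20160728.mdwn hunk, and used again in the two later files, is not defined anywhere in this diff, which touches only the three doc/news files. Confirm that the shortcut is already defined elsewhere in the wiki before this lands. If it is not, `[[!debcve CVE-2016-1238]]` and the other seven replaced references will not render as links. The commit message could also name the commit or page that adds the shortcut so the dependency is visible to anyone backporting this change.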
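Review bot: in the doc/news/version_3.20161229.mdwn hunk, `[[!debcve CVE-2014-1572]]` is cited as an analogous issue rather than an ikiwiki vulnerability, so it is the one replaced reference whose target is not an ikiwiki entry. Check that the Debian tracker has a page for that identifier and that the page is useful to someone reading about the CGI::FormBuilder scalar-context fix. The rationale in the commit message (MITRE pages showing "RESERVED" for recently assigned ids) applies to the 2016 identifiers but not obviously to a 2014 one. The two unchanged trailing bullets in the same hunk still give CVE-2016-10026 as plain text. That is fine if intentional, but a short note in the commit message would confirm they were left unlinked on purpose.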