From 4d0e525e6a1469a30f3b81c19a289840147463e6 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Wed, 11 Jan 2017 18:16:42 +0000
Subject: Document the security fix soon to be released in 3.20170111

---
 doc/security.mdwn | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

(limited to 'doc/security.mdwn')

diff --git a/doc/security.mdwn b/doc/security.mdwn
index a538a49fe..5c54031a8 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -591,7 +591,23 @@ of them relatively minor:
   could potentially forge commit authorship (attribute their edit to
   someone else) by crafting multiple values for the rcsinfo field
 
-This was fixed in ikiwiki 3.20161229. A backport to Debian 8
-'jessie' is in progress.
+This was fixed in ikiwiki 3.20161229, with fixes backported to Debian 8
+in version 3.20141016.4.
 
 ([[!debcve CVE-2016-9646]]/OVE-20161226-0001)
+
+## <span id="cve-2017-0356">Authentication bypass via repeated parameters</span>
+
+The ikiwiki maintainers discovered further flaws similar 2016-9646
+in the passwordauth plugin's use of CGI::FormBuilder, with a more
+serious impact:
+
+* An attacker who can log in to a site with a password can log in
+  as a different and potentially more privileged user.
+* An attacker who can create a new account can set arbitrary fields
+  in the user database for that account.
+
+This was fixed in ikiwiki 3.20170111, with fixes backported to Debian 8
+in version 3.20141016.4.
+
+([[!debcve CVE-2017-0356]]/OVE-20170111-0001)
-- 
cgit v1.2.3