Add CVE references for CVE-2016-10026

2016-12-21 13:03:32 +00:00 · 2016-12-21 13:03:32 +00:00 · 28409cd358
parent bec3047aff
commit 28409cd358
4 changed files with 14 additions and 5 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,9 @@
+ikiwiki (3.20161220) UNRELEASED; urgency=medium
+
+  * Add CVE references for CVE-2016-10026
+
+ -- Simon McVittie <smcv@debian.org>  Wed, 21 Dec 2016 13:03:07 +0000
+
 ikiwiki (3.20161219) unstable; urgency=medium

  [ Joey Hess ]
@ -8,7 +14,7 @@ ikiwiki (3.20161219) unstable; urgency=medium
  * Security: tell `git revert` not to follow renames. If it does, then
    renaming a file can result in a revert writing outside the wiki srcdir
    or altering a file that the reverting user should not be able to alter,
-    an authorization bypass. Thanks, intrigeri
+    an authorization bypass. Thanks, intrigeri. (CVE-2016-10026)
  * cgitemplate: remove some dead code. Thanks, blipvert
  * Restrict CSS matches against header class to not break
    Pandoc tables with header rows. Thanks, karsk
--- a/doc/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed.mdwn
+++ b/doc/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed.mdwn
@ -24,6 +24,9 @@ when reverting.
 > I tried to do something more clever (doing the revert, and checking
 > whether it made changes that aren't allowed) but couldn't get it to
 > work in a reasonable time, so I'm going with the simpler fix.
-> [[Fix committed|done]], a release will follow later today. --[[smcv]]
+> [[Fix committed|done]], a release will follow later today.
+>
+> [[!cve CVE-2016-10026]] has been assigned to this vulnerability.
+> --[[smcv]]

 >> You rock, thanks a lot! --[[intrigeri]]
--- a/doc/news/version_3.20161219.mdwn
+++ b/doc/news/version_3.20161219.mdwn
@ -7,8 +7,8 @@ ikiwiki 3.20161219 released with [[!toggle text="these changes"]]
   * Security: tell `git revert` not to follow renames. If it does, then
     renaming a file can result in a revert writing outside the wiki srcdir
     or altering a file that the reverting user should not be able to alter,
-     an authorization bypass. Thanks, intrigeri
+     an authorization bypass. Thanks, intrigeri. ([[!cve CVE-2016-10026]])
   * cgitemplate: remove some dead code. Thanks, blipvert
   * Restrict CSS matches against header class to not break
     Pandoc tables with header rows. Thanks, karsk
-   * Make pagestats output more deterministic. Thanks, intrigeri"""]]
+   * Make pagestats output more deterministic. Thanks, intrigeri"""]]
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@ -562,4 +562,4 @@ This affects sites with the `git` VCS and the `recentchanges` plugin,
 which are both used in most ikiwiki installations.

 This bug was reported on 2016-12-17. The fixed version 3.20161219
-was released on 2016-12-19.
+was released on 2016-12-19. ([[!cve CVE-2016-10026]])