Add CVE references for CVE-2016-10026

master
Simon McVittie 2016-12-21 13:03:32 +00:00
parent bec3047aff
commit 28409cd358
4 changed files with 14 additions and 5 deletions

debian/changelog vendored

@ -1,3 +1,9 @@
ikiwiki (3.20161220) UNRELEASED; urgency=medium
* Add CVE references for CVE-2016-10026
-- Simon McVittie <smcv@debian.org> Wed, 21 Dec 2016 13:03:07 +0000
ikiwiki (3.20161219) unstable; urgency=medium ikiwiki (3.20161219) unstable; urgency=medium
[ Joey Hess ] [ Joey Hess ]
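Review bot: The only bullet in the new 3.20161220 stanza, "Add CVE references for CVE-2016-10026", does not say which change the CVE belongs to, so a reader of this stanza alone cannot tell that the fix itself is the `git revert` item already listed under 3.20161219. Consider naming it in the bullet, for example "Add CVE references for CVE-2016-10026 (git revert following renames, fixed in 3.20161219)".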
@ -8,7 +14,7 @@ ikiwiki (3.20161219) unstable; urgency=medium
* Security: tell `git revert` not to follow renames. If it does, then * Security: tell `git revert` not to follow renames. If it does, then
renaming a file can result in a revert writing outside the wiki srcdir renaming a file can result in a revert writing outside the wiki srcdir
or altering a file that the reverting user should not be able to alter, or altering a file that the reverting user should not be able to alter,
an authorization bypass. Thanks, intrigeri an authorization bypass. Thanks, intrigeri. (CVE-2016-10026)
* cgitemplate: remove some dead code. Thanks, blipvert * cgitemplate: remove some dead code. Thanks, blipvert
* Restrict CSS matches against header class to not break * Restrict CSS matches against header class to not break
Pandoc tables with header rows. Thanks, karsk Pandoc tables with header rows. Thanks, karsk


@ -24,6 +24,9 @@ when reverting.
> I tried to do something more clever (doing the revert, and checking > I tried to do something more clever (doing the revert, and checking
> whether it made changes that aren't allowed) but couldn't get it to > whether it made changes that aren't allowed) but couldn't get it to
> work in a reasonable time, so I'm going with the simpler fix. > work in a reasonable time, so I'm going with the simpler fix.
> [[Fix committed|done]], a release will follow later today. --[[smcv]] > [[Fix committed|done]], a release will follow later today.
>
> [[!cve CVE-2016-10026]] has been assigned to this vulnerability.
> --[[smcv]]
>> You rock, thanks a lot! --[[intrigeri]] >> You rock, thanks a lot! --[[intrigeri]]
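Review bot: The retained sentence "a release will follow later today", just above the new CVE paragraph, is out of date next to the added text, because the security page hunk in this same commit states that the fixed version 3.20161219 was released on 2016-12-19. Consider naming the fixed version in the new paragraph so the bug page records it alongside the CVE identifier.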


@ -7,7 +7,7 @@ ikiwiki 3.20161219 released with [[!toggle text="these changes"]]
* Security: tell `git revert` not to follow renames. If it does, then * Security: tell `git revert` not to follow renames. If it does, then
renaming a file can result in a revert writing outside the wiki srcdir renaming a file can result in a revert writing outside the wiki srcdir
or altering a file that the reverting user should not be able to alter, or altering a file that the reverting user should not be able to alter,
an authorization bypass. Thanks, intrigeri an authorization bypass. Thanks, intrigeri. ([[!cve CVE-2016-10026]])
* cgitemplate: remove some dead code. Thanks, blipvert * cgitemplate: remove some dead code. Thanks, blipvert
* Restrict CSS matches against header class to not break * Restrict CSS matches against header class to not break
Pandoc tables with header rows. Thanks, karsk Pandoc tables with header rows. Thanks, karsk
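Review bot: The `[[!cve CVE-2016-10026]]` directive added on the "Thanks, intrigeri" line, like the same directive in the other two wiki hunks, depends on a `cve` shortcut being defined for the wiki, and none of the hunks shown here defines one. Worth confirming that the shortcut exists before merging, since debian/changelog uses the plain form "(CVE-2016-10026)" and would not reveal a missing definition.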


@ -562,4 +562,4 @@ This affects sites with the `git` VCS and the `recentchanges` plugin,
which are both used in most ikiwiki installations. which are both used in most ikiwiki installations.
This bug was reported on 2016-12-17. The fixed version 3.20161219 This bug was reported on 2016-12-17. The fixed version 3.20161219
was released on 2016-12-19. was released on 2016-12-19. ([[!cve CVE-2016-10026]])