From 4d0e525e6a1469a30f3b81c19a289840147463e6 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Wed, 11 Jan 2017 18:16:42 +0000 Subject: [PATCH] Document the security fix soon to be released in 3.20170111 --- debian/changelog | 13 +++++++++++++ doc/security.mdwn | 20 ++++++++++++++++++-- 2 files changed, 31 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 2183ef179..36a9701d9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,16 @@ +ikiwiki (3.20170111) UNRELEASED; urgency=medium + + * passwordauth: prevent authentication bypass via multiple name + parameters (CVE-2017-0356, OVE-20170111-0001) + * passwordauth: avoid userinfo forgery via repeated email parameter + (also in the scope of CVE-2017-0356) + * CGI, attachment, passwordauth: harden against repeated parameters + (not believed to have been a vulnerability) + * remove: make it clearer that repeated page parameter is OK here + * t/passwordauth.t: new automated test for passwordauth + + -- Simon McVittie Wed, 11 Jan 2017 18:12:05 +0000 + ikiwiki (3.20170110) unstable; urgency=medium [ Amitai Schleier ] diff --git a/doc/security.mdwn b/doc/security.mdwn index a538a49fe..5c54031a8 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -591,7 +591,23 @@ of them relatively minor: could potentially forge commit authorship (attribute their edit to someone else) by crafting multiple values for the rcsinfo field -This was fixed in ikiwiki 3.20161229. A backport to Debian 8 -'jessie' is in progress. +This was fixed in ikiwiki 3.20161229, with fixes backported to Debian 8 +in version 3.20141016.4. ([[!debcve CVE-2016-9646]]/OVE-20161226-0001) + +## Authentication bypass via repeated parameters + +The ikiwiki maintainers discovered further flaws similar 2016-9646 +in the passwordauth plugin's use of CGI::FormBuilder, with a more +serious impact: + +* An attacker who can log in to a site with a password can log in + as a different and potentially more privileged user. +* An attacker who can create a new account can set arbitrary fields + in the user database for that account. + +This was fixed in ikiwiki 3.20170111, with fixes backported to Debian 8 +in version 3.20141016.4. + +([[!debcve CVE-2017-0356]]/OVE-20170111-0001)