From c1289de1eff4c0b4b2cd47e61b2273970e327009 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 31 May 2008 20:16:18 -0400 Subject: [PATCH] cve id --- debian/changelog | 2 +- doc/news/version_2.48.mdwn | 1 + doc/security.mdwn | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 7a3f6061f..02796394b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -11,7 +11,7 @@ ikiwiki (2.48) unstable; urgency=high * Fix security hole that occurred if openid and passwordauth were both enabled. passwordauth would allow logging in as a known openid, with an - empty password. Closes: #483770 + empty password. Closes: #483770 (CVE-2008-0169) * Add rel=nofollow to edit links. This may prevent some spiders from pounding on the cgi following edit links. * passwordauth: If Authen::Passphrase is installed, use it to store diff --git a/doc/news/version_2.48.mdwn b/doc/news/version_2.48.mdwn index a0c52f4e8..76dbd7ddc 100644 --- a/doc/news/version_2.48.mdwn +++ b/doc/news/version_2.48.mdwn @@ -13,6 +13,7 @@ ikiwiki 2.48 released with [[toggle text="these changes"]] * Fix security hole that occurred if openid and passwordauth were both enabled. passwordauth would allow logging in as a known openid, with an empty password. Closes: #[483770](http://bugs.debian.org/483770) + (CVE-2008-0169) * Add rel=nofollow to edit links. This may prevent some spiders from pounding on the cgi following edit links. * passwordauth: If Authen::Passphrase is installed, use it to store diff --git a/doc/security.mdwn b/doc/security.mdwn index b2e076ec4..57cac719f 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -403,7 +403,7 @@ passwords in cleartext over the net to log in, either. This hole allowed ikiwiki to accept logins using empty passwords, to openid accounts that didn't use a password. It was introduced in version 1.34, and fixed in version 2.48. The [bug](http://bugs.debian.org/483770) was -discovered on 30 May 2008 and fixed the same day. +discovered on 30 May 2008 and fixed the same day. ([[cve CVE-2008-0169]]) I recommend upgrading to 2.48 immediatly if your wiki allows both password and openid logins.