urosm
/
ikiwiki
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add CVE references for CVE-2016-9646, CVE-2016-9645 

Thanks to the Debian security team for allocating these.
master
Simon McVittie 2016-12-29 17:31:30 +00:00
parent 078d4208ca
commit cf0166347c
2 changed files with 12 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
debian/changelog vendored
View File

@ -4,14 +4,15 @@ ikiwiki (3.20161220) UNRELEASED; urgency=medium
necessary, avoiding unintended function argument injection necessary, avoiding unintended function argument injection
analogous to CVE-2014-1572. In ikiwiki this could be used to analogous to CVE-2014-1572. In ikiwiki this could be used to
forge commit metadata, but thankfully nothing more serious. forge commit metadata, but thankfully nothing more serious.
(OVE-20161226-0001) (CVE-2016-9646)
* Security: try revert operations before approving them. Previously, * Security: try revert operations in a temporary working tree before
automatic rename detection could result in a revert writing outside approving them. Previously, automatic rename detection could result in
the wiki srcdir or altering a file that the reverting user should not be a revert writing outside the wiki srcdir or altering a file that the
able to alter, an authorization bypass. The incomplete fix released in reverting user should not be able to alter, an authorization bypass.
3.20161219 was not effective for git versions prior to 2.8.0rc0. (CVE-2016-10026 represents the original vulnerability.)
(CVE-2016-10026 represents the original vulnerability) The incomplete fix released in 3.20161219 was not effective for git
(OVE-20161226-0002 represents the incomplete fix released in 3.20161219) versions prior to 2.8.0rc0.
(CVE-2016-9645 represents that incomplete solution.)
* Add CVE references for CVE-2016-10026 * Add CVE references for CVE-2016-10026
* Add automated test for using the CGI with git, including * Add automated test for using the CGI with git, including
CVE-2016-10026 CVE-2016-10026

5
doc/security.mdwn
View File

@ -566,7 +566,8 @@ This bug was reported on 2016-12-17. A partially fixed version
version was not effective with git versions older than 2.8.0. version was not effective with git versions older than 2.8.0.
([[!cve CVE-2016-10026]] represents the original vulnerability. ([[!cve CVE-2016-10026]] represents the original vulnerability.
OVE-20161226-0002 represents the incomplete fix in 3.20161219.) [[!cve CVE-2016-9645]]/OVE-20161226-0002 represents the vulnerability
in 3.20161219 caused by the incomplete fix.)
## Commit metadata forgery via CGI::FormBuilder context-dependent APIs ## Commit metadata forgery via CGI::FormBuilder context-dependent APIs
@ -588,4 +589,4 @@ of them relatively minor:
could potentially forge commit authorship (attribute their edit to could potentially forge commit authorship (attribute their edit to
someone else) by crafting multiple values for the rcsinfo field someone else) by crafting multiple values for the rcsinfo field
(OVE-20161226-0001) ([[!cve CVE-2016-9646]]/OVE-20161226-0001)