From: Joey Hess Date: Sun, 1 Jun 2008 00:16:18 +0000 (-0400) Subject: cve id X-Git-Url: https://scripts.mit.edu/gitweb/www/ikiwiki.git/commitdiff_plain/c1289de1eff4c0b4b2cd47e61b2273970e327009 cve id --- diff --git a/debian/changelog b/debian/changelog index 7a3f6061f..02796394b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -11,7 +11,7 @@ ikiwiki (2.48) unstable; urgency=high * Fix security hole that occurred if openid and passwordauth were both enabled. passwordauth would allow logging in as a known openid, with an - empty password. Closes: #483770 + empty password. Closes: #483770 (CVE-2008-0169) * Add rel=nofollow to edit links. This may prevent some spiders from pounding on the cgi following edit links. * passwordauth: If Authen::Passphrase is installed, use it to store diff --git a/doc/news/version_2.48.mdwn b/doc/news/version_2.48.mdwn index a0c52f4e8..76dbd7ddc 100644 --- a/doc/news/version_2.48.mdwn +++ b/doc/news/version_2.48.mdwn @@ -13,6 +13,7 @@ ikiwiki 2.48 released with [[toggle text="these changes"]] * Fix security hole that occurred if openid and passwordauth were both enabled. passwordauth would allow logging in as a known openid, with an empty password. Closes: #[483770](http://bugs.debian.org/483770) + (CVE-2008-0169) * Add rel=nofollow to edit links. This may prevent some spiders from pounding on the cgi following edit links. * passwordauth: If Authen::Passphrase is installed, use it to store diff --git a/doc/security.mdwn b/doc/security.mdwn index b2e076ec4..57cac719f 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -403,7 +403,7 @@ passwords in cleartext over the net to log in, either. This hole allowed ikiwiki to accept logins using empty passwords, to openid accounts that didn't use a password. It was introduced in version 1.34, and fixed in version 2.48. The [bug](http://bugs.debian.org/483770) was -discovered on 30 May 2008 and fixed the same day. +discovered on 30 May 2008 and fixed the same day. ([[cve CVE-2008-0169]]) I recommend upgrading to 2.48 immediatly if your wiki allows both password and openid logins.