summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoey Hess <joey@kodama.kitenet.net>2008-04-20 15:25:51 -0400
committerJoey Hess <joey@kodama.kitenet.net>2008-04-20 15:25:51 -0400
commit3912a9f5e9e3936822b434862cb7877ea7378beb (patch)
tree803b440907db8a7d8b7b5e76de3d821bea3e413f
parente62f3f8f951cca752eeebebba310dc51df392516 (diff)
add CVE link
-rw-r--r--debian/changelog1
-rw-r--r--doc/security.mdwn2
2 files changed, 2 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog
index 2b3b756f8..bd2ed8afd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,6 +24,7 @@ ikiwiki (2.42) unstable; urgency=high
* Fix CSRF attacks against the preferences and edit forms. The fix involved
embedding the session id in the forms, and not allowing the forms to be
submitted if the embedded id does not match the session id. Closes: #475445
+ (CVE-2008-0165)
-- Joey Hess <joeyh@debian.org> Thu, 03 Apr 2008 02:35:39 -0400
diff --git a/doc/security.mdwn b/doc/security.mdwn
index bbbc98e1f..fc9937288 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -372,7 +372,7 @@ parties.
Cross Site Request Forging could be used to constuct a link that would
change a logged-in user's password or other preferences if they clicked on
the link. It could also be used to construct a link that would cause a wiki
-page to be modified by a logged-in user.
+page to be modified by a logged-in user. ([[cve CVE-2008-0165]])
These holes were discovered on 10 April 2008 and fixed the same day with
the release of ikiwiki 2.42. A fix was also backported to Debian etch, as