diff options
| author | Joey Hess <joey@kodama.kitenet.net> | 2008-02-20 16:48:38 -0500 |
|---|---|---|
| committer | Joey Hess <joey@kodama.kitenet.net> | 2008-02-20 16:48:38 -0500 |
| commit | 0737121a739f7071b6cd3a2059379fadd4fc1805 (patch) | |
| tree | e4d8d1435a3e027d06cf78ddd2ebf7809315ccf8 | |
| parent | 5f1a97d954abdc4b37b32267c6012379bba9fa0c (diff) | |
add CVE ids
| -rw-r--r-- | doc/security.mdwn | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn index 9259209ee..723daeccc 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -356,9 +356,10 @@ allow the security hole to be exploited. ## javascript insertion via uris The htmlscrubber did not block javascript in uris. This was fixed by adding -a whitelist of valid uri types, which does not include javascript. Some -urls specifyable by the meta plugin could also theoretically have been used -to inject javascript; this was also blocked. +a whitelist of valid uri types, which does not include javascript. +([[cve CVE-2008-0809]]) Some urls specifyable by the meta plugin could also +theoretically have been used to inject javascript; this was also blocked +([[cve CVE-2008-0808]]). This hole was discovered on 10 February 2008 and fixed the same day with the release of ikiwiki 2.31.1. (And a few subsequent versions..) |