summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
Diffstat (limited to 'doc')
-rw-r--r--doc/news/version_2.48.mdwn1
-rw-r--r--doc/security.mdwn2
2 files changed, 2 insertions, 1 deletions
diff --git a/doc/news/version_2.48.mdwn b/doc/news/version_2.48.mdwn
index a0c52f4e8..76dbd7ddc 100644
--- a/doc/news/version_2.48.mdwn
+++ b/doc/news/version_2.48.mdwn
@@ -13,6 +13,7 @@ ikiwiki 2.48 released with [[toggle text="these changes"]]
* Fix security hole that occurred if openid and passwordauth were both
enabled. passwordauth would allow logging in as a known openid, with an
empty password. Closes: #[483770](http://bugs.debian.org/483770)
+ (CVE-2008-0169)
* Add rel=nofollow to edit links. This may prevent some spiders from
pounding on the cgi following edit links.
* passwordauth: If Authen::Passphrase is installed, use it to store
diff --git a/doc/security.mdwn b/doc/security.mdwn
index b2e076ec4..57cac719f 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -403,7 +403,7 @@ passwords in cleartext over the net to log in, either.
This hole allowed ikiwiki to accept logins using empty passwords, to openid
accounts that didn't use a password. It was introduced in version 1.34, and
fixed in version 2.48. The [bug](http://bugs.debian.org/483770) was
-discovered on 30 May 2008 and fixed the same day.
+discovered on 30 May 2008 and fixed the same day. ([[cve CVE-2008-0169]])
I recommend upgrading to 2.48 immediatly if your wiki allows both password
and openid logins.